aws / aws-iot-device-sdk-embedded-C

SDK for connecting to AWS IoT from a device using embedded C.
MIT License

Failed to resolve DNS: Hostname=**************8, ErrorCode=-11. #1866

Closed rakesh5283 closed 11 months ago

rakesh5283 commented 1 year ago

Hi,

I am trying to build the Embedded-C SDK using the openssl 1.1.1 library. I am able to build it in our development environment.

But it gets stuck in the SSL_connect() function and does not come out of it, and the device reboots.

Am I missing anything?

Thanks Rakesh

kar-rahul-aws commented 1 year ago

Hi @rakesh5283, thanks for reporting this issue. Could you please let us know at which point the function SSL_connect() gets stuck, or whether the function returns an error code and the device reboots?

rakesh5283 commented 1 year ago

In the tlsHandshake() function below, SSL_connect() gets stuck; it is in the openssl_posix.c file. All other functions return the value 1, which is SUCCESS.

The output of the code below is:

```
16:33:59 -> **tlsHandshake will be called: ***
16:33:59 -> SSL_set1_host output is: 1.
16:33:59 -> SSL_set_fd output is: 1.
16:33:59 -> SSL_set_tlsext_host_name output is: 1.
16:33:59 -> SSL_Connect is going to call #######################
```

```c
/* tlsHandshake() from openssl_posix.c with the reporter's debug prints added.
 * vplDebug()/vplDebugF() are the reporter's own logging macros (a plain
 * string, and a printf-style format with arguments); they are not part
 * of the SDK. */
static OpensslStatus_t tlsHandshake( const ServerInfo_t * pServerInfo,
                                     OpensslParams_t * pOpensslParams,
                                     const OpensslCredentials_t * pOpensslCredentials )
{
    OpensslStatus_t returnStatus = OPENSSL_SUCCESS;
    int32_t sslStatus = -1, verifyPeerCertStatus = X509_V_OK;

    /* Validate the hostname against the server's certificate. */
    /*vplDebugF("pServerInfo->pHostName  is:  %s.", pServerInfo->pHostName);
    vplDebugF(" pOpensslParams->pSsl  is:  %d.", pOpensslParams->pSsl);*/

    sslStatus = SSL_set1_host( pOpensslParams->pSsl, pServerInfo->pHostName );

    vplDebugF("SSL_set1_host output is:  %d.", sslStatus);

    if( sslStatus != 1 )
    {
        LogError( ( "SSL_set1_host failed to set the hostname to validate." ) );
        vplDebug("SSL_set1_host failed to set the hostname to validate.");
        returnStatus = OPENSSL_API_ERROR;
    }

    /* Enable SSL peer verification. */
    if( returnStatus == OPENSSL_SUCCESS )
    {
        SSL_set_verify( pOpensslParams->pSsl, SSL_VERIFY_PEER, NULL );

        /* Setup the socket to use for communication. */
        sslStatus =
            SSL_set_fd( pOpensslParams->pSsl, pOpensslParams->socketDescriptor );
        vplDebugF("SSL_set_fd output is:  %d.", sslStatus);

        if( sslStatus != 1 )
        {
            LogError( ( "SSL_set_fd failed to set the socket fd to SSL context." ) );
            vplDebug("SSL_set_fd failed to set the socket fd to SSL context.");
            returnStatus = OPENSSL_API_ERROR;
        }
    }

    /* Perform the TLS handshake. */
    if( returnStatus == OPENSSL_SUCCESS )
    {
        setOptionalConfigurations( pOpensslParams->pSsl, pOpensslCredentials );

        vplDebug("SSL_Connect is going to call #######################");
        sslStatus = SSL_connect( pOpensslParams->pSsl );
        vplDebugF("SSL_connect output is.: %d", sslStatus);
        /* SSL_get_error() must be passed the return value of the call it is
         * diagnosing (sslStatus), not a constant 0, or the reason is lost. */
        int error = SSL_get_error( pOpensslParams->pSsl, sslStatus );
        vplDebugF("SSL_get_error Error is.: %d", error);

        if( sslStatus != 1 )
        {
            LogError( ( "SSL_connect failed to perform TLS handshake." ) );
            vplDebugF("SSL_connect failed to perform TLS handshake.: %d", sslStatus);
            returnStatus = OPENSSL_HANDSHAKE_FAILED;
        }
    }

    /* Verify X509 certificate from peer. */
    if( returnStatus == OPENSSL_SUCCESS )
    {
        verifyPeerCertStatus = ( int32_t ) SSL_get_verify_result( pOpensslParams->pSsl );

        if( verifyPeerCertStatus != X509_V_OK )
        {
            LogError( ( "SSL_get_verify_result failed to verify X509 "
                        "certificate from peer." ) );
            vplDebug("SSL_get_verify_result failed to verify X509 "
                     "certificate from peer.");

            returnStatus = OPENSSL_HANDSHAKE_FAILED;
        }
    }

    return returnStatus;
}
```

paulbartell commented 1 year ago

@rakesh5283 Are you using a proper hostname or an IP address? Currently, only proper hostnames are supported.

rakesh5283 commented 1 year ago

@paulbartell I am using the AWS endpoint name.

I tried to print the error message and it shows me the below:

```
15:23:32 -> error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (null) À á process_server_certificate:certificate verify failed
```

The interesting thing is that using the mosquitto command it sends data to AWS IoT Core; the command is as below.

```
mosquitto_pub -h -ats.iot.ap-south-1.amazonaws.com --key privapem.key --cert certipem.crt --cafile RootCA1.pem -i testclient -q 1 -p 8883 -t testclient/example/topic -m 'Hello'
```

paulbartell commented 1 year ago

@rakesh5283 : A few more things to check if this is still a problem for you:

  1. Are you sure you have specified the RootCA1.pem file as the Root CA cert to verify against?
  2. If you are testing on a corporate network, it may also be that the TLS connection is being intercepted which could cause this type of failure.
  3. Is your system's time/date set? If the date is incorrect, openssl thinks that the server certificate is expired.
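
As an added illustration of the third check (a device clock that was never set), here is a small stand-alone C helper that is not part of the SDK: it derives the firmware build date from the compiler's `__DATE__` macro and refuses to start the handshake when the wall clock is earlier than that, which is the usual symptom of an RTC still reading the 1970 epoch. The function names and the "clock must be after build date" policy are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
/* Hypothetical helper, not SDK code: turn the compiler's __DATE__ string
 * ("Mmm dd yyyy", e.g. "Jan  5 2024") into a Unix timestamp at local
 * midnight. Returns (time_t)-1 when the string does not parse. */
time_t build_date_to_epoch( const char * build_date )
{
    static const char months[] = "JanFebMarAprMayJunJulAugSepOctNovDec";
    char mon[ 4 ] = { 0 };
    int day = 0, year = 0;
    struct tm tm;
    const char * p;

    if( sscanf( build_date, "%3s %d %d", mon, &day, &year ) != 3 )
        return ( time_t ) -1;
    p = strstr( months, mon );
    if( ( p == NULL ) || ( strlen( mon ) != 3 ) || ( ( p - months ) % 3 != 0 ) ||
        ( day < 1 ) || ( day > 31 ) || ( year < 1970 ) )
        return ( time_t ) -1;
    memset( &tm, 0, sizeof( tm ) );
    tm.tm_mon = ( int ) ( p - months ) / 3;
    tm.tm_mday = day;
    tm.tm_year = year - 1900;
    tm.tm_isdst = -1;
    return mktime( &tm );
}

/* Hypothetical pre-handshake check: a clock earlier than the build date of
 * the firmware carrying the CA bundle cannot be right (an unset RTC usually
 * reads the 1970 epoch), and certificate validation would then fail. */
int clock_is_plausible( time_t now, time_t build_epoch )
{
    if( ( build_epoch == ( time_t ) -1 ) || ( now == ( time_t ) -1 ) )
        return 0;
    return ( now >= build_epoch ) ? 1 : 0;
}

int main( void )
{
    time_t build_epoch = build_date_to_epoch( __DATE__ );
    if( clock_is_plausible( time( NULL ), build_epoch ) == 0 )
    {
        /* Sync the RTC (for example via NTP) before calling SSL_connect(). */
        printf( "Device clock not set; refusing TLS handshake.\n" );
        return 1;
    }
    printf( "Clock plausible; safe to call SSL_connect().\n" );
    return 0;
}
```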

ActoryOu commented 11 months ago

Hi @rakesh5283, have you checked the suggestions from @paulbartell? We'd like to get your feedback. Please feel free to ask if you have further questions.

Thanks.

rakesh5283 commented 11 months ago

Hi,

Sorry for the late reply.

The issue is resolved now. I am now able to send data to AWS IoT Core from my device.

It was the openssl library version that was creating the problem with my device.

Thanks for all your support.

rakesh5283 commented 2 weeks ago

@paulbartell

Hi Paul, thanks for your message.

The point below was not set on my device; once it was set, it worked.

3) Is your system's time/date set? If the date is incorrect, openssl thinks that the server certificate is expired.

I tried the same certificates with Python and it worked, but from my device it was not working; then I changed the device time, which is set from the IDE, and it works now.

Rakesh