aws / aws-iot-device-sdk-embedded-C

SDK for connecting to AWS IoT from a device using embedded C.
MIT License

iot_tls_connect error while using AWS IoT C SDK on tiny linux device #976

Closed shrinivasragolu closed 4 years ago

shrinivasragolu commented 4 years ago

Hi All, I just copied the device certificate, root CA and certificate to the /etc/certs folder in my rootfs. I have changed "certDirectory" accordingly in the subscribe_publish_sample.c file and built. I renamed the certs accordingly:

// =================================================

#define AWS_IOT_MQTT_HOST "a22j5sm6o3yzc5.iot.us-east-1.amazonaws.com"
#define AWS_IOT_MQTT_PORT 8883
#define AWS_IOT_MQTT_CLIENT_ID "RZA2M"
#define AWS_IOT_MY_THING_NAME "RZA2M"
#define AWS_IOT_ROOT_CA_FILENAME "root-CA.crt"
#define AWS_IOT_CERTIFICATE_FILENAME "device.pem.crt"
#define AWS_IOT_PRIVATE_KEY_FILENAME "private.pem.key"

// =================================================

When I run the application from the command line, I get the below error. Please help me resolve this issue.

DEBUG: iot_tls_connect L#120 . Seeding the random number generator... DEBUG: iot_tls_connect L#128 . Loading the CA root certificate ... ERROR: iot_tls_connect L#131 failed ! mbedtls_x509_crt_parse returned -0x3e00 while parsing root cert

alfred2g commented 4 years ago

Hi @shrinivasragolu, could you enable mbedTLS debugging? Also:

#define AWS_IOT_CERTIFICATE_FILENAME “device.pem.crt"
#define AWS_IOT_PRIVATE_KEY_FILENAME “private.pem.key" 

Regards, Alfred

shrinivasragolu commented 4 years ago

Hi Alfred,

Sorry for the late response. Could you please let me know how to enable the DEBUG option?

Some more details regarding this issue:

1) Using the release version 3.0.1 of the AWS IoT SDK, built as a static library for the sample application.
2) Using mbedtls version 2.16.3. Is it the proper version to work with, or are other versions needed?
3) Using MQTT port 443 instead of 8883.

Still I am getting the same issue below. Even my sample application is not able to print using the IOT_DEBUG prints.

Please help me in resolving the below issue.

$ ./pubsub
DEBUG: iot_tls_connect L#130 . Seeding the[ 18.777657] random: pubsub: uninitialized urandom read (127 bytes read) random number g[ 18.786413] random: pubsub: uninitialized urandom read (1024 bytes read) enerator... DEBUG: iot_tls_connect L#138 . Loading the CA root certificate ... ERROR: iot_tls_connect L#141 failed ! mbedtls_x509_crt_parse returned -0x3e00 while parsing root cert

Thanks, Srinivas.

aggarg commented 4 years ago

Using the mbedtls version 2.16.3. Is it proper version to work with? or any other versions are needed.

It is tested with version 2.16.5. You can run the following commands to get it, as mentioned here: https://github.com/aws/aws-iot-device-sdk-embedded-C/blob/master/.travis.yml

# Get mbedtls.
wget -qO- https://github.com/ARMmbed/mbedtls/archive/mbedtls-2.16.5.tar.gz | tar xvz -C external_libs/mbedTLS --strip-components=1

# Get CppUTest.
wget -qO- https://github.com/cpputest/cpputest/archive/v3.6.tar.gz | tar xvz -C external_libs/CppUTest --strip-components=1

Thanks.

shrinivasragolu commented 4 years ago

Hi aggarg,

I was able to resolve the above issue using the correct paths. But now I am encountering another issue, -0x2700. Log:

Certificates Directory is rootCA = /tmp/root-CA.crt clientCRT = /tmp/device.pem.crt clientKey = /tmp/private.pem.key DEBUG: iot_tls_connect L#130 . Seeding the random number generator... DEBUG: iot_tls_connect L#138 . Loading the CA root certificate ... DEBUG: iot_tls_connect L#144 ok (0 skipped)

DEBUG: iot_tls_connect L#146 . Loading the client cert. and key... DEBUG: iot_tls_connect L#159 ok

DEBUG: iot_tls_connect L#161 . Connecting to a2g7twmqo7hg82-ats.iot.ap-south-1.amazonaws.com/443... DEBUG: iot_tls_connect L#180 ok

DEBUG: iot_tls_connect L#182 . Setting up the SSL/TLS structure... DEBUG: iot_tls_connect L#223

SSL state connect : 0 DEBUG: iot_tls_connect L#226 ok

DEBUG: iot_tls_connect L#228

SSL state connect : 0 DEBUG: iot_tls_connect L#229 . Performing the SSL/TLS handshake... DEBUG: _iot_tls_verify_cert L#49 Verify requested for (Depth 2):

DEBUG: _iot_tls_verify_cert L#51 cert. version : 3 serial number : 06:6C:9F:CF:99:BF:8C:0A:39:E2:F0:78:8A:43:E6:96:36:5B:CA issuer name : C=US, O=Amazon, CN=Amazon Root CA 1 subject name : C=US, O=Amazon, CN=Amazon Root CA 1 issued on : 2015-05-26 00:00:00 expires on : 2038-01-17 00:00:00 signed using : RSA with SHA-256 RSA key size : 2048 bits basic constraints : CA=true key usage : Digital Signature, Key Cert Sign, CRL Sign

DEBUG: _iot_tls_verify_cert L#54 This certificate has no flags

DEBUG: _iot_tls_verify_cert L#49 Verify requested for (Depth 1):

DEBUG: _iot_tls_verify_cert L#51 cert. version : 3 serial number : 06:7F:94:57:85:87:E8:AC:77:DE:B2:53:32:5B:BC:99:8B:56:0D issuer name : C=US, O=Amazon, CN=Amazon Root CA 1 subject name : C=US, O=Amazon, OU=Server CA 1B, CN=Amazon issued on : 2015-10-22 00:00:00 expires on : 2025-10-19 00:00:00 signed using : RSA with SHA-256 RSA key size : 2048 bits basic constraints : CA=true, max_pathlen=0 key usage : Digital Signature, Key Cert Sign, CRL Sign

DEBUG: _iot_tls_verify_cert L#54 This certificate has no flags

DEBUG: _iot_tls_verify_cert L#49 Verify requested for (Depth 0):

DEBUG: _iot_tls_verify_cert L#51 cert. version : 3 serial number : 08:E0:24:7A:A0:55:AD:C8:10:B1:10:4A:A9:A3:B5:B0 issuer name : C=US, O=Amazon, OU=Server CA 1B, CN=Amazon subject name : CN=.iot.ap-south-1.amazonaws.com issued on : 2019-10-29 00:00:00 expires on : 2020-10-17 12:00:00 signed using : RSA with SHA-256 RSA key size : 2048 bits basic constraints : CA=false subject alt name : .iot.ap-south-1.amazonaws.com, iot.ap-south-1.amazonaws.com key usage : Digital Signature, Key Encipherment ext key usage : TLS Web Server Authentication, TLS Web Client Authentication

DEBUG: _iot_tls_verify_cert L#56 cert. version : 3 serial number : 08:E0:24:7A:A0:55:AD:C8:10:B1:10:4A:A9:A3:B5:B0 issuer name : C=US, O=Amazon, OU=Server CA 1B, CN=Amazon subject name : CN=.iot.ap-south-1.amazonaws.com issued on : 2019-10-29 00:00:00 expires on : 2020-10-17 12:00:00 signed using : RSA with SHA-256 RSA key size : 2048 bits basic constraints : CA=false subject alt name : .iot.ap-south-1.amazonaws.com, iot.ap-south-1.amazonaws.com key usage : Digital Signature, Key Encipherment ext key usage : TLS Web Server Authentication, TLS Web Client Authentication

DEBUG: _iot_tls_verify_cert L#56 cert. version : 3 serial number : 08:E0:24:7A:A0:55:AD:C8:10:B1:10:4A:A9:A3:B5:B0 issuer name : C=US, O=Amazon, OU=Server CA 1B, CN=Amazon subject name : CN=.iot.ap-south-1.amazonaws.com issued on : 2019-10-29 00:00:00 expires on : 2020-10-17 12:00:00 signed using : RSA with SHA-256 RSA key size : 2048 bits basic constraints : CA=false subject alt name : .iot.ap-south-1.amazonaws.com, iot.ap-south-1.amazonaws.com key usage : Digital Signature, Key Encipherment ext key usage : TLS Web Server Authentication, TLS Web Client Authentication

DEBUG: _iot_tls_verify_cert L#57 cert. version : 3 serial number : 08:E0:24:7A:A0:55:AD:C8:10:B1:10:4A:A9:A3:B5:B0 issuer name : C=US, O=Amazon, OU=Server CA 1B, CN=Amazon subject name : CN=.iot.ap-south-1.amazonaws.com issued on : 2019-10-29 00:00:00 expires on : 2020-10-17 12:00:00 signed using : RSA with SHA-256 RSA key size : 2048 bits basic constraints : CA=false subject alt name : .iot.ap-south-1.amazonaws.com, iot.ap-south-1.amazonaws.com key usage : Digital Signature, Key Encipherment ext key usage : TLS Web Server Authentication, TLS Web Client Authentication

ERROR: iot_tls_connect L#232 failed ! mbedtls_ssl_handshake returned -0x2700

ERROR: iot_tls_connect L#234 Unable to verify the server's certificate. Either it is invalid, or you didn't set ca_file or ca_path to an appropriate value. Alternatively, you may want to use auth_mode=optional for testing purposes.

============================================================== aws-iot-config.h

#define AWS_IOT_MQTT_HOST "a2g7twmqo7hg82-ats.iot.ap-south-1.amazonaws.com" ///< Customer specific MQTT HOST. The same will be used for Thing Shadow
#define AWS_IOT_MQTT_PORT 443 ///< default port for MQTT/S
#define AWS_IOT_MQTT_CLIENT_ID "RZA2M" ///< MQTT client ID should be unique for every device
#define AWS_IOT_MY_THING_NAME "RZA2M" ///< Thing Name of the Shadow this device is associated with
#define AWS_IOT_ROOT_CA_FILENAME "root-CA.crt" ///< Root CA file name
#define AWS_IOT_CERTIFICATE_FILENAME "device.pem.crt" ///< device signed certificate file name
#define AWS_IOT_PRIVATE_KEY_FILENAME "private.pem.key" ///< Device private key filename

// =================================================

Note: I have renamed the certificates downloaded from AWS IoT Core as above, and I have also tried with the original names.

When I run the pubsub library based application, I get the below error and am not able to understand what the problem is. I have used the downloaded certificates as they are. I have set the certificates directory to /tmp for my convenience.

Please suggest what might be causing the issue.

Thanks, Srinivas.

shrinivasragolu commented 4 years ago

Now I have progressed a little bit, using G2-RootCA1.pem, as this CA file works with the Ubuntu 18.04 setup. But I ended up with the below mbedtls handshake issue. So I ran ssl_client2 from programs/ssl in the mbedtls-2.16.5 source code.

Log

$ ./ssl_client2 server_name=a2g7twmqo7hg82-ats.iot.ap-south-1.amazonaws.com server_port=443 ca_file="/certs/G2-RootCA1.pem" crt_file="/certs/4960bd2f6b-certificate.pem.crt" key_file="/certs/4960bd2f6b-private.pem.key"

. Seeding the random number generator... ok . Loading the CA root certificate ... ok (0 skipped) . Loading the client cert. and key... ok . Connecting to tcp/a2g7twmqo7hg82-ats.iot.ap-south-1.amazonaws.com/443... ok . Setting up the SSL/TLS structure...ssl_tls.c:0081: |3| set_timer to 0 ms ok . Performing the SSL/TLS handshake...ssl_tls.c:8084: |2| => handshake ssl_cli.c:3510: |2| client state: 0 ssl_tls.c:2755: |2| => flush output ssl_tls.c:2767: |2| <= flush output ssl_cli.c:3510: |2| client state: 1 ssl_tls.c:2755: |2| => flush output ssl_tls.c:2767: |2| <= flush output ssl_cli.c:0774: |2| => write client hello ssl_cli.c:0811: |3| client hello, max version: [3:3] ssl_cli.c:0703: |3| client hello, current time: 1540979544 ssl_cli.c:0821: |3| dumping 'client hello, random bytes' (32 bytes) ssl_cli.c:0821: |3| 0000: 5b d9 7b 58 08 9d 65 1d 97 66 ad 6b 33 9d d2 c2 [.{X..e..f.k3... ssl_cli.c:0821: |3| 0010: 7b fc b1 8b 81 bd f1 3e d7 07 c0 d4 7d 68 f8 ef {......>....}h.. ssl_cli.c:0874: |3| client hello, session id len.: 0 ssl_cli.c:0875: |3| dumping 'client hello, session id' (0 bytes) ssl_cli.c:0921: |3| client hello, add ciphersuite: cca8 ssl_cli.c:0921: |3| client hello, add ciphersuite: cca9 ssl_cli.c:0921: |3| client hello, add ciphersuite: ccaa ssl_cli.c:0921: |3| client hello, add ciphersuite: c02c ssl_cli.c:0921: |3| client hello, add ciphersuite: c030 ssl_cli.c:0921: |3| client hello, add ciphersuite: 009f ssl_cli.c:0921: |3| client hello, add ciphersuite: c0ad ssl_cli.c:0921: |3| client hello, add ciphersuite: c09f ssl_cli.c:0921: |3| client hello, add ciphersuite: c024 ssl_cli.c:0921: |3| client hello, add ciphersuite: c028 ssl_cli.c:0921: |3| client hello, add ciphersuite: 006b ssl_cli.c:0921: |3| client hello, add ciphersuite: c00a ssl_cli.c:0921: |3| client hello, add ciphersuite: c014 ssl_cli.c:0921: |3| client hello, add ciphersuite: 0039 ssl_cli.c:0921: |3| client hello, add ciphersuite: c0af ssl_cli.c:0921: |3| client hello, add ciphersuite: c0a3 
ssl_tls.c:2755: |2| => flush output ssl_tls.c:2773: |2| message length: 434, out_left: 434 ssl_tls.c:2779: |2| ssl->f_send() returned 434 (-0xfffffe4e) ssl_tls.c:2807: |2| <= flush output ssl_tls.c:3476: |2| <= write record ssl_tls.c:3320: |2| <= write handshake message ssl_cli.c:1106: |2| <= write client hello ssl_cli.c:3510: |2| client state: 2 ssl_tls.c:2755: |2| => flush output ssl_tls.c:2767: |2| <= flush output ssl_cli.c:1499: |2| => parse server hello ssl_tls.c:4311: |2| => read record ssl_tls.c:2536: |2| => fetch input ssl_tls.c:2696: |2| in_left: 0, nb_want: 5 ssl_tls.c:2720: |2| in_left: 0, nb_want: 5 ssl_tls.c:2722: |2| ssl->f_recv(_timeout)() returned -80 (-0x0050) ssl_tls.c:4973: |1| mbedtls_ssl_fetch_input() returned -80 (-0x0050) ssl_tls.c:4344: |1| ssl_get_next_record() returned -80 (-0x0050) ssl_cli.c:1506: |1| mbedtls_ssl_read_record() returned -80 (-0x0050) ssl_tls.c:8094: |2| <= handshake failed ! mbedtls_ssl_handshake returned -0x50

Last error was: -0x50 - NET - Connection was reset by peer

ssl_tls.c:8934: |2| => free ssl_tls.c:8999: |2| <= free

Please help me with how I can resolve this handshake issue.

Thanks in advance, Srinivas.
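The three mbedTLS return codes quoted so far in this thread (-0x3e00 in the first post, -0x2700 in the previous post, and the -0x50 that ssl_client2 prints above as "NET - Connection was reset by peer") come from three different layers, and the layer can be read off the code the same way mbedtls_strerror() does it. The following is an added example, not code from the SDK or from anyone in the thread: the three constants are mbedTLS 2.16 values, while the classification enum and the suggested check per layer are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* mbedTLS 2.16 error values (pk.h, x509.h, net_sockets.h) for the three codes
 * seen in this thread. Only these three are covered; that is this example's scope. */
#define MBEDTLS_ERR_PK_FILE_IO_ERROR        (-0x3E00)
#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED (-0x2700)
#define MBEDTLS_ERR_NET_CONN_RESET          (-0x0050)

/* mbedtls_strerror() splits a return value into a high-level part (bits 7..15:
 * X509, PK, SSL, ...) and a low-level part (bits 0..6: NET, AES, ...).
 * Either half may be zero; a combined value carries both. Outputs are positive. */
void split_mbedtls_error(int ret, int *high, int *low)
{
    unsigned use_ret = (unsigned)(ret < 0 ? -ret : ret);
    *high = (int)(use_ret & 0xFF80u);
    *low  = (int)(use_ret & 0x007Fu);
}

typedef enum {
    LAYER_UNKNOWN = 0,
    LAYER_FILE_IO,      /* a credential file could not be read           */
    LAYER_X509_VERIFY,  /* the server chain does not end at the CA given  */
    LAYER_NETWORK       /* TCP-level failure; no TLS alert was received   */
} failing_layer_t;

/* Which layer produced the failure; NET codes live entirely in the low half. */
failing_layer_t classify_mbedtls_error(int ret)
{
    int high, low;
    split_mbedtls_error(ret, &high, &low);
    if (high == -MBEDTLS_ERR_PK_FILE_IO_ERROR)           return LAYER_FILE_IO;
    if (high == -MBEDTLS_ERR_X509_CERT_VERIFY_FAILED)    return LAYER_X509_VERIFY;
    if (high == 0 && low == -MBEDTLS_ERR_NET_CONN_RESET) return LAYER_NETWORK;
    return LAYER_UNKNOWN;
}

/* The check that addresses each layer, following how this thread progressed
 * (-0x3e00 went away with correct paths, -0x2700 with the right root CA). */
const char *next_check_for(failing_layer_t layer)
{
    switch (layer) {
    case LAYER_FILE_IO:
        return "certDirectory or a file name is wrong: the path could not be opened";
    case LAYER_X509_VERIFY:
        return "the CA file is not the root of the chain the endpoint presents";
    case LAYER_NETWORK:
        return "peer reset the TCP connection before any TLS alert: the failure is below the certificate layer";
    default:
        return "unclassified: enable the mbedTLS debug callback and raise the threshold";
    }
}

int main(void)
{
    /* Constructed input: the three codes quoted in the thread. */
    const int seen[] = { -0x3e00, -0x2700, -0x50 };
    for (size_t i = 0; i < sizeof seen / sizeof seen[0]; i++) {
        int high, low;
        split_mbedtls_error(seen[i], &high, &low);
        printf("-0x%04x  high=0x%04x low=0x%02x  -> %s\n", (unsigned)-seen[i],
               high, low, next_check_for(classify_mbedtls_error(seen[i])));
    }
    return 0;
}
```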

dachalco commented 4 years ago

Hello @shrinivasragolu

Unfortunately, since we didn't write it, I'm unable to provide detailed support for mbed-tls sample code. Though, I suspect it's not an issue with the code, but instead with the TLS parameters/configuration.

The following stood out to me:

ERROR: iot_tls_connect L#234 Unable to verify the server's certificate. Either it is invalid,
or you didn't set ca_file or ca_path to an appropriate value.
Alternatively, you may want to use auth_mode=optional for testing purposes.

First, I would suggest verifying your TLS configuration (key, certificate, port, etc.) with the Mosquitto MQTT client. It can ingest the same certificate and key files you are using. Here is a link on how to bridge the Mosquitto MQTT client with AWS IoT.

Lastly, there is the concept of policy. The certificates are used to identify your device, but your device also has a set of policies that define which IoT Core operations it can perform. You can read more about policies here and refer to some policy examples here. You'll want to make sure your device's certificate has policies that allow it to connect and publish, for example.

shrinivasragolu commented 4 years ago

Hi dachalco,

Actually, the error is not what you have specified. These certificates, port and the rest are already verified with the same code repo, including versions, on Ubuntu 18.04. It works perfectly fine on the Ubuntu 18.04 setup.

So, using the same setup and certificates on the embedded platform, I am facing the mbedtls_ssl_handshake issue with the -0x50 error.

./subscribe_publish_sample

AWS IoT SDK Version 3.0.1-

DEBUG: main L#163 rootCA /root/../certs/AmazonRootCA1.pem DEBUG: main L#164 clientCRT /root/../certs/774a17950a-certificate.pem.crt DEBUG: main L#165 clientKey /root/../certs/774a17950a-private.pem.key Connecting... Keep Alive count is 60000 DEBUG: iot_tls_connect L#130 . Seeding the random number generator... DEBUG: iot_tls_connect L#138 . Loading the CA root certificate ... DEBUG: iot_tls_connect L#144 ok (0 skipped)

DEBUG: iot_tls_connect L#146 . Loading the client cert. and key... DEBUG: iot_tls_connect L#159 ok

DEBUG: iot_tls_connect L#161 . Connecting to a2g7twmqo7hg82-ats.iot.ap-south-1.amazonaws.com/443... DEBUG: iot_tls_connect L#180 ok

DEBUG: iot_tls_connect L#182 . Setting up the SSL/TLS structure... DEBUG: iot_tls_connect L#223

SSL state connect : 0 DEBUG: iot_tls_connect L#226 ok

DEBUG: iot_tls_connect L#228

SSL state connect : 0 DEBUG: iot_tls_connect L#229 . Performing the SSL/TLS handshake... ERROR: iot_tls_connect L#232 failed ! mbedtls_ssl_handshake returned -0x50

ERROR: main L#195 Error(-4) connecting to a2g7twmqo7hg82-ats.iot.ap-south-1.amazonaws.com:443

Any inputs further? Please suggest.

thanks, Srinivas

shrinivasragolu commented 4 years ago

My client device specifications:

$ cat /proc/cpuinfo
processor       : 0
model name      : ARMv7 Processor rev 1 (v7l)
BogoMIPS        : 1056.00
Features        : half thumb fastmult vfp edsp neon vfpv3 tls vfpd32
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x4
CPU part        : 0xc09
CPU revision    : 1

Hardware        : Generic R7S9210 (Flattened Device Tree)
Revision        : 0000
Serial          : 0000000000000000

$ free
             total       used       free     shared    buffers     cached
Mem:          7544       4484       3060         40          0        304
-/+ buffers/cache:       4180       3364
Swap:            0          0          0

I am not getting any help to resolve this issue and am spending days and days on it. I suspect the issue might be timing related, CPU clock related, memory footprint related, or something else.

I badly need this forum's help to resolve the issue. Please ping me if you need any other data.

Thanks in advance, Srinivas.

aggarg commented 4 years ago

So it seems that you are not able to establish a TLS connection using the following:

rootCA - /root/../certs/AmazonRootCA1.pem
clientCRT - /root/../certs/774a17950a-certificate.pem.crt
clientKey - /root/../certs/774a17950a-private.pem.key
Endpoint: a2g7twmqo7hg82-ats.iot.ap-south-1.amazonaws.com

And you believe that all these credentials are okay as you are able to use the same to connect to AWS IoT elsewhere?

Would you please enable the mbedtls debug logs and share them?

Thanks.

shrinivasragolu commented 4 years ago

Yes aggarg,

I have used the same certificates and CA on Ubuntu 18.04 and Raspberry Pi 4 successfully.

This rootfs is read-only (axfs image, no RAM). Will it cause the problem?

I have used the ssl_client2 utility to find out the problem on the embedded hardware and got the below log. Command:

$ ./ssl_client2 server_name=a2g7twmqo7hg82-ats.iot.ap-south-1.amazonaws.com server_port=443 ca_file=/root/../certs/AmazonRootCA1.pem crt_file=/root/../certs/774a17950a-certificate.pem.crt key_file=/root/../certs/774a17950a-private.pem.key

Please let me know if you need more logs. I just enabled DEBUG_LEVEL 5 in mbedtls. Let me know if there is any link on enabling DEBUG messages further.

https://pastebin.com/mNXhB0xj

Thanks, Srinivas

aggarg commented 4 years ago

I have used the same certificates and CA on Ubuntu 18.04 and Raspberry Pi 4 successfully.

Please help me understand the above - are you saying that if you take the exact same source code (AWS IoT C SDK + mbedTLS + Your Keys and Certs) and build it on an Ubuntu/Raspberry Pi, it works?

If the above is true, we can be relatively sure that the problem is with the hardware you are trying to run it on.

Next, we need to narrow down the problem. I know that mbedTLS makes calls to malloc and free and requires heap. I am not familiar with your platform but what do you mean when you say No RAM - do you mean no heap or something else? I am not sure about the Read Only issue but is it possible to change the rootfs to not be Read Only to check if it is causing the problem?

For enabling debug logs in mbedTLS, you need to have a custom config file like this one: https://github.com/aws/amazon-freertos/blob/master/libraries/3rdparty/mbedtls_config/aws_mbedtls_config.h and need to set the MBEDTLS_CONFIG_FILE macro to your config file. You can then enable all the debug flags in the config file. Let me know if you are not able to do this and I can try to do it on an Ubuntu machine so that we can get more detailed logs on your hardware.

Thanks.

shrinivasragolu commented 4 years ago

Yes aggarg, I was successful with (AWS IoT C SDK + mbedTLS + My Keys and Certs) on Ubuntu 18.04 and Raspberry Pi 4 hardware. Not even a single line changed.

Coming to the hardware, it is Renesas HW (RZA2M) which has Linux #44 https://www.renesas.com/us/en/products/software-tools/boards-and-kits/eval-kits/rz-a2m-evaluation-board-kit.html. It is just for evaluation purposes and will not continue to our end product hardware.

Memory wise it is read-only hyper flash memory, and sorry for my statement of "No RAM". Hyper RAM is also available, from my understanding, and one thing is sure: the file system is read-only. As you suggested, I started porting the source code to another similar hardware with a read-write filesystem. I will update the results.

I will enable all DEBUG settings in mbedtls-2.16.5/include/mbedtls/config.h (default config file) and test whether enough logs are generated.

If I don't get enough logs, will ask your help for sure.

shrinivasragolu commented 4 years ago

Hi aggarg, I have used different hardware (STM32MP157x-EV1) with a good amount of RAM and a RW filesystem.

Unfortunately I am facing the same issue.

I also tried to enable debug logs by enabling the below macros in external_library/mbedtls/include/mbedtls/config.h:

MBEDTLS_SSL_DEBUG_ALL
MBEDTLS_DEBUG_C

I also set all DEBUG_LEVEL and DFL_DEBUG_LEVEL to 5 in all files in the mbedtls directory.

But I was not able to see any logs on my device console when I ran subscribe_publish_sample.

Please help with how I can enable complete mbedtls logs to identify the issue. As you mentioned in your last post, please try to enable debug logs on Ubuntu and provide me the steps, so I can port them to my repo.

Thanks in advance, Srinivas.

aggarg commented 4 years ago

You need to do the following steps to enable mbedTLS logs:

  1. Un-comment #define MBEDTLS_SSL_DEBUG_ALL in config.h.
  2. Set the debug level to 5.
  3. Provide a callback to print the debug messages.

You have already done 1; here is how you can do 2 and 3. Please add the following at this line: https://github.com/aws/aws-iot-device-sdk-embedded-C/blob/master/platform/linux/mbedtls/network_mbedtls_wrapper.c#L129

    /* Enable debug logs. */
    mbedtls_ssl_conf_dbg(&(tlsDataParams->conf), debug_output, NULL);
    mbedtls_debug_set_threshold(5);

Also, add the definition of debug_output at the top of the same file:

    /* mbedTLS debug callback: same signature as the f_dbg argument of mbedtls_ssl_conf_dbg(). */
    static void debug_output(void *ctx, int level, const char *file, int line,
                             const char *str)
    {
        const char *p, *basename;
        (void) ctx;

        /* Extract basename from file. */
        for(p = basename = file; *p != '\0'; p++) {
            if(*p == '/' || *p == '\\') {
                basename = p + 1;
            }
        }

        /* str already ends with a newline, so none is added here. */
        printf("%s:%04d: |%d| %s", basename, line, level, str);
    }

You may need to replace printf with the corresponding function on your platform.

The above implementation of debug_output is taken from here: https://github.com/ARMmbed/mbed-os-example-tls/blob/5cca1f74a70855c17cf292f176d0c96db4980df9/tls-client/main.cpp#L316.

Thanks.
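On a device where printf does not reach the console (the situation reported earlier in this thread), the ctx argument that mbedtls_ssl_conf_dbg() passes through to the callback can carry a sink instead. The following is an added example, not the SDK's code and not from anyone in the thread: a debug sink with the same callback signature and basename extraction as above, a level filter that does what the threshold does, and a ring buffer that keeps the last lines so they can be dumped after the handshake fails. The ring type, its sizes and the function names are this example's own; registering it in network_mbedtls_wrapper.c is shown only as a comment, since mbedTLS headers are not needed for the sink itself.

```c
#include <stdio.h>
#include <string.h>

/* Registration in the SDK wrapper (this example's suggestion, not compiled here):
 *   mbedtls_ssl_conf_dbg(&(tlsDataParams->conf), debug_to_ring, &g_ring);
 *   mbedtls_debug_set_threshold(5);
 * The threshold still applies first; max_level below is a second filter. */
#define RING_LINES    8
#define RING_LINE_LEN 96

typedef struct {
    char lines[RING_LINES][RING_LINE_LEN];
    unsigned next;     /* slot that the next line goes into */
    unsigned count;    /* lines currently held, at most RING_LINES */
    unsigned dropped;  /* lines overwritten before they were dumped */
    int max_level;     /* keep messages at or below this level */
} debug_ring_t;

void ring_init(debug_ring_t *r, int max_level)
{
    memset(r, 0, sizeof *r);
    r->max_level = max_level;
}

/* Same signature as the f_dbg callback of mbedtls_ssl_conf_dbg(). */
void debug_to_ring(void *ctx, int level, const char *file, int line, const char *str)
{
    debug_ring_t *r = ctx;
    const char *p, *basename;
    size_t n;

    if (level > r->max_level)
        return;

    /* mbedTLS passes the full __FILE__; keep only the basename. */
    for (p = basename = file; *p != '\0'; p++)
        if (*p == '/' || *p == '\\')
            basename = p + 1;

    /* mbedTLS messages end with a newline; strip it so one line fits one slot. */
    n = strlen(str);
    if (n > 0 && str[n - 1] == '\n')
        n--;

    if (r->count == RING_LINES)
        r->dropped++;          /* overwriting the oldest unread line */
    else
        r->count++;
    snprintf(r->lines[r->next], RING_LINE_LEN, "%s:%04d: |%d| %.*s",
             basename, line, level, (int)n, str);
    r->next = (r->next + 1) % RING_LINES;
}

/* Line idx counted from the oldest held line; NULL when idx is out of range. */
const char *ring_line(const debug_ring_t *r, unsigned idx)
{
    unsigned start;
    if (idx >= r->count)
        return NULL;
    start = (r->next + RING_LINES - r->count) % RING_LINES;
    return r->lines[(start + idx) % RING_LINES];
}

/* Call from the error path, e.g. where iot_tls_connect reports the handshake failure. */
void ring_dump(const debug_ring_t *r, FILE *out)
{
    unsigned i;
    for (i = 0; i < r->count; i++)
        fprintf(out, "%s\n", ring_line(r, i));
    if (r->dropped)
        fprintf(out, "(%u earlier lines dropped)\n", r->dropped);
}

int main(void)
{
    debug_ring_t ring;
    ring_init(&ring, 2);  /* keep levels 1 and 2, drop 3 and 4 */
    /* Constructed messages in the shape mbedTLS emits them (trailing newline). */
    debug_to_ring(&ring, 2, "/src/mbedtls/library/ssl_tls.c", 8084, "=> handshake\n");
    debug_to_ring(&ring, 3, "/src/mbedtls/library/ssl_cli.c", 811, "client hello, max version: [3:3]\n");
    debug_to_ring(&ring, 1, "/src/mbedtls/library/ssl_tls.c", 4973,
                  "mbedtls_ssl_fetch_input() returned -80 (-0x0050)\n");
    ring_dump(&ring, stdout);
    return 0;
}
```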

shrinivasragolu commented 4 years ago

Hi aggarg, thanks for the steps; I followed them and got the below output log.

root@stm32mp1:~# ./subscribe_publish_sample

AWS IoT SDK Version 3.0.1-

DEBUG: main L#159 rootCA /home/root/../../../certs/AmazonRootCA1.pem DEBUG: main L#160 clientCRT /home/root/../../../certs/774a17950a-certificate.pem.crt DEBUG: main L#161 clientKey /home/root/../../../certs/774a17950a-private.pem.key Connecting... DEBUG: iot_tls_connect L#150 . Seeding the random number generator... DEBUG: iot_tls_connect L#158 . Loading the CA root certificate ... DEBUG: iot_tls_connect L#164 ok (0 skipped)

DEBUG: iot_tls_connect L#166 . Loading the client cert. and key... DEBUG: iot_tls_connect L#179 ok

DEBUG: iot_tls_connect L#181 . Connecting to a2g7twmqo7hg82-ats.iot.ap-south-1.amazonaws.com/443... DEBUG: iot_tls_connect L#200 ok

DEBUG: iot_tls_connect L#202 . Setting up the SSL/TLS structure... DEBUG: iot_tls_connect L#243

SSL state connect : 0 DEBUG: iot_tls_connect L#246 ok

DEBUG: iot_tls_connect L#248

SSL state connect : 0 DEBUG: iot_tls_connect L#249 . Performing the SSL/TLS handshake... ssl_tls.c:8084: |2| => handshake ssl_cli.c:3510: |2| client state: 0 ssl_tls.c:2755: |2| => flush output ssl_tls.c:2767: |2| <= flush output ssl_cli.c:3510: |2| client state: 1 ssl_tls.c:2755: |2| => flush output ssl_tls.c:2767: |2| <= flush output ssl_cli.c:0774: |2| => write client hello ssl_cli.c:0812: |3| client hello, max version: [3:3] ssl_cli.c:0703: |3| client hello, current time: 1592806344 ssl_cli.c:0821: |3| dumping 'client hello, random bytes' (32 bytes) ssl_cli.c:0821: |3| 0000: 5e f0 4b c8 de 27 23 49 d0 11 08 68 8a 32 f3 35 ^.K..'#I...h.2.5 ssl_cli.c:0821: |3| 0010: ac c5 91 bf 87 5f dd f1 9b 76 d8 0a cd 4d a7 01 ....._...v...M.. ssl_cli.c:0874: |3| client hello, session id len.: 0 ssl_cli.c:0875: |3| dumping 'client hello, session id' (0 bytes) ssl_cli.c:0922: |3| client hello, add ciphersuite: cca8 ssl_cli.c:0922: |3| client hello, add ciphersuite: cca9 ssl_cli.c:0922: |3| client hello, add ciphersuite: ccaa ssl_cli.c:0922: |3| client hello, add ciphersuite: c02c ssl_cli.c:0922: |3| client hello, add ciphersuite: c030 ssl_cli.c:0922: |3| client hello, add ciphersuite: 009f ssl_cli.c:0922: |3| client hello, add ciphersuite: c0ad ssl_cli.c:0922: |3| client hello, add ciphersuite: c09f ssl_cli.c:0922: |3| client hello, add ciphersuite: c024 ssl_cli.c:0922: |3| client hello, add ciphersuite: c028 ssl_cli.c:0922: |3| client hello, add ciphersuite: 006b ssl_cli.c:0922: |3| client hello, add ciphersuite: c00a ssl_cli.c:0922: |3| client hello, add ciphersuite: c014 ssl_cli.c:0922: |3| client hello, add ciphersuite: 0039 ssl_cli.c:0922: |3| client hello, add ciphersuite: c0af ssl_cli.c:0922: |3| client hello, add ciphersuite: c0a3 ssl_cli.c:0922: |3| client hello, add ciphersuite: c087 ssl_cli.c:0922: |3| client hello, add ciphersuite: c08b ssl_cli.c:0922: |3| client hello, add ciphersuite: c07d ssl_cli.c:0922: |3| client hello, add ciphersuite: c073 ssl_cli.c:0922: |3| 
client hello, add ciphersuite: c077 ssl_cli.c:0922: |3| client hello, add ciphersuite: 00c4 ssl_cli.c:0922: |3| client hello, add ciphersuite: 0088 ssl_cli.c:0922: |3| client hello, add ciphersuite: c02b ssl_cli.c:0922: |3| client hello, add ciphersuite: c02f ssl_cli.c:0922: |3| client hello, add ciphersuite: 009e ssl_cli.c:0922: |3| client hello, add ciphersuite: c0ac ssl_cli.c:0922: |3| client hello, add ciphersuite: c09e ssl_cli.c:0922: |3| client hello, add ciphersuite: c023 ssl_cli.c:0922: |3| client hello, add ciphersuite: c027 ssl_cli.c:0922: |3| client hello, add ciphersuite: 0067 ssl_cli.c:0922: |3| client hello, add ciphersuite: c009 ssl_cli.c:0922: |3| client hello, add ciphersuite: c013 ssl_cli.c:0922: |3| client hello, add ciphersuite: 0033 ssl_cli.c:0922: |3| client hello, add ciphersuite: c0ae ssl_cli.c:0922: |3| client hello, add ciphersuite: c0a2 ssl_cli.c:0922: |3| client hello, add ciphersuite: c086 ssl_cli.c:0922: |3| client hello, add ciphersuite: c08a ssl_cli.c:0922: |3| client hello, add ciphersuite: c07c ssl_cli.c:0922: |3| client hello, add ciphersuite: c072 ssl_cli.c:0922: |3| client hello, add ciphersuite: c076 ssl_cli.c:0922: |3| client hello, add ciphersuite: 00be ssl_cli.c:0922: |3| client hello, add ciphersuite: 0045 ssl_cli.c:0922: |3| client hello, add ciphersuite: ccac ssl_cli.c:0922: |3| client hello, add ciphersuite: ccad ssl_cli.c:0922: |3| client hello, add ciphersuite: 00ab ssl_cli.c:0922: |3| client hello, add ciphersuite: c0a7 ssl_cli.c:0922: |3| client hello, add ciphersuite: c038 ssl_cli.c:0922: |3| client hello, add ciphersuite: 00b3 ssl_cli.c:0922: |3| client hello, add ciphersuite: c036 ssl_cli.c:0922: |3| client hello, add ciphersuite: 0091 ssl_cli.c:0922: |3| client hello, add ciphersuite: c091 ssl_cli.c:0922: |3| client hello, add ciphersuite: c09b ssl_cli.c:0922: |3| client hello, add ciphersuite: c097 ssl_cli.c:0922: |3| client hello, add ciphersuite: c0ab ssl_cli.c:0922: |3| client hello, add ciphersuite: 00aa 
ssl_cli.c:0922: |3| client hello, add ciphersuite: c0a6 ssl_cli.c:0922: |3| client hello, add ciphersuite: c037 ssl_cli.c:0922: |3| client hello, add ciphersuite: 00b2 ssl_cli.c:0922: |3| client hello, add ciphersuite: c035 ssl_cli.c:0922: |3| client hello, add ciphersuite: 0090 ssl_cli.c:0922: |3| client hello, add ciphersuite: c090 ssl_cli.c:0922: |3| client hello, add ciphersuite: c096 ssl_cli.c:0922: |3| client hello, add ciphersuite: c09a ssl_cli.c:0922: |3| client hello, add ciphersuite: c0aa ssl_cli.c:0922: |3| client hello, add ciphersuite: 009d ssl_cli.c:0922: |3| client hello, add ciphersuite: c09d ssl_cli.c:0922: |3| client hello, add ciphersuite: 003d ssl_cli.c:0922: |3| client hello, add ciphersuite: 0035 ssl_cli.c:0922: |3| client hello, add ciphersuite: c032 ssl_cli.c:0922: |3| client hello, add ciphersuite: c02a ssl_cli.c:0922: |3| client hello, add ciphersuite: c00f ssl_cli.c:0922: |3| client hello, add ciphersuite: c02e ssl_cli.c:0922: |3| client hello, add ciphersuite: c026 ssl_cli.c:0922: |3| client hello, add ciphersuite: c005 ssl_cli.c:0922: |3| client hello, add ciphersuite: c0a1 ssl_cli.c:0922: |3| client hello, add ciphersuite: c07b ssl_cli.c:0922: |3| client hello, add ciphersuite: 00c0 ssl_cli.c:0922: |3| client hello, add ciphersuite: 0084 ssl_cli.c:0922: |3| client hello, add ciphersuite: c08d ssl_cli.c:0922: |3| client hello, add ciphersuite: c079 ssl_cli.c:0922: |3| client hello, add ciphersuite: c089 ssl_cli.c:0922: |3| client hello, add ciphersuite: c075 ssl_cli.c:0922: |3| client hello, add ciphersuite: 009c ssl_cli.c:0922: |3| client hello, add ciphersuite: c09c ssl_cli.c:0922: |3| client hello, add ciphersuite: 003c ssl_cli.c:0922: |3| client hello, add ciphersuite: 002f ssl_cli.c:0922: |3| client hello, add ciphersuite: c031 ssl_cli.c:0922: |3| client hello, add ciphersuite: c029 ssl_cli.c:0922: |3| client hello, add ciphersuite: c00e ssl_cli.c:0922: |3| client hello, add ciphersuite: c02d ssl_cli.c:0922: |3| client hello, add 
ciphersuite: c025 ssl_cli.c:0922: |3| client hello, add ciphersuite: c004 ssl_cli.c:0922: |3| client hello, add ciphersuite: c0a0 ssl_cli.c:0922: |3| client hello, add ciphersuite: c07a ssl_cli.c:0922: |3| client hello, add ciphersuite: 00ba ssl_cli.c:0922: |3| client hello, add ciphersuite: 0041 ssl_cli.c:0922: |3| client hello, add ciphersuite: c08c ssl_cli.c:0922: |3| client hello, add ciphersuite: c078 ssl_cli.c:0922: |3| client hello, add ciphersuite: c088 ssl_cli.c:0922: |3| client hello, add ciphersuite: c074 ssl_cli.c:0922: |3| client hello, add ciphersuite: ccae ssl_cli.c:0922: |3| client hello, add ciphersuite: 00ad ssl_cli.c:0922: |3| client hello, add ciphersuite: 00b7 ssl_cli.c:0922: |3| client hello, add ciphersuite: 0095 ssl_cli.c:0922: |3| client hello, add ciphersuite: c093 ssl_cli.c:0922: |3| client hello, add ciphersuite: c099 ssl_cli.c:0922: |3| client hello, add ciphersuite: 00ac ssl_cli.c:0922: |3| client hello, add ciphersuite: 00b6 ssl_cli.c:0922: |3| client hello, add ciphersuite: 0094 ssl_cli.c:0922: |3| client hello, add ciphersuite: c092 ssl_cli.c:0922: |3| client hello, add ciphersuite: c098 ssl_cli.c:0922: |3| client hello, add ciphersuite: ccab ssl_cli.c:0922: |3| client hello, add ciphersuite: 00a9 ssl_cli.c:0922: |3| client hello, add ciphersuite: c0a5 ssl_cli.c:0922: |3| client hello, add ciphersuite: 00af ssl_cli.c:0922: |3| client hello, add ciphersuite: 008d ssl_cli.c:0922: |3| client hello, add ciphersuite: c08f ssl_cli.c:0922: |3| client hello, add ciphersuite: c095 ssl_cli.c:0922: |3| client hello, add ciphersuite: c0a9 ssl_cli.c:0922: |3| client hello, add ciphersuite: 00a8 ssl_cli.c:0922: |3| client hello, add ciphersuite: c0a4 ssl_cli.c:0922: |3| client hello, add ciphersuite: 00ae ssl_cli.c:0922: |3| client hello, add ciphersuite: 008c ssl_cli.c:0922: |3| client hello, add ciphersuite: c08e ssl_cli.c:0922: |3| client hello, add ciphersuite: c094 ssl_cli.c:0922: |3| client hello, add ciphersuite: c0a8 ssl_cli.c:0934: |3| 
client hello, got 127 ciphersuites (excluding SCSVs) ssl_cli.c:0943: |3| adding EMPTY_RENEGOTIATION_INFO_SCSV ssl_cli.c:0992: |3| client hello, compress len.: 1 ssl_cli.c:0994: |3| client hello, compress alg.: 0 ssl_cli.c:0069: |3| client hello, adding server name extension: a2g7twmqo7hg82-ats.iot.ap-south-1.amazonaws.com ssl_cli.c:0186: |3| client hello, adding signature_algorithms extension ssl_cli.c:0271: |3| client hello, adding supported_elliptic_curves extension ssl_cli.c:0336: |3| client hello, adding supported_point_formats extension ssl_cli.c:0518: |3| client hello, adding encrypt_then_mac extension ssl_cli.c:0552: |3| client hello, adding extended_master_secret extension ssl_cli.c:0630: |3| client hello, adding alpn extension ssl_cli.c:0585: |3| client hello, adding session ticket extension ssl_cli.c:1071: |3| client hello, total extension length: 149 ssl_tls.c:3184: |2| => write handshake message ssl_tls.c:3343: |2| => write record ssl_tls.c:3423: |3| output record: msgtype = 22, version = [3:1], msglen = 450 ssl_tls.c:3426: |4| dumping 'output record sent to network' (455 bytes) ssl_tls.c:3426: |4| 0000: 16 03 01 01 c2 01 00 01 be 03 03 5e f0 4b c8 de ...........^.K.. ssl_tls.c:3426: |4| 0010: 27 23 49 d0 11 08 68 8a 32 f3 35 ac c5 91 bf 87 '#I...h.2.5..... ssl_tls.c:3426: |4| 0020: 5f dd f1 9b 76 d8 0a cd 4d a7 01 00 01 00 cc a8 _...v...M....... ssl_tls.c:3426: |4| 0030: cc a9 cc aa c0 2c c0 30 00 9f c0 ad c0 9f c0 24 .....,.0.......$ ssl_tls.c:3426: |4| 0040: c0 28 00 6b c0 0a c0 14 00 39 c0 af c0 a3 c0 87 .(.k.....9...... ssl_tls.c:3426: |4| 0050: c0 8b c0 7d c0 73 c0 77 00 c4 00 88 c0 2b c0 2f ...}.s.w.....+./ ssl_tls.c:3426: |4| 0060: 00 9e c0 ac c0 9e c0 23 c0 27 00 67 c0 09 c0 13 .......#.'.g.... ssl_tls.c:3426: |4| 0070: 00 33 c0 ae c0 a2 c0 86 c0 8a c0 7c c0 72 c0 76 .3.........|.r.v ssl_tls.c:3426: |4| 0080: 00 be 00 45 cc ac cc ad 00 ab c0 a7 c0 38 00 b3 ...E.........8.. 
ssl_tls.c:3426: |4| 0090: c0 36 00 91 c0 91 c0 9b c0 97 c0 ab 00 aa c0 a6 .6.............. ssl_tls.c:3426: |4| 00a0: c0 37 00 b2 c0 35 00 90 c0 90 c0 96 c0 9a c0 aa .7...5.......... ssl_tls.c:3426: |4| 00b0: 00 9d c0 9d 00 3d 00 35 c0 32 c0 2a c0 0f c0 2e .....=.5.2.*.... ssl_tls.c:3426: |4| 00c0: c0 26 c0 05 c0 a1 c0 7b 00 c0 00 84 c0 8d c0 79 .&.....{.......y ssl_tls.c:3426: |4| 00d0: c0 89 c0 75 00 9c c0 9c 00 3c 00 2f c0 31 c0 29 ...u.....<./.1.) ssl_tls.c:3426: |4| 00e0: c0 0e c0 2d c0 25 c0 04 c0 a0 c0 7a 00 ba 00 41 ...-.%.....z...A ssl_tls.c:3426: |4| 00f0: c0 8c c0 78 c0 88 c0 74 cc ae 00 ad 00 b7 00 95 ...x...t........ ssl_tls.c:3426: |4| 0100: c0 93 c0 99 00 ac 00 b6 00 94 c0 92 c0 98 cc ab ................ ssl_tls.c:3426: |4| 0110: 00 a9 c0 a5 00 af 00 8d c0 8f c0 95 c0 a9 00 a8 ................ ssl_tls.c:3426: |4| 0120: c0 a4 00 ae 00 8c c0 8e c0 94 c0 a8 00 ff 01 00 ................ ssl_tls.c:3426: |4| 0130: 00 95 00 00 00 34 00 32 00 00 2f 61 32 67 37 74 .....4.2../a2g7t ssl_tls.c:3426: |4| 0140: 77 6d 71 6f 37 68 67 38 32 2d 61 74 73 2e 69 6f wmqo7hg82-ats.io ssl_tls.c:3426: |4| 0150: 74 2e 61 70 2d 73 6f 75 74 68 2d 31 2e 61 6d 61 t.ap-south-1.ama ssl_tls.c:3426: |4| 0160: 7a 6f 6e 61 77 73 2e 63 6f 6d 00 0d 00 16 00 14 zonaws.com...... ssl_tls.c:3426: |4| 0170: 06 03 06 01 05 03 05 01 04 03 04 01 03 03 03 01 ................ ssl_tls.c:3426: |4| 0180: 02 03 02 01 00 0a 00 18 00 16 00 19 00 1c 00 18 ................ ssl_tls.c:3426: |4| 0190: 00 1b 00 17 00 16 00 1a 00 15 00 14 00 13 00 12 ................ ssl_tls.c:3426: |4| 01a0: 00 0b 00 02 01 00 00 16 00 00 00 17 00 00 00 10 ................ ssl_tls.c:3426: |4| 01b0: 00 11 00 0f 0e 78 2d 61 6d 7a 6e 2d 6d 71 74 74 .....x-amzn-mqtt ssl_tls.c:3426: |4| 01c0: 2d 63 61 00 23 00 00 -ca.#.. 
ssl_tls.c:2755: |2| => flush output ssl_tls.c:2774: |2| message length: 455, out_left: 455 ssl_tls.c:2779: |2| ssl->f_send() returned 455 (-0xfffffe39) ssl_tls.c:2807: |2| <= flush output ssl_tls.c:3476: |2| <= write record ssl_tls.c:3320: |2| <= write handshake message ssl_cli.c:1106: |2| <= write client hello ssl_cli.c:3510: |2| client state: 2 ssl_tls.c:2755: |2| => flush output ssl_tls.c:2767: |2| <= flush output ssl_cli.c:1499: |2| => parse server hello ssl_tls.c:4311: |2| => read record ssl_tls.c:2536: |2| => fetch input ssl_tls.c:2697: |2| in_left: 0, nb_want: 5 ssl_tls.c:2721: |2| in_left: 0, nb_want: 5 ssl_tls.c:2722: |2| ssl->f_recv(_timeout)() returned -80 (-0x0050) ssl_tls.c:4973: |1| mbedtls_ssl_fetch_input() returned -80 (-0x0050) ssl_tls.c:4344: |1| ssl_get_next_record() returned -80 (-0x0050) ssl_cli.c:1506: |1| mbedtls_ssl_read_record() returned -80 (-0x0050) ssl_tls.c:8094: |2| <= handshake ERROR: iot_tls_connect L#252 failed ! mbedtls_ssl_handshake returned -0x50

ssl_tls.c:8725: |2| => write close notify ssl_tls.c:8741: |2| <= write close notify ssl_tls.c:8934: |2| => free ssl_tls.c:8999: |2| <= free ERROR: main L#190 Error(-4) connecting to a2g7twmqo7hg82-ats.iot.ap-south-1.amazonaws.com:443

Somehow the handshake is not going fine; I tried so many configuration changes but no luck...

Please help me in resolving this issue.

Srinivas.

aggarg commented 4 years ago

It seems that you are getting "Connection reset by peer" error and the server is rejecting the connection. It is a bit confusing as you mention that you are able to run the exact same code on a different machine. Would you please get the logs from that working machine too? Please make sure to copy the exact same code and creds.

Also, would you please try increasing IOT_SSL_READ_TIMEOUT here (I am not very hopeful about this as the error is ECONNRESET, but just to try): https://github.com/aws/aws-iot-device-sdk-embedded-C/blob/master/platform/linux/mbedtls/network_mbedtls_wrapper.c#L32

Thanks.

shrinivasragolu commented 4 years ago

Hi aggarg,

I have tried the same source code and credentials on Ubuntu 18.04 and Raspberry Pi 4 and see the output below after enabling debug logs. The only difference in source code between those two and the embedded hardware is IOT_SSL_READ_TIMEOUT (increased to 1000 as you suggested).

In my embedded hardware (STM32MP157x-EV1) I configured the network over an Ethernet cable with a static IP using the steps below:

    /sbin/ifconfig eth1 10.10.2.35 netmask 255.255.255.0 up
    /sbin/route add default gw 10.10.2.1
    echo "nameserver 1.1.1.1" > /etc/resolv.conf

I could ping any IP address or URL. Let me know if anything additional needs to be added to this configuration.

Ubuntu 18.04/Raspberry Pi4 Log

https://pastebin.com/BTqjeb0m

I have increased IOT_SSL_READ_TIMEOUT to 10000 from 10, and the log is below.

STM32MP157x-EV1 Log

root@stm32mp1:/usr/bin/aws# ./subscribe_publish_sample

AWS IoT SDK Version 3.0.1-

DEBUG: main L#159 rootCA /usr/bin/aws/../../../certs/AmazonRootCA1.pem DEBUG: main L#160 clientCRT /usr/bin/aws/../../../certs/774a17950a-certificate.pem.crt DEBUG: main L#161 clientKey /usr/bin/aws/../../../certs/774a17950a-private.pem.key Connecting... DEBUG: iot_tls_connect L#151 . Seeding the random number generator... DEBUG: iot_tls_connect L#159 . Loading the CA root certificate ... DEBUG: iot_tls_connect L#165 ok (0 skipped)

DEBUG: iot_tls_connect L#167 . Loading the client cert. and key... DEBUG: iot_tls_connect L#180 ok

DEBUG: iot_tls_connect L#182 . Connecting to a2g7twmqo7hg82-ats.iot.ap-south-1.amazonaws.com/443... DEBUG: iot_tls_connect L#201 ok

DEBUG: iot_tls_connect L#203 . Setting up the SSL/TLS structure... DEBUG: iot_tls_connect L#244

SSL state connect : 0 DEBUG: iot_tls_connect L#247 ok

DEBUG: iot_tls_connect L#249

SSL state connect : 0 DEBUG: iot_tls_connect L#250 . Performing the SSL/TLS handshake... ssl_tls.c:8084: |2| => handshake ssl_cli.c:3510: |2| client state: 0 ssl_tls.c:2755: |2| => flush output ssl_tls.c:2767: |2| <= flush output ssl_cli.c:3510: |2| client state: 1 ssl_tls.c:2755: |2| => flush output ssl_tls.c:2767: |2| <= flush output ssl_cli.c:0774: |2| => write client hello ssl_cli.c:0812: |3| client hello, max version: [3:3] ssl_cli.c:0703: |3| client hello, current time: 1592850072 ssl_cli.c:0821: |3| dumping 'client hello, random bytes' (32 bytes) ssl_cli.c:0821: |3| 0000: 5e f0 f6 98 29 fa 68 93 fa 73 1e 9c 47 45 ed 0e ^...).h..s..GE.. ssl_cli.c:0821: |3| 0010: d8 25 ab 20 a4 d2 54 06 21 8c e9 42 e4 54 a1 f8 .%. ..T.!..B.T.. ssl_cli.c:0874: |3| client hello, session id len.: 0 ssl_cli.c:0875: |3| dumping 'client hello, session id' (0 bytes) ssl_cli.c:0922: |3| client hello, add ciphersuite: cca8 ssl_cli.c:0922: |3| client hello, add ciphersuite: cca9 ssl_cli.c:0922: |3| client hello, add ciphersuite: ccaa ssl_cli.c:0922: |3| client hello, add ciphersuite: c02c ssl_cli.c:0922: |3| client hello, add ciphersuite: c030 ssl_cli.c:0922: |3| client hello, add ciphersuite: 009f ssl_cli.c:0922: |3| client hello, add ciphersuite: c0ad ssl_cli.c:0922: |3| client hello, add ciphersuite: c09f ssl_cli.c:0922: |3| client hello, add ciphersuite: c024 ssl_cli.c:0922: |3| client hello, add ciphersuite: c028 ssl_cli.c:0922: |3| client hello, add ciphersuite: 006b ssl_cli.c:0922: |3| client hello, add ciphersuite: c00a ssl_cli.c:0922: |3| client hello, add ciphersuite: c014 ssl_cli.c:0922: |3| client hello, add ciphersuite: 0039 ssl_cli.c:0922: |3| client hello, add ciphersuite: c0af ssl_cli.c:0922: |3| client hello, add ciphersuite: c0a3 ssl_cli.c:0922: |3| client hello, add ciphersuite: c087 ssl_cli.c:0922: |3| client hello, add ciphersuite: c08b ssl_cli.c:0922: |3| client hello, add ciphersuite: c07d ssl_cli.c:0922: |3| client hello, add ciphersuite: c073 ssl_cli.c:0922: |3| 
client hello, add ciphersuite: c077 ssl_cli.c:0922: |3| client hello, add ciphersuite: 00c4 ssl_cli.c:0922: |3| client hello, add ciphersuite: 0088 ssl_cli.c:0922: |3| client hello, add ciphersuite: c02b ssl_cli.c:0922: |3| client hello, add ciphersuite: c02f ssl_cli.c:0922: |3| client hello, add ciphersuite: 009e ssl_cli.c:0922: |3| client hello, add ciphersuite: c0ac ssl_cli.c:0922: |3| client hello, add ciphersuite: c09e ssl_cli.c:0922: |3| client hello, add ciphersuite: c023 ssl_cli.c:0922: |3| client hello, add ciphersuite: c027 ssl_cli.c:0922: |3| client hello, add ciphersuite: 0067 ssl_cli.c:0922: |3| client hello, add ciphersuite: c009 ssl_cli.c:0922: |3| client hello, add ciphersuite: c013 ssl_cli.c:0922: |3| client hello, add ciphersuite: 0033 ssl_cli.c:0922: |3| client hello, add ciphersuite: c0ae ssl_cli.c:0922: |3| client hello, add ciphersuite: c0a2 ssl_cli.c:0922: |3| client hello, add ciphersuite: c086 ssl_cli.c:0922: |3| client hello, add ciphersuite: c08a ssl_cli.c:0922: |3| client hello, add ciphersuite: c07c ssl_cli.c:0922: |3| client hello, add ciphersuite: c072 ssl_cli.c:0922: |3| client hello, add ciphersuite: c076 ssl_cli.c:0922: |3| client hello, add ciphersuite: 00be ssl_cli.c:0922: |3| client hello, add ciphersuite: 0045 ssl_cli.c:0922: |3| client hello, add ciphersuite: ccac ssl_cli.c:0922: |3| client hello, add ciphersuite: ccad ssl_cli.c:0922: |3| client hello, add ciphersuite: 00ab ssl_cli.c:0922: |3| client hello, add ciphersuite: c0a7 ssl_cli.c:0922: |3| client hello, add ciphersuite: c038 ssl_cli.c:0922: |3| client hello, add ciphersuite: 00b3 ssl_cli.c:0922: |3| client hello, add ciphersuite: c036 ssl_cli.c:0922: |3| client hello, add ciphersuite: 0091 ssl_cli.c:0922: |3| client hello, add ciphersuite: c091 ssl_cli.c:0922: |3| client hello, add ciphersuite: c09b ssl_cli.c:0922: |3| client hello, add ciphersuite: c097 ssl_cli.c:0922: |3| client hello, add ciphersuite: c0ab ssl_cli.c:0922: |3| client hello, add ciphersuite: 00aa 
ssl_cli.c:0922: |3| client hello, add ciphersuite: c0a6 ssl_cli.c:0922: |3| client hello, add ciphersuite: c037 ssl_cli.c:0922: |3| client hello, add ciphersuite: 00b2 ssl_cli.c:0922: |3| client hello, add ciphersuite: c035 ssl_cli.c:0922: |3| client hello, add ciphersuite: 0090 ssl_cli.c:0922: |3| client hello, add ciphersuite: c090 ssl_cli.c:0922: |3| client hello, add ciphersuite: c096 ssl_cli.c:0922: |3| client hello, add ciphersuite: c09a ssl_cli.c:0922: |3| client hello, add ciphersuite: c0aa ssl_cli.c:0922: |3| client hello, add ciphersuite: 009d ssl_cli.c:0922: |3| client hello, add ciphersuite: c09d ssl_cli.c:0922: |3| client hello, add ciphersuite: 003d ssl_cli.c:0922: |3| client hello, add ciphersuite: 0035 ssl_cli.c:0922: |3| client hello, add ciphersuite: c032 ssl_cli.c:0922: |3| client hello, add ciphersuite: c02a ssl_cli.c:0922: |3| client hello, add ciphersuite: c00f ssl_cli.c:0922: |3| client hello, add ciphersuite: c02e ssl_cli.c:0922: |3| client hello, add ciphersuite: c026 ssl_cli.c:0922: |3| client hello, add ciphersuite: c005 ssl_cli.c:0922: |3| client hello, add ciphersuite: c0a1 ssl_cli.c:0922: |3| client hello, add ciphersuite: c07b ssl_cli.c:0922: |3| client hello, add ciphersuite: 00c0 ssl_cli.c:0922: |3| client hello, add ciphersuite: 0084 ssl_cli.c:0922: |3| client hello, add ciphersuite: c08d ssl_cli.c:0922: |3| client hello, add ciphersuite: c079 ssl_cli.c:0922: |3| client hello, add ciphersuite: c089 ssl_cli.c:0922: |3| client hello, add ciphersuite: c075 ssl_cli.c:0922: |3| client hello, add ciphersuite: 009c ssl_cli.c:0922: |3| client hello, add ciphersuite: c09c ssl_cli.c:0922: |3| client hello, add ciphersuite: 003c ssl_cli.c:0922: |3| client hello, add ciphersuite: 002f ssl_cli.c:0922: |3| client hello, add ciphersuite: c031 ssl_cli.c:0922: |3| client hello, add ciphersuite: c029 ssl_cli.c:0922: |3| client hello, add ciphersuite: c00e ssl_cli.c:0922: |3| client hello, add ciphersuite: c02d ssl_cli.c:0922: |3| client hello, add 
ciphersuite: c025 ssl_cli.c:0922: |3| client hello, add ciphersuite: c004 ssl_cli.c:0922: |3| client hello, add ciphersuite: c0a0 ssl_cli.c:0922: |3| client hello, add ciphersuite: c07a ssl_cli.c:0922: |3| client hello, add ciphersuite: 00ba ssl_cli.c:0922: |3| client hello, add ciphersuite: 0041 ssl_cli.c:0922: |3| client hello, add ciphersuite: c08c ssl_cli.c:0922: |3| client hello, add ciphersuite: c078 ssl_cli.c:0922: |3| client hello, add ciphersuite: c088 ssl_cli.c:0922: |3| client hello, add ciphersuite: c074 ssl_cli.c:0922: |3| client hello, add ciphersuite: ccae ssl_cli.c:0922: |3| client hello, add ciphersuite: 00ad ssl_cli.c:0922: |3| client hello, add ciphersuite: 00b7 ssl_cli.c:0922: |3| client hello, add ciphersuite: 0095 ssl_cli.c:0922: |3| client hello, add ciphersuite: c093 ssl_cli.c:0922: |3| client hello, add ciphersuite: c099 ssl_cli.c:0922: |3| client hello, add ciphersuite: 00ac ssl_cli.c:0922: |3| client hello, add ciphersuite: 00b6 ssl_cli.c:0922: |3| client hello, add ciphersuite: 0094 ssl_cli.c:0922: |3| client hello, add ciphersuite: c092 ssl_cli.c:0922: |3| client hello, add ciphersuite: c098 ssl_cli.c:0922: |3| client hello, add ciphersuite: ccab ssl_cli.c:0922: |3| client hello, add ciphersuite: 00a9 ssl_cli.c:0922: |3| client hello, add ciphersuite: c0a5 ssl_cli.c:0922: |3| client hello, add ciphersuite: 00af ssl_cli.c:0922: |3| client hello, add ciphersuite: 008d ssl_cli.c:0922: |3| client hello, add ciphersuite: c08f ssl_cli.c:0922: |3| client hello, add ciphersuite: c095 ssl_cli.c:0922: |3| client hello, add ciphersuite: c0a9 ssl_cli.c:0922: |3| client hello, add ciphersuite: 00a8 ssl_cli.c:0922: |3| client hello, add ciphersuite: c0a4 ssl_cli.c:0922: |3| client hello, add ciphersuite: 00ae ssl_cli.c:0922: |3| client hello, add ciphersuite: 008c ssl_cli.c:0922: |3| client hello, add ciphersuite: c08e ssl_cli.c:0922: |3| client hello, add ciphersuite: c094 ssl_cli.c:0922: |3| client hello, add ciphersuite: c0a8 ssl_cli.c:0934: |3| 
client hello, got 127 ciphersuites (excluding SCSVs) ssl_cli.c:0943: |3| adding EMPTY_RENEGOTIATION_INFO_SCSV ssl_cli.c:0992: |3| client hello, compress len.: 1 ssl_cli.c:0994: |3| client hello, compress alg.: 0 ssl_cli.c:0069: |3| client hello, adding server name extension: a2g7twmqo7hg82-ats.iot.ap-south-1.amazonaws.com ssl_cli.c:0186: |3| client hello, adding signature_algorithms extension ssl_cli.c:0271: |3| client hello, adding supported_elliptic_curves extension ssl_cli.c:0336: |3| client hello, adding supported_point_formats extension ssl_cli.c:0518: |3| client hello, adding encrypt_then_mac extension ssl_cli.c:0552: |3| client hello, adding extended_master_secret extension ssl_cli.c:0630: |3| client hello, adding alpn extension ssl_cli.c:0585: |3| client hello, adding session ticket extension ssl_cli.c:1071: |3| client hello, total extension length: 149 ssl_tls.c:3184: |2| => write handshake message ssl_tls.c:3343: |2| => write record ssl_tls.c:3423: |3| output record: msgtype = 22, version = [3:1], msglen = 450 ssl_tls.c:3426: |4| dumping 'output record sent to network' (455 bytes) ssl_tls.c:3426: |4| 0000: 16 03 01 01 c2 01 00 01 be 03 03 5e f0 f6 98 29 ...........^...) ssl_tls.c:3426: |4| 0010: fa 68 93 fa 73 1e 9c 47 45 ed 0e d8 25 ab 20 a4 .h..s..GE...%. . ssl_tls.c:3426: |4| 0020: d2 54 06 21 8c e9 42 e4 54 a1 f8 00 01 00 cc a8 .T.!..B.T....... ssl_tls.c:3426: |4| 0030: cc a9 cc aa c0 2c c0 30 00 9f c0 ad c0 9f c0 24 .....,.0.......$ ssl_tls.c:3426: |4| 0040: c0 28 00 6b c0 0a c0 14 00 39 c0 af c0 a3 c0 87 .(.k.....9...... ssl_tls.c:3426: |4| 0050: c0 8b c0 7d c0 73 c0 77 00 c4 00 88 c0 2b c0 2f ...}.s.w.....+./ ssl_tls.c:3426: |4| 0060: 00 9e c0 ac c0 9e c0 23 c0 27 00 67 c0 09 c0 13 .......#.'.g.... ssl_tls.c:3426: |4| 0070: 00 33 c0 ae c0 a2 c0 86 c0 8a c0 7c c0 72 c0 76 .3.........|.r.v ssl_tls.c:3426: |4| 0080: 00 be 00 45 cc ac cc ad 00 ab c0 a7 c0 38 00 b3 ...E.........8.. 
ssl_tls.c:3426: |4| 0090: c0 36 00 91 c0 91 c0 9b c0 97 c0 ab 00 aa c0 a6 .6.............. ssl_tls.c:3426: |4| 00a0: c0 37 00 b2 c0 35 00 90 c0 90 c0 96 c0 9a c0 aa .7...5.......... ssl_tls.c:3426: |4| 00b0: 00 9d c0 9d 00 3d 00 35 c0 32 c0 2a c0 0f c0 2e .....=.5.2.*.... ssl_tls.c:3426: |4| 00c0: c0 26 c0 05 c0 a1 c0 7b 00 c0 00 84 c0 8d c0 79 .&.....{.......y ssl_tls.c:3426: |4| 00d0: c0 89 c0 75 00 9c c0 9c 00 3c 00 2f c0 31 c0 29 ...u.....<./.1.) ssl_tls.c:3426: |4| 00e0: c0 0e c0 2d c0 25 c0 04 c0 a0 c0 7a 00 ba 00 41 ...-.%.....z...A ssl_tls.c:3426: |4| 00f0: c0 8c c0 78 c0 88 c0 74 cc ae 00 ad 00 b7 00 95 ...x...t........ ssl_tls.c:3426: |4| 0100: c0 93 c0 99 00 ac 00 b6 00 94 c0 92 c0 98 cc ab ................ ssl_tls.c:3426: |4| 0110: 00 a9 c0 a5 00 af 00 8d c0 8f c0 95 c0 a9 00 a8 ................ ssl_tls.c:3426: |4| 0120: c0 a4 00 ae 00 8c c0 8e c0 94 c0 a8 00 ff 01 00 ................ ssl_tls.c:3426: |4| 0130: 00 95 00 00 00 34 00 32 00 00 2f 61 32 67 37 74 .....4.2../a2g7t ssl_tls.c:3426: |4| 0140: 77 6d 71 6f 37 68 67 38 32 2d 61 74 73 2e 69 6f wmqo7hg82-ats.io ssl_tls.c:3426: |4| 0150: 74 2e 61 70 2d 73 6f 75 74 68 2d 31 2e 61 6d 61 t.ap-south-1.ama ssl_tls.c:3426: |4| 0160: 7a 6f 6e 61 77 73 2e 63 6f 6d 00 0d 00 16 00 14 zonaws.com...... ssl_tls.c:3426: |4| 0170: 06 03 06 01 05 03 05 01 04 03 04 01 03 03 03 01 ................ ssl_tls.c:3426: |4| 0180: 02 03 02 01 00 0a 00 18 00 16 00 19 00 1c 00 18 ................ ssl_tls.c:3426: |4| 0190: 00 1b 00 17 00 16 00 1a 00 15 00 14 00 13 00 12 ................ ssl_tls.c:3426: |4| 01a0: 00 0b 00 02 01 00 00 16 00 00 00 17 00 00 00 10 ................ ssl_tls.c:3426: |4| 01b0: 00 11 00 0f 0e 78 2d 61 6d 7a 6e 2d 6d 71 74 74 .....x-amzn-mqtt ssl_tls.c:3426: |4| 01c0: 2d 63 61 00 23 00 00 -ca.#.. 
ssl_tls.c:2755: |2| => flush output ssl_tls.c:2774: |2| message length: 455, out_left: 455 ssl_tls.c:2779: |2| ssl->f_send() returned 455 (-0xfffffe39) ssl_tls.c:2807: |2| <= flush output ssl_tls.c:3476: |2| <= write record ssl_tls.c:3320: |2| <= write handshake message ssl_cli.c:1106: |2| <= write client hello ssl_cli.c:3510: |2| client state: 2 ssl_tls.c:2755: |2| => flush output ssl_tls.c:2767: |2| <= flush output ssl_cli.c:1499: |2| => parse server hello ssl_tls.c:4311: |2| => read record ssl_tls.c:2536: |2| => fetch input ssl_tls.c:2697: |2| in_left: 0, nb_want: 5 ssl_tls.c:2721: |2| in_left: 0, nb_want: 5 ssl_tls.c:2722: |2| ssl->f_recv(_timeout)() returned -80 (-0x0050) ssl_tls.c:4973: |1| mbedtls_ssl_fetch_input() returned -80 (-0x0050) ssl_tls.c:4344: |1| ssl_get_next_record() returned -80 (-0x0050) ssl_cli.c:1506: |1| mbedtls_ssl_read_record() returned -80 (-0x0050) ssl_tls.c:8094: |2| <= handshake ERROR: iot_tls_connect L#253 failed ! mbedtls_ssl_handshake returned -0x50

ssl_tls.c:8725: |2| => write close notify ssl_tls.c:8741: |2| <= write close notify ssl_tls.c:8934: |2| => free ssl_tls.c:8999: |2| <= free ERROR: main L#190 Error(-4) connecting to a2g7twmqo7hg82-ats.iot.ap-south-1.amazonaws.com:443

I am pretty sure that the server is rejecting the connection, but I am not able to find the reason.

Thanks in advance, Srinivas.

aggarg commented 4 years ago

I saw both the logs and it is still unclear why the behavior is different on the two platforms. We would need a packet capture to determine what is going on. Please collect packet captures on both platforms using Wireshark and share them.

Thanks.

shrinivasragolu commented 4 years ago

Hi Gaurav, as you suggested, I have collected Wireshark logs for both the success (Ubuntu) and failure (STM32MP157x-EV1) cases. Please find the attachments: failure-tshark-log.txt, success-tshark-Ubuntu.txt

aggarg commented 4 years ago

Thanks for the logs. I see that in the failure scenario, you get a TCP reset from AWS IoT:

    59 2.124065307   10.10.2.35 → 13.232.234.97 TLSv1 521 Client Hello
    60 2.125053268 13.232.234.97 → 10.10.2.35   TCP 60 443 → 34686 [RST, ACK] Seq=1 Ack=456 Win=58624 Len=0

While in the success scenario, you get a successful ACK:

    3125 4.777437410   10.10.0.39 → 13.235.32.24 TLSv1 269 Client Hello
    3156 4.801521695 13.235.32.24 → 10.10.0.39   TCP 66 443 → 51056 [ACK] Seq=1 Ack=204 Win=28160 Len=0 TSval=1903857644 TSecr=1705764575

Is there some firewall in between preventing this connection? Are these two clients (success and failure) on the same network?

It seems that you filtered some fields while getting the capture output using tshark. Can you get a complete pcap capture and share the pcap files (I think that is the default in tshark)?

Thanks.
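The triage above rests on one observation: what the server sends back immediately after the TLS Client Hello. A `[RST, ACK]` at that point means the TCP path (a firewall, a NAT box, the subnet's rules) is killing the connection before the TLS layer ever sees a Server Hello, so mbedTLS's `-0x0050` (`NET_CONN_RESET`) is a symptom, not the cause; an `[ACK]` or a Server Hello means the network path is fine and the problem, if any, is in certificates or cipher configuration. The example below, added here and not part of the thread or of the SDK, encodes that rule as a small classifier over tshark one-line summaries, using the four packet lines quoted in this comment as its sample input. The `classify_capture()`, `parse_endpoints()` and `capture_verdict` names are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of the first TLS Client Hello found in a tshark summary listing. */
enum capture_verdict {
    VERDICT_NO_CLIENT_HELLO, /* nothing to triage: the client never reached the TLS layer */
    VERDICT_RESET_BY_PEER,   /* RST straight after Client Hello: look at the network/firewall path */
    VERDICT_ACKED,           /* server ACKed the Client Hello: TCP path works, look at TLS config */
    VERDICT_NO_REPLY         /* Client Hello sent, nothing came back: timeout or one-way filtering */
};

static const char *verdict_name(enum capture_verdict v)
{
    switch (v) {
    case VERDICT_NO_CLIENT_HELLO: return "no Client Hello in capture";
    case VERDICT_RESET_BY_PEER:   return "TCP RST after Client Hello (reset by peer)";
    case VERDICT_ACKED:           return "Client Hello acknowledged";
    case VERDICT_NO_REPLY:        return "no reply to Client Hello";
    }
    return "unknown";
}

/* Pull "<src> → <dst>" out of a tshark one-line summary. tshark prints the arrow as
 * U+2192; the first arrow on the line separates the IP addresses, a second one (if
 * present) separates the ports. Returns 0 when the line does not look like a packet. */
static int parse_endpoints(const char *line, char *src, size_t srcsz, char *dst, size_t dstsz)
{
    static const char arrow[] = "→";   /* U+2192, three bytes in UTF-8 */
    const char *mid = strstr(line, arrow);
    if (mid == NULL) {
        return 0;
    }
    /* Source address: the token immediately before the arrow. */
    const char *end = mid;
    while (end > line && end[-1] == ' ') end--;
    const char *start = end;
    while (start > line && start[-1] != ' ') start--;
    size_t len = (size_t)(end - start);
    if (len == 0 || len >= srcsz) return 0;
    memcpy(src, start, len);
    src[len] = '\0';
    /* Destination address: the token immediately after the arrow. */
    const char *p = mid + (sizeof arrow - 1);
    while (*p == ' ') p++;
    const char *q = p;
    while (*q != '\0' && *q != ' ') q++;
    len = (size_t)(q - p);
    if (len == 0 || len >= dstsz) return 0;
    memcpy(dst, p, len);
    dst[len] = '\0';
    return 1;
}

/* Find the first Client Hello, then inspect the first packet the server sends back. */
enum capture_verdict classify_capture(const char *const *lines, size_t nlines)
{
    char hello_src[64] = "", hello_dst[64] = "";
    int seen_hello = 0;

    for (size_t i = 0; i < nlines; i++) {
        char src[64], dst[64];
        if (!parse_endpoints(lines[i], src, sizeof src, dst, sizeof dst)) continue;

        if (!seen_hello) {
            if (strstr(lines[i], "Client Hello") != NULL) {
                seen_hello = 1;
                strcpy(hello_src, src);
                strcpy(hello_dst, dst);
            }
            continue;
        }
        /* Only the server's reply to our client matters; skip retransmissions and other flows. */
        if (strcmp(src, hello_dst) != 0 || strcmp(dst, hello_src) != 0) continue;
        if (strstr(lines[i], "[RST") != NULL) return VERDICT_RESET_BY_PEER;
        if (strstr(lines[i], "[ACK]") != NULL || strstr(lines[i], "Server Hello") != NULL) {
            return VERDICT_ACKED;
        }
    }
    return seen_hello ? VERDICT_NO_REPLY : VERDICT_NO_CLIENT_HELLO;
}

/* Sample input: the tshark lines quoted in the thread, used here as constructed test data. */
static const char *const FAILURE_CAPTURE[] = {
    "   59 2.124065307   10.10.2.35 → 13.232.234.97 TLSv1 521 Client Hello",
    "   60 2.125053268 13.232.234.97 → 10.10.2.35   TCP 60 443 → 34686 [RST, ACK] Seq=1 Ack=456 Win=58624 Len=0",
};
static const char *const SUCCESS_CAPTURE[] = {
    " 3125 4.777437410   10.10.0.39 → 13.235.32.24 TLSv1 269 Client Hello",
    " 3156 4.801521695 13.235.32.24 → 10.10.0.39   TCP 66 443 → 51056 [ACK] Seq=1 Ack=204 Win=28160 Len=0 TSval=1903857644 TSecr=1705764575",
};

int main(void)
{
    printf("STM32MP1 capture: %s\n", verdict_name(classify_capture(
        FAILURE_CAPTURE, sizeof FAILURE_CAPTURE / sizeof FAILURE_CAPTURE[0])));
    printf("Ubuntu capture:   %s\n", verdict_name(classify_capture(
        SUCCESS_CAPTURE, sizeof SUCCESS_CAPTURE / sizeof SUCCESS_CAPTURE[0])));
    return 0;
}
```

Feed it the output of `tshark -r capture.pcap` line by line and the verdict tells you which layer to investigate next; a reset by peer here is exactly what a subnet without the right firewall rules produces, and no amount of certificate or timeout tuning on the device will change it.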

shrinivasragolu commented 4 years ago

Hip hip hooray! I could fix the issue. Thanks a lot, man.

It's a firewall rules issue.

In the Ubuntu 18.04 case, I am using the IP 10.10.0.39. In the failure case, I am using the static IP 10.10.2.35, which is on another subnet that does not have proper firewall rules. Now, after changing the IP address to the same subnet as Ubuntu, with IP 10.10.0.99, it is working like a charm.

Thank you again and again, Gaurav. I learnt so many concepts in this journey. Meet you again.

Thanks, Srinivas.

aggarg commented 4 years ago

Glad that it worked for you.

Thanks.