eclipse / paho.mqtt.c

An Eclipse Paho C client library for MQTT for Windows, Linux and MacOS. API documentation: https://eclipse.github.io/paho.mqtt.c/
https://eclipse.org/paho

Samples: connect with TLS if TLS options used #797

Open xhpohanka opened 4 years ago

xhpohanka commented 4 years ago

I'm not able to connect to the AWS IoT broker using the Paho C library. I was able to connect using Python Paho and mosquitto, but using C/C++ everything is failing. I think the issue is somewhere in SSL, but I cannot find the exact solution.

Example using mosquitto:

$ mosquitto_pub -h xxxxxxxxxxx-ats.iot.eu-central-1.amazonaws.com -p 8883 -q 0 -m "xxx" -t "test/ddd" --cert deviceCert.pem --key deviceCert.key -i test --capath /etc/ssl/certs -d
Client test sending CONNECT
Client test received CONNACK (0)
Client test sending PUBLISH (d0, q0, r0, m1, 'test/ddd', ... (3 bytes))
Client test sending DISCONNECT

The same using paho_cs_pub sample application:

$ paho_cs_pub -h xxxxxxxxxxx-ats.iot.eu-central-1.amazonaws.com -p 8883 -q 0 -m "xxx" -t "test/ddd" --cert deviceCert.pem --key deviceCert.key -i test --capath /etc/ssl/certs --trace protocol
Trace : 3, =========================================================
Trace : 3,                    Trace Output
Trace : 3, Product name: Eclipse Paho Synchronous MQTT C Client Library
Trace : 3, Version: 1.3.1
Trace : 3, Build level: Po led 13 13:37:19 CET 2020
Trace : 3, OpenSSL version: OpenSSL 1.1.1d  10 Sep 2019
Trace : 3, OpenSSL flags: compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -Wa,--noexecstack -D_FORTIFY_SOURCE=2 -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_N
Trace : 3, OpenSSL build timestamp: built on: Wed Nov 13 16:09:29 2019 UTC
Trace : 3, OpenSSL platform: platform: linux-x86_64
Trace : 3, OpenSSL directory: OPENSSLDIR: "/etc/ssl"
Trace : 3, /proc/version: Linux version 5.4.10-arch1-1 (linux@archlinux) (gcc version 9.2.0 (GCC)) #1 SMP PREEMPT Thu, 09 Jan 2020 10:14:29 +0000

Trace : 3, =========================================================
Trace : 4, 20200116 105156.463 3 test -> CONNECT version 4 clean: 1 (0)
Trace : 5, 20200116 105156.492 waitfor unexpectedly is NULL for client test, packet_type 2, timeout 28846
Trace : 4, 20200116 105156.514 4 test -> CONNECT version 3 clean: 1 (0)
Trace : 5, 20200116 105156.535 waitfor unexpectedly is NULL for client test, packet_type 2, timeout 28803
Connect failed return code: Failure

I also think that I should be able to connect without providing the full device certificate chain, just using the device certificate itself, but that is probably not true with mosquitto. I'm not sure about paho.c. What is the status here, please?

Update: I tested it on both current master and v1.3.1 with the same result.

xhpohanka commented 4 years ago

OK, probably my fault. Surprisingly, it works using the -c option, like this:

$ paho_cs_pub -c ssl://xxxxxxxxxxx-ats.iot.eu-central-1.amazonaws.com:8883 -q 0 -m "xxx" -t "test/ddd" --cert deviceCert.pem --key deviceCert.key -i test  --trace protocol

Now I just need to find out how to do that in the same way using the C API.

fpagliughi commented 4 years ago

Ah, the beauty of open source... just look at the code. https://github.com/eclipse/paho.mqtt.c/blob/fbf9828200f46e212189d98eaedf8e11281e409a/src/samples/paho_cs_pub.c#L84-L98

xhpohanka commented 4 years ago

I'm still a bit lost :(

This is the test on my PC (working fine):

$ paho_cs_pub -c ssl://xxxxxxxxxxx-ats.iot.eu-central-1.amazonaws.com:8883 -q 0 -m "xxx" -t "test/ddd" --cert ../7de4ae97ae-certificate.pem.crt --key ../7de4ae97ae-private.pem.key -i test  --trace protocol
Trace : 3, =========================================================
Trace : 3,                    Trace Output
Trace : 3, Product name: Eclipse Paho Synchronous MQTT C Client Library
Trace : 3, Version: 1.3.1
Trace : 3, Build level: Po led 13 13:37:19 CET 2020
Trace : 3, OpenSSL version: OpenSSL 1.1.1d  10 Sep 2019
Trace : 3, OpenSSL flags: compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -Wa,--noexecstack -D_FORTIFY_SOURCE=2 -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_N
Trace : 3, OpenSSL build timestamp: built on: Wed Nov 13 16:09:29 2019 UTC
Trace : 3, OpenSSL platform: platform: linux-x86_64
Trace : 3, OpenSSL directory: OPENSSLDIR: "/etc/ssl"
Trace : 3, /proc/version: Linux version 5.4.10-arch1-1 (linux@archlinux) (gcc version 9.2.0 (GCC)) #1 SMP PREEMPT Thu, 09 Jan 2020 10:14:29 +0000

Trace : 3, =========================================================
Trace : 4, 20200116 150508.896 SSL cipher available: 0:TLS_AES_256_GCM_SHA384
Trace : 4, 20200116 150508.896 SSL cipher available: 1:TLS_CHACHA20_POLY1305_SHA256
Trace : 4, 20200116 150508.896 SSL cipher available: 2:TLS_AES_128_GCM_SHA256
Trace : 4, 20200116 150508.896 SSL cipher available: 3:ECDHE-ECDSA-AES256-GCM-SHA384
Trace : 4, 20200116 150508.912 SSL cipher available: 4:ECDHE-RSA-AES256-GCM-SHA384
Trace : 4, 20200116 150508.912 SSL cipher available: 5:DHE-RSA-AES256-GCM-SHA384
Trace : 4, 20200116 150508.912 SSL cipher available: 6:ECDHE-ECDSA-CHACHA20-POLY1305
Trace : 4, 20200116 150508.912 SSL cipher available: 7:ECDHE-RSA-CHACHA20-POLY1305
Trace : 4, 20200116 150508.912 SSL cipher available: 8:DHE-RSA-CHACHA20-POLY1305
Trace : 4, 20200116 150508.912 SSL cipher available: 9:ECDHE-ECDSA-AES128-GCM-SHA256
Trace : 4, 20200116 150508.912 SSL cipher available: 10:ECDHE-RSA-AES128-GCM-SHA256
Trace : 4, 20200116 150508.912 SSL cipher available: 11:DHE-RSA-AES128-GCM-SHA256
Trace : 4, 20200116 150508.912 SSL cipher available: 12:ECDHE-ECDSA-AES256-SHA384
Trace : 4, 20200116 150508.912 SSL cipher available: 13:ECDHE-RSA-AES256-SHA384
Trace : 4, 20200116 150508.912 SSL cipher available: 14:DHE-RSA-AES256-SHA256
Trace : 4, 20200116 150508.912 SSL cipher available: 15:ECDHE-ECDSA-AES128-SHA256
Trace : 4, 20200116 150508.912 SSL cipher available: 16:ECDHE-RSA-AES128-SHA256
Trace : 4, 20200116 150508.912 SSL cipher available: 17:DHE-RSA-AES128-SHA256
Trace : 4, 20200116 150508.912 SSL cipher available: 18:ECDHE-ECDSA-AES256-SHA
Trace : 4, 20200116 150508.912 SSL cipher available: 19:ECDHE-RSA-AES256-SHA
Trace : 4, 20200116 150508.912 SSL cipher available: 20:DHE-RSA-AES256-SHA
Trace : 4, 20200116 150508.912 SSL cipher available: 21:ECDHE-ECDSA-AES128-SHA
Trace : 4, 20200116 150508.912 SSL cipher available: 22:ECDHE-RSA-AES128-SHA
Trace : 4, 20200116 150508.912 SSL cipher available: 23:DHE-RSA-AES128-SHA
Trace : 4, 20200116 150508.912 SSL cipher available: 24:RSA-PSK-AES256-GCM-SHA384
Trace : 4, 20200116 150508.912 SSL cipher available: 25:DHE-PSK-AES256-GCM-SHA384
Trace : 4, 20200116 150508.912 SSL cipher available: 26:RSA-PSK-CHACHA20-POLY1305
Trace : 4, 20200116 150508.912 SSL cipher available: 27:DHE-PSK-CHACHA20-POLY1305
Trace : 4, 20200116 150508.912 SSL cipher available: 28:ECDHE-PSK-CHACHA20-POLY1305
Trace : 4, 20200116 150508.912 SSL cipher available: 29:AES256-GCM-SHA384
Trace : 4, 20200116 150508.912 SSL cipher available: 30:PSK-AES256-GCM-SHA384
Trace : 4, 20200116 150508.912 SSL cipher available: 31:PSK-CHACHA20-POLY1305
Trace : 4, 20200116 150508.912 SSL cipher available: 32:RSA-PSK-AES128-GCM-SHA256
Trace : 4, 20200116 150508.912 SSL cipher available: 33:DHE-PSK-AES128-GCM-SHA256
Trace : 4, 20200116 150508.912 SSL cipher available: 34:AES128-GCM-SHA256
Trace : 4, 20200116 150508.912 SSL cipher available: 35:PSK-AES128-GCM-SHA256
Trace : 4, 20200116 150508.912 SSL cipher available: 36:AES256-SHA256
Trace : 4, 20200116 150508.912 SSL cipher available: 37:AES128-SHA256
Trace : 4, 20200116 150508.912 SSL cipher available: 38:ECDHE-PSK-AES256-CBC-SHA384
Trace : 4, 20200116 150508.912 SSL cipher available: 39:ECDHE-PSK-AES256-CBC-SHA
Trace : 4, 20200116 150508.912 SSL cipher available: 40:SRP-RSA-AES-256-CBC-SHA
Trace : 4, 20200116 150508.912 SSL cipher available: 41:SRP-AES-256-CBC-SHA
Trace : 4, 20200116 150508.912 SSL cipher available: 42:RSA-PSK-AES256-CBC-SHA384
Trace : 4, 20200116 150508.912 SSL cipher available: 43:DHE-PSK-AES256-CBC-SHA384
Trace : 4, 20200116 150508.912 SSL cipher available: 44:RSA-PSK-AES256-CBC-SHA
Trace : 4, 20200116 150508.912 SSL cipher available: 45:DHE-PSK-AES256-CBC-SHA
Trace : 4, 20200116 150508.912 SSL cipher available: 46:AES256-SHA
Trace : 4, 20200116 150508.912 SSL cipher available: 47:PSK-AES256-CBC-SHA384
Trace : 4, 20200116 150508.912 SSL cipher available: 48:PSK-AES256-CBC-SHA
Trace : 4, 20200116 150508.912 SSL cipher available: 49:ECDHE-PSK-AES128-CBC-SHA256
Trace : 4, 20200116 150508.912 SSL cipher available: 50:ECDHE-PSK-AES128-CBC-SHA
Trace : 4, 20200116 150508.912 SSL cipher available: 51:SRP-RSA-AES-128-CBC-SHA
Trace : 4, 20200116 150508.912 SSL cipher available: 52:SRP-AES-128-CBC-SHA
Trace : 4, 20200116 150508.912 SSL cipher available: 53:RSA-PSK-AES128-CBC-SHA256
Trace : 4, 20200116 150508.912 SSL cipher available: 54:DHE-PSK-AES128-CBC-SHA256
Trace : 4, 20200116 150508.912 SSL cipher available: 55:RSA-PSK-AES128-CBC-SHA
Trace : 4, 20200116 150508.912 SSL cipher available: 56:DHE-PSK-AES128-CBC-SHA
Trace : 4, 20200116 150508.912 SSL cipher available: 57:AES128-SHA
Trace : 4, 20200116 150508.912 SSL cipher available: 58:PSK-AES128-CBC-SHA256
Trace : 4, 20200116 150508.912 SSL cipher available: 59:PSK-AES128-CBC-SHA
Trace : 4, 20200116 150508.912 SSL handshake started write:unknown:unknown
Trace : 4, 20200116 150508.912 SSL state connect:before SSL initialization:(NONE)
Trace : 4, 20200116 150508.912 SSL state connect:SSLv3/TLS write client hello:(NONE)
Trace : 4, 20200116 150508.912 SSL connect:SSLv3/TLS write client hello
Trace : 4, 20200116 150508.927 SSL connect:SSLv3/TLS write client hello
Trace : 4, 20200116 150508.928 SSL connect:SSLv3/TLS write client hello
Trace : 4, 20200116 150508.928 SSL connect:SSLv3/TLS write client hello
Trace : 4, 20200116 150508.928 SSL state connect:SSLv3/TLS write client hello:(NONE)
Trace : 4, 20200116 150508.928 SSL state connect:SSLv3/TLS read server hello:(NONE)
Trace : 4, 20200116 150508.928 SSL state connect:SSLv3/TLS read server certificate:(NONE)
Trace : 4, 20200116 150508.928 SSL state connect:SSLv3/TLS read server key exchange:(NONE)
Trace : 4, 20200116 150508.928 SSL state connect:SSLv3/TLS read server certificate request:(NONE)
Trace : 4, 20200116 150508.928 SSL state connect:SSLv3/TLS read server done:(NONE)
Trace : 4, 20200116 150508.928 SSL state connect:SSLv3/TLS write client certificate:(NONE)
Trace : 4, 20200116 150508.928 SSL state connect:SSLv3/TLS write client key exchange:(NONE)
Trace : 4, 20200116 150508.928 SSL state connect:SSLv3/TLS write certificate verify:(NONE)
Trace : 4, 20200116 150508.930 SSL state connect:SSLv3/TLS write change cipher spec:ECDHE-RSA-AES128-GCM-SHA256
Trace : 4, 20200116 150508.930 SSL state connect:SSLv3/TLS write finished:ECDHE-RSA-AES128-GCM-SHA256
Trace : 4, 20200116 150508.930 SSL connect:SSLv3/TLS write finished
Trace : 4, 20200116 150508.944 SSL state connect:SSLv3/TLS write finished:ECDHE-RSA-AES128-GCM-SHA256
Trace : 4, 20200116 150508.944 SSL state connect:SSLv3/TLS read change cipher spec:ECDHE-RSA-AES128-GCM-SHA256
Trace : 4, 20200116 150508.944 SSL state connect:SSLv3/TLS read finished:ECDHE-RSA-AES128-GCM-SHA256
Trace : 4, 20200116 150508.944 SSL handshake done write:unknown:unknown
Trace : 4, 20200116 150508.944 SSL certificate verification: X509_V_OK
Trace : 4, 20200116 150508.944 SSL connect:SSL negotiation finished successfully
Trace : 4, 20200116 150508.944 peername from X509_check_host is *.iot.eu-central-1.amazonaws.com
Trace : 4, 20200116 150508.944 3 test -> CONNECT version 4 clean: 1 (0)
Trace : 4, 20200116 150509.013 3 test <- CONNACK rc: 0
Trace : 4, 20200116 150509.014 3 test -> PUBLISH qos: 0 retained: 0 (0)
Trace : 4, 20200116 150509.014 3 test -> DISCONNECT (0)
Trace : 4, 20200116 150509.014 SSL alert write:warning:close notify

This is the same test on my embedded box, which is now failing. The obvious difference is the (significantly) older OpenSSL, but is it really a problem? I'm suspicious about the TLS version, but I'm not sure how to force TLSv1.2 or check that it is really used. openssl s_client ... can connect to AWS without complaints.

paho_cs_pub -c ssl://xxxxxxxxxxx-ats.iot.eu-central-1.amazonaws.com:8883 -q 0 -m "xxx" -t "test/ddd" --cert 7de4ae97ae-certificate.pem.crt   --key 7de4ae97ae-private.pem.key  -i test  --trace protocol --insecure 
Trace : 3, =========================================================
Trace : 3,                    Trace Output
Trace : 3, Product name: Eclipse Paho Synchronous MQTT C Client Library
Trace : 3, Version: 1.3.1
Trace : 3, Build level: 2020-01-16T13:12:02Z
Trace : 3, OpenSSL version: OpenSSL 1.0.2e 3 Dec 2015
Trace : 3, OpenSSL flags: compiler: /home/honza/dev/hpd2/buildroot/output/host/usr/bin/arm-linux-gnueabihf-gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64  -Os  -Wall -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM
Trace : 3, OpenSSL build timestamp: built on: reproducible build, date unspecified
Trace : 3, OpenSSL platform: platform: linux-armv4
Trace : 3, OpenSSL directory: OPENSSLDIR: "/etc/ssl"
Trace : 3, /proc/version: Linux version 4.4.0-xilinx+ (honza@jules-w) (gcc version 7.1.0 (Arch Repository) ) #1 SMP PREEMPT Thu Aug 31 09:03:10 CEST 2017

Trace : 3, =========================================================
Trace : 4, 20200116 140420.767 SSL cipher available: 0:ECDHE-RSA-AES256-GCM-SHA384
Trace : 4, 20200116 140420.767 SSL cipher available: 1:ECDHE-ECDSA-AES256-GCM-SHA384
Trace : 4, 20200116 140420.767 SSL cipher available: 2:ECDHE-RSA-AES256-SHA384
Trace : 4, 20200116 140420.767 SSL cipher available: 3:ECDHE-ECDSA-AES256-SHA384
Trace : 4, 20200116 140420.780 SSL cipher available: 4:ECDHE-RSA-AES256-SHA
Trace : 4, 20200116 140420.780 SSL cipher available: 5:ECDHE-ECDSA-AES256-SHA
Trace : 4, 20200116 140420.780 SSL cipher available: 6:SRP-DSS-AES-256-CBC-SHA
Trace : 4, 20200116 140420.780 SSL cipher available: 7:SRP-RSA-AES-256-CBC-SHA
Trace : 4, 20200116 140420.780 SSL cipher available: 8:SRP-AES-256-CBC-SHA
Trace : 4, 20200116 140420.780 SSL cipher available: 9:DH-DSS-AES256-GCM-SHA384
Trace : 4, 20200116 140420.780 SSL cipher available: 10:DHE-DSS-AES256-GCM-SHA384
Trace : 4, 20200116 140420.780 SSL cipher available: 11:DH-RSA-AES256-GCM-SHA384
Trace : 4, 20200116 140420.780 SSL cipher available: 12:DHE-RSA-AES256-GCM-SHA384
Trace : 4, 20200116 140420.780 SSL cipher available: 13:DHE-RSA-AES256-SHA256
Trace : 4, 20200116 140420.780 SSL cipher available: 14:DHE-DSS-AES256-SHA256
Trace : 4, 20200116 140420.780 SSL cipher available: 15:DH-RSA-AES256-SHA256
Trace : 4, 20200116 140420.780 SSL cipher available: 16:DH-DSS-AES256-SHA256
Trace : 4, 20200116 140420.780 SSL cipher available: 17:DHE-RSA-AES256-SHA
Trace : 4, 20200116 140420.780 SSL cipher available: 18:DHE-DSS-AES256-SHA
Trace : 4, 20200116 140420.780 SSL cipher available: 19:DH-RSA-AES256-SHA
Trace : 4, 20200116 140420.780 SSL cipher available: 20:DH-DSS-AES256-SHA
Trace : 4, 20200116 140420.780 SSL cipher available: 21:DHE-RSA-CAMELLIA256-SHA
Trace : 4, 20200116 140420.780 SSL cipher available: 22:DHE-DSS-CAMELLIA256-SHA
Trace : 4, 20200116 140420.780 SSL cipher available: 23:DH-RSA-CAMELLIA256-SHA
Trace : 4, 20200116 140420.782 SSL cipher available: 24:DH-DSS-CAMELLIA256-SHA
Trace : 4, 20200116 140420.782 SSL cipher available: 25:ECDH-RSA-AES256-GCM-SHA384
Trace : 4, 20200116 140420.782 SSL cipher available: 26:ECDH-ECDSA-AES256-GCM-SHA384
Trace : 4, 20200116 140420.782 SSL cipher available: 27:ECDH-RSA-AES256-SHA384
Trace : 4, 20200116 140420.782 SSL cipher available: 28:ECDH-ECDSA-AES256-SHA384
Trace : 4, 20200116 140420.782 SSL cipher available: 29:ECDH-RSA-AES256-SHA
Trace : 4, 20200116 140420.782 SSL cipher available: 30:ECDH-ECDSA-AES256-SHA
Trace : 4, 20200116 140420.782 SSL cipher available: 31:AES256-GCM-SHA384
Trace : 4, 20200116 140420.782 SSL cipher available: 32:AES256-SHA256
Trace : 4, 20200116 140420.782 SSL cipher available: 33:AES256-SHA
Trace : 4, 20200116 140420.782 SSL cipher available: 34:CAMELLIA256-SHA
Trace : 4, 20200116 140420.782 SSL cipher available: 35:PSK-AES256-CBC-SHA
Trace : 4, 20200116 140420.782 SSL cipher available: 36:ECDHE-RSA-AES128-GCM-SHA256
Trace : 4, 20200116 140420.782 SSL cipher available: 37:ECDHE-ECDSA-AES128-GCM-SHA256
Trace : 4, 20200116 140420.782 SSL cipher available: 38:ECDHE-RSA-AES128-SHA256
Trace : 4, 20200116 140420.782 SSL cipher available: 39:ECDHE-ECDSA-AES128-SHA256
Trace : 4, 20200116 140420.782 SSL cipher available: 40:ECDHE-RSA-AES128-SHA
Trace : 4, 20200116 140420.782 SSL cipher available: 41:ECDHE-ECDSA-AES128-SHA
Trace : 4, 20200116 140420.782 SSL cipher available: 42:SRP-DSS-AES-128-CBC-SHA
Trace : 4, 20200116 140420.782 SSL cipher available: 43:SRP-RSA-AES-128-CBC-SHA
Trace : 4, 20200116 140420.783 SSL cipher available: 44:SRP-AES-128-CBC-SHA
Trace : 4, 20200116 140420.783 SSL cipher available: 45:DH-DSS-AES128-GCM-SHA256
Trace : 4, 20200116 140420.783 SSL cipher available: 46:DHE-DSS-AES128-GCM-SHA256
Trace : 4, 20200116 140420.783 SSL cipher available: 47:DH-RSA-AES128-GCM-SHA256
Trace : 4, 20200116 140420.783 SSL cipher available: 48:DHE-RSA-AES128-GCM-SHA256
Trace : 4, 20200116 140420.783 SSL cipher available: 49:DHE-RSA-AES128-SHA256
Trace : 4, 20200116 140420.783 SSL cipher available: 50:DHE-DSS-AES128-SHA256
Trace : 4, 20200116 140420.783 SSL cipher available: 51:DH-RSA-AES128-SHA256
Trace : 4, 20200116 140420.783 SSL cipher available: 52:DH-DSS-AES128-SHA256
Trace : 4, 20200116 140420.783 SSL cipher available: 53:DHE-RSA-AES128-SHA
Trace : 4, 20200116 140420.783 SSL cipher available: 54:DHE-DSS-AES128-SHA
Trace : 4, 20200116 140420.783 SSL cipher available: 55:DH-RSA-AES128-SHA
Trace : 4, 20200116 140420.783 SSL cipher available: 56:DH-DSS-AES128-SHA
Trace : 4, 20200116 140420.783 SSL cipher available: 57:DHE-RSA-SEED-SHA
Trace : 4, 20200116 140420.783 SSL cipher available: 58:DHE-DSS-SEED-SHA
Trace : 4, 20200116 140420.783 SSL cipher available: 59:DH-RSA-SEED-SHA
Trace : 4, 20200116 140420.783 SSL cipher available: 60:DH-DSS-SEED-SHA
Trace : 4, 20200116 140420.783 SSL cipher available: 61:DHE-RSA-CAMELLIA128-SHA
Trace : 4, 20200116 140420.783 SSL cipher available: 62:DHE-DSS-CAMELLIA128-SHA
Trace : 4, 20200116 140420.783 SSL cipher available: 63:DH-RSA-CAMELLIA128-SHA
Trace : 4, 20200116 140420.785 SSL cipher available: 64:DH-DSS-CAMELLIA128-SHA
Trace : 4, 20200116 140420.785 SSL cipher available: 65:ECDH-RSA-AES128-GCM-SHA256
Trace : 4, 20200116 140420.785 SSL cipher available: 66:ECDH-ECDSA-AES128-GCM-SHA256
Trace : 4, 20200116 140420.785 SSL cipher available: 67:ECDH-RSA-AES128-SHA256
Trace : 4, 20200116 140420.785 SSL cipher available: 68:ECDH-ECDSA-AES128-SHA256
Trace : 4, 20200116 140420.785 SSL cipher available: 69:ECDH-RSA-AES128-SHA
Trace : 4, 20200116 140420.785 SSL cipher available: 70:ECDH-ECDSA-AES128-SHA
Trace : 4, 20200116 140420.785 SSL cipher available: 71:AES128-GCM-SHA256
Trace : 4, 20200116 140420.785 SSL cipher available: 72:AES128-SHA256
Trace : 4, 20200116 140420.785 SSL cipher available: 73:AES128-SHA
Trace : 4, 20200116 140420.785 SSL cipher available: 74:SEED-SHA
Trace : 4, 20200116 140420.785 SSL cipher available: 75:CAMELLIA128-SHA
Trace : 4, 20200116 140420.785 SSL cipher available: 76:IDEA-CBC-SHA
Trace : 4, 20200116 140420.785 SSL cipher available: 77:PSK-AES128-CBC-SHA
Trace : 4, 20200116 140420.785 SSL cipher available: 78:ECDHE-RSA-RC4-SHA
Trace : 4, 20200116 140420.785 SSL cipher available: 79:ECDHE-ECDSA-RC4-SHA
Trace : 4, 20200116 140420.785 SSL cipher available: 80:ECDH-RSA-RC4-SHA
Trace : 4, 20200116 140420.785 SSL cipher available: 81:ECDH-ECDSA-RC4-SHA
Trace : 4, 20200116 140420.785 SSL cipher available: 82:RC4-SHA
Trace : 4, 20200116 140420.785 SSL cipher available: 83:RC4-MD5
Trace : 4, 20200116 140420.786 SSL cipher available: 84:PSK-RC4-SHA
Trace : 4, 20200116 140420.786 SSL cipher available: 85:ECDHE-RSA-DES-CBC3-SHA
Trace : 4, 20200116 140420.786 SSL cipher available: 86:ECDHE-ECDSA-DES-CBC3-SHA
Trace : 4, 20200116 140420.786 SSL cipher available: 87:SRP-DSS-3DES-EDE-CBC-SHA
Trace : 4, 20200116 140420.786 SSL cipher available: 88:SRP-RSA-3DES-EDE-CBC-SHA
Trace : 4, 20200116 140420.786 SSL cipher available: 89:SRP-3DES-EDE-CBC-SHA
Trace : 4, 20200116 140420.786 SSL cipher available: 90:EDH-RSA-DES-CBC3-SHA
Trace : 4, 20200116 140420.786 SSL cipher available: 91:EDH-DSS-DES-CBC3-SHA
Trace : 4, 20200116 140420.786 SSL cipher available: 92:DH-RSA-DES-CBC3-SHA
Trace : 4, 20200116 140420.786 SSL cipher available: 93:DH-DSS-DES-CBC3-SHA
Trace : 4, 20200116 140420.786 SSL cipher available: 94:ECDH-RSA-DES-CBC3-SHA
Trace : 4, 20200116 140420.786 SSL cipher available: 95:ECDH-ECDSA-DES-CBC3-SHA
Trace : 4, 20200116 140420.786 SSL cipher available: 96:DES-CBC3-SHA
Trace : 4, 20200116 140420.786 SSL cipher available: 97:PSK-3DES-EDE-CBC-SHA
Trace : 4, 20200116 140420.786 SSL cipher available: 98:EDH-RSA-DES-CBC-SHA
Trace : 4, 20200116 140420.786 SSL cipher available: 99:EDH-DSS-DES-CBC-SHA
Trace : 4, 20200116 140420.786 SSL cipher available: 100:DH-RSA-DES-CBC-SHA
Trace : 4, 20200116 140420.786 SSL cipher available: 101:DH-DSS-DES-CBC-SHA
Trace : 4, 20200116 140420.786 SSL cipher available: 102:DES-CBC-SHA
Trace : 4, 20200116 140420.788 SSL handshake started write:unknown:unknown
Trace : 4, 20200116 140420.788 SSL state connect:before/connect initialization:(NONE)
Trace : 4, 20200116 140420.788 SSL state connect:SSLv2/v3 write client hello A:(NONE)
Trace : 4, 20200116 140420.788 SSL connect:SSLv2/v3 read server hello A
Trace : 4, 20200116 140420.823 SSL state connect:SSLv3 read server hello A:(NONE)
Trace : 4, 20200116 140420.823 SSL alert write:fatal:unknown CA
Trace : 4, 20200116 140420.823 SSL connect:error
Trace : 4, 20200116 140420.823 SSL connect:error
Trace : 4, 20200116 140420.863 SSL cipher available: 0:ECDHE-RSA-AES256-GCM-SHA384
Trace : 4, 20200116 140420.863 SSL cipher available: 1:ECDHE-ECDSA-AES256-GCM-SHA384
Trace : 4, 20200116 140420.863 SSL cipher available: 2:ECDHE-RSA-AES256-SHA384
Trace : 4, 20200116 140420.863 SSL cipher available: 3:ECDHE-ECDSA-AES256-SHA384
Trace : 4, 20200116 140420.863 SSL cipher available: 4:ECDHE-RSA-AES256-SHA
Trace : 4, 20200116 140420.863 SSL cipher available: 5:ECDHE-ECDSA-AES256-SHA
Trace : 4, 20200116 140420.863 SSL cipher available: 6:SRP-DSS-AES-256-CBC-SHA
Trace : 4, 20200116 140420.863 SSL cipher available: 7:SRP-RSA-AES-256-CBC-SHA
Trace : 4, 20200116 140420.863 SSL cipher available: 8:SRP-AES-256-CBC-SHA
Trace : 4, 20200116 140420.863 SSL cipher available: 9:DH-DSS-AES256-GCM-SHA384
Trace : 4, 20200116 140420.863 SSL cipher available: 10:DHE-DSS-AES256-GCM-SHA384
Trace : 4, 20200116 140420.863 SSL cipher available: 11:DH-RSA-AES256-GCM-SHA384
Trace : 4, 20200116 140420.863 SSL cipher available: 12:DHE-RSA-AES256-GCM-SHA384
Trace : 4, 20200116 140420.863 SSL cipher available: 13:DHE-RSA-AES256-SHA256
Trace : 4, 20200116 140420.863 SSL cipher available: 14:DHE-DSS-AES256-SHA256
Trace : 4, 20200116 140420.863 SSL cipher available: 15:DH-RSA-AES256-SHA256
Trace : 4, 20200116 140420.863 SSL cipher available: 16:DH-DSS-AES256-SHA256
Trace : 4, 20200116 140420.863 SSL cipher available: 17:DHE-RSA-AES256-SHA
Trace : 4, 20200116 140420.863 SSL cipher available: 18:DHE-DSS-AES256-SHA
Trace : 4, 20200116 140420.864 SSL cipher available: 19:DH-RSA-AES256-SHA
Trace : 4, 20200116 140420.864 SSL cipher available: 20:DH-DSS-AES256-SHA
Trace : 4, 20200116 140420.864 SSL cipher available: 21:DHE-RSA-CAMELLIA256-SHA
Trace : 4, 20200116 140420.864 SSL cipher available: 22:DHE-DSS-CAMELLIA256-SHA
Trace : 4, 20200116 140420.864 SSL cipher available: 23:DH-RSA-CAMELLIA256-SHA
Trace : 4, 20200116 140420.864 SSL cipher available: 24:DH-DSS-CAMELLIA256-SHA
Trace : 4, 20200116 140420.864 SSL cipher available: 25:ECDH-RSA-AES256-GCM-SHA384
Trace : 4, 20200116 140420.864 SSL cipher available: 26:ECDH-ECDSA-AES256-GCM-SHA384
Trace : 4, 20200116 140420.864 SSL cipher available: 27:ECDH-RSA-AES256-SHA384
Trace : 4, 20200116 140420.864 SSL cipher available: 28:ECDH-ECDSA-AES256-SHA384
Trace : 4, 20200116 140420.864 SSL cipher available: 29:ECDH-RSA-AES256-SHA
Trace : 4, 20200116 140420.864 SSL cipher available: 30:ECDH-ECDSA-AES256-SHA
Trace : 4, 20200116 140420.864 SSL cipher available: 31:AES256-GCM-SHA384
Trace : 4, 20200116 140420.864 SSL cipher available: 32:AES256-SHA256
Trace : 4, 20200116 140420.864 SSL cipher available: 33:AES256-SHA
Trace : 4, 20200116 140420.864 SSL cipher available: 34:CAMELLIA256-SHA
Trace : 4, 20200116 140420.864 SSL cipher available: 35:PSK-AES256-CBC-SHA
Trace : 4, 20200116 140420.864 SSL cipher available: 36:ECDHE-RSA-AES128-GCM-SHA256
Trace : 4, 20200116 140420.864 SSL cipher available: 37:ECDHE-ECDSA-AES128-GCM-SHA256
Trace : 4, 20200116 140420.864 SSL cipher available: 38:ECDHE-RSA-AES128-SHA256
Trace : 4, 20200116 140420.865 SSL cipher available: 39:ECDHE-ECDSA-AES128-SHA256
Trace : 4, 20200116 140420.865 SSL cipher available: 40:ECDHE-RSA-AES128-SHA
Trace : 4, 20200116 140420.865 SSL cipher available: 41:ECDHE-ECDSA-AES128-SHA
Trace : 4, 20200116 140420.865 SSL cipher available: 42:SRP-DSS-AES-128-CBC-SHA
Trace : 4, 20200116 140420.865 SSL cipher available: 43:SRP-RSA-AES-128-CBC-SHA
Trace : 4, 20200116 140420.865 SSL cipher available: 44:SRP-AES-128-CBC-SHA
Trace : 4, 20200116 140420.865 SSL cipher available: 45:DH-DSS-AES128-GCM-SHA256
Trace : 4, 20200116 140420.865 SSL cipher available: 46:DHE-DSS-AES128-GCM-SHA256
Trace : 4, 20200116 140420.865 SSL cipher available: 47:DH-RSA-AES128-GCM-SHA256
Trace : 4, 20200116 140420.865 SSL cipher available: 48:DHE-RSA-AES128-GCM-SHA256
Trace : 4, 20200116 140420.865 SSL cipher available: 49:DHE-RSA-AES128-SHA256
Trace : 4, 20200116 140420.865 SSL cipher available: 50:DHE-DSS-AES128-SHA256
Trace : 4, 20200116 140420.865 SSL cipher available: 51:DH-RSA-AES128-SHA256
Trace : 4, 20200116 140420.865 SSL cipher available: 52:DH-DSS-AES128-SHA256
Trace : 4, 20200116 140420.865 SSL cipher available: 53:DHE-RSA-AES128-SHA
Trace : 4, 20200116 140420.865 SSL cipher available: 54:DHE-DSS-AES128-SHA
Trace : 4, 20200116 140420.865 SSL cipher available: 55:DH-RSA-AES128-SHA
Trace : 4, 20200116 140420.865 SSL cipher available: 56:DH-DSS-AES128-SHA
Trace : 4, 20200116 140420.865 SSL cipher available: 57:DHE-RSA-SEED-SHA
Trace : 4, 20200116 140420.865 SSL cipher available: 58:DHE-DSS-SEED-SHA
Trace : 4, 20200116 140420.866 SSL cipher available: 59:DH-RSA-SEED-SHA
Trace : 4, 20200116 140420.866 SSL cipher available: 60:DH-DSS-SEED-SHA
Trace : 4, 20200116 140420.866 SSL cipher available: 61:DHE-RSA-CAMELLIA128-SHA
Trace : 4, 20200116 140420.866 SSL cipher available: 62:DHE-DSS-CAMELLIA128-SHA
Trace : 4, 20200116 140420.866 SSL cipher available: 63:DH-RSA-CAMELLIA128-SHA
Trace : 4, 20200116 140420.866 SSL cipher available: 64:DH-DSS-CAMELLIA128-SHA
Trace : 4, 20200116 140420.866 SSL cipher available: 65:ECDH-RSA-AES128-GCM-SHA256
Trace : 4, 20200116 140420.866 SSL cipher available: 66:ECDH-ECDSA-AES128-GCM-SHA256
Trace : 4, 20200116 140420.866 SSL cipher available: 67:ECDH-RSA-AES128-SHA256
Trace : 4, 20200116 140420.866 SSL cipher available: 68:ECDH-ECDSA-AES128-SHA256
Trace : 4, 20200116 140420.866 SSL cipher available: 69:ECDH-RSA-AES128-SHA
Trace : 4, 20200116 140420.866 SSL cipher available: 70:ECDH-ECDSA-AES128-SHA
Trace : 4, 20200116 140420.866 SSL cipher available: 71:AES128-GCM-SHA256
Trace : 4, 20200116 140420.866 SSL cipher available: 72:AES128-SHA256
Trace : 4, 20200116 140420.866 SSL cipher available: 73:AES128-SHA
Trace : 4, 20200116 140420.866 SSL cipher available: 74:SEED-SHA
Trace : 4, 20200116 140420.866 SSL cipher available: 75:CAMELLIA128-SHA
Trace : 4, 20200116 140420.866 SSL cipher available: 76:IDEA-CBC-SHA
Trace : 4, 20200116 140420.866 SSL cipher available: 77:PSK-AES128-CBC-SHA
Trace : 4, 20200116 140420.866 SSL cipher available: 78:ECDHE-RSA-RC4-SHA
Trace : 4, 20200116 140420.867 SSL cipher available: 79:ECDHE-ECDSA-RC4-SHA
Trace : 4, 20200116 140420.867 SSL cipher available: 80:ECDH-RSA-RC4-SHA
Trace : 4, 20200116 140420.867 SSL cipher available: 81:ECDH-ECDSA-RC4-SHA
Trace : 4, 20200116 140420.867 SSL cipher available: 82:RC4-SHA
Trace : 4, 20200116 140420.867 SSL cipher available: 83:RC4-MD5
Trace : 4, 20200116 140420.867 SSL cipher available: 84:PSK-RC4-SHA
Trace : 4, 20200116 140420.867 SSL cipher available: 85:ECDHE-RSA-DES-CBC3-SHA
Trace : 4, 20200116 140420.867 SSL cipher available: 86:ECDHE-ECDSA-DES-CBC3-SHA
Trace : 4, 20200116 140420.867 SSL cipher available: 87:SRP-DSS-3DES-EDE-CBC-SHA
Trace : 4, 20200116 140420.867 SSL cipher available: 88:SRP-RSA-3DES-EDE-CBC-SHA
Trace : 4, 20200116 140420.867 SSL cipher available: 89:SRP-3DES-EDE-CBC-SHA
Trace : 4, 20200116 140420.867 SSL cipher available: 90:EDH-RSA-DES-CBC3-SHA
Trace : 4, 20200116 140420.867 SSL cipher available: 91:EDH-DSS-DES-CBC3-SHA
Trace : 4, 20200116 140420.867 SSL cipher available: 92:DH-RSA-DES-CBC3-SHA
Trace : 4, 20200116 140420.867 SSL cipher available: 93:DH-DSS-DES-CBC3-SHA
Trace : 4, 20200116 140420.867 SSL cipher available: 94:ECDH-RSA-DES-CBC3-SHA
Trace : 4, 20200116 140420.867 SSL cipher available: 95:ECDH-ECDSA-DES-CBC3-SHA
Trace : 4, 20200116 140420.867 SSL cipher available: 96:DES-CBC3-SHA
Trace : 4, 20200116 140420.867 SSL cipher available: 97:PSK-3DES-EDE-CBC-SHA
Trace : 4, 20200116 140420.867 SSL cipher available: 98:EDH-RSA-DES-CBC-SHA
Trace : 4, 20200116 140420.868 SSL cipher available: 99:EDH-DSS-DES-CBC-SHA
Trace : 4, 20200116 140420.868 SSL cipher available: 100:DH-RSA-DES-CBC-SHA
Trace : 4, 20200116 140420.868 SSL cipher available: 101:DH-DSS-DES-CBC-SHA
Trace : 4, 20200116 140420.868 SSL cipher available: 102:DES-CBC-SHA
Trace : 4, 20200116 140420.868 SSL handshake started write:unknown:unknown
Trace : 4, 20200116 140420.868 SSL state connect:before/connect initialization:(NONE)
Trace : 4, 20200116 140420.868 SSL state connect:SSLv2/v3 write client hello A:(NONE)
Trace : 4, 20200116 140420.868 SSL connect:SSLv2/v3 read server hello A
Trace : 4, 20200116 140420.900 SSL state connect:SSLv3 read server hello A:(NONE)
Trace : 4, 20200116 140420.900 SSL alert write:fatal:unknown CA
Trace : 4, 20200116 140420.900 SSL connect:error
Trace : 4, 20200116 140420.900 SSL connect:error
Connect failed return code: Failure
Posting connect semaphore for client test rc 0Posting connect semaphore for client test rc 0

icraggs commented 4 years ago

The OpenSSL trace entry:

alert write:fatal:unknown CA

implies to me that the CA check failed. I assume that's at the client side, but as you're not providing a host CA certificate to check, that doesn't seem right. It would seem more likely that it's from the host checking your client cert. Are there any log messages on the AWS end?

xhpohanka commented 4 years ago

Thanks for commenting. I have found the issue. I expected that the --insecure option disables verification of the server certificate completely. Instead, it still needs the server certificate to be signed by a known authority and just disables checking of the name...
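A triage sketch for the traces posted in this thread, added here as an example (it is not code from Paho or from any commenter): it reads `--trace protocol` output and separates the two failures seen above, a CONNECT sent with no TLS handshake and a fatal alert during the handshake. OpenSSL's info callback labels an alert `write` when the local endpoint sent it and `read` when the peer sent it; the function names and result codes are made up for the example, and it assumes the trace wording shown on this page.

```python
import re

# Patterns for the Paho trace lines quoted in this thread.
ALERT = re.compile(r"SSL alert (read|write):(warning|fatal):(.+)")
CONNACK = re.compile(r"<- CONNACK rc: (\d+)")
OPENSSL = re.compile(r"OpenSSL version: (OpenSSL \S+)")


def parse_trace(text):
    """Collect the TLS- and MQTT-level facts a protocol trace exposes."""
    facts = {
        "openssl": None, "handshake_started": False, "handshake_done": False,
        "connect_sent": False, "connack_rc": None, "fatal_alerts": [],
    }
    for line in text.splitlines():
        if m := OPENSSL.search(line):
            facts["openssl"] = m.group(1)
        if "SSL handshake started" in line:
            facts["handshake_started"] = True
        if "SSL handshake done" in line:
            facts["handshake_done"] = True
        if "-> CONNECT" in line:
            facts["connect_sent"] = True
        if m := CONNACK.search(line):
            facts["connack_rc"] = int(m.group(1))
        # Warning-level alerts (e.g. close notify on shutdown) are not failures.
        if (m := ALERT.search(line)) and m.group(2) == "fatal":
            facts["fatal_alerts"].append((m.group(1), m.group(3).strip()))
    return facts


def diagnose(text):
    """Return (code, hint) for one trace; codes are hypothetical labels."""
    f = parse_trace(text)
    for direction, desc in f["fatal_alerts"]:
        if direction == "write":  # alert generated by this client
            return ("local_rejected_server",
                    f"client sent '{desc}': check the trust store / CA path it uses")
        return ("peer_rejected_client",  # alert received from the broker
                f"broker sent '{desc}': check the client certificate and key")
    if f["connect_sent"] and not f["handshake_started"] and f["connack_rc"] is None:
        return ("no_tls_handshake",
                "CONNECT went out without TLS: check the server URI scheme (ssl://)")
    if f["handshake_done"] and f["connack_rc"] == 0:
        return ("ok", "TLS handshake completed and the broker accepted CONNECT")
    return ("inconclusive", "trace does not match a known pattern")


# Excerpts of the traces posted above (cipher lists left out).
NO_TLS_TRACE = """\
Trace : 3, OpenSSL version: OpenSSL 1.1.1d  10 Sep 2019
Trace : 4, 20200116 105156.463 3 test -> CONNECT version 4 clean: 1 (0)
Trace : 5, 20200116 105156.492 waitfor unexpectedly is NULL for client test, packet_type 2, timeout 28846
"""
EMBEDDED_TRACE = """\
Trace : 3, OpenSSL version: OpenSSL 1.0.2e 3 Dec 2015
Trace : 4, 20200116 140420.788 SSL handshake started write:unknown:unknown
Trace : 4, 20200116 140420.823 SSL state connect:SSLv3 read server hello A:(NONE)
Trace : 4, 20200116 140420.823 SSL alert write:fatal:unknown CA
Trace : 4, 20200116 140420.823 SSL connect:error
"""
PC_TRACE = """\
Trace : 4, 20200116 150508.912 SSL handshake started write:unknown:unknown
Trace : 4, 20200116 150508.944 SSL handshake done write:unknown:unknown
Trace : 4, 20200116 150508.944 SSL certificate verification: X509_V_OK
Trace : 4, 20200116 150508.944 3 test -> CONNECT version 4 clean: 1 (0)
Trace : 4, 20200116 150509.013 3 test <- CONNACK rc: 0
Trace : 4, 20200116 150509.014 SSL alert write:warning:close notify
"""
# Constructed line (not from the thread) to exercise the peer-side branch.
CONSTRUCTED_PEER_ALERT = """\
Trace : 4, 20200116 000000.000 SSL handshake started write:unknown:unknown
Trace : 4, 20200116 000000.001 SSL alert read:fatal:bad certificate
"""

if __name__ == "__main__":
    for name, trace in [("no TLS", NO_TLS_TRACE), ("embedded", EMBEDDED_TRACE),
                        ("PC", PC_TRACE), ("constructed", CONSTRUCTED_PEER_ALERT)]:
        print(name, "->", diagnose(trace))
```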

wackxu commented 3 years ago

> Thanks for commenting. I have found the issue. I expected that the --insecure option disables verification of the server certificate completely. Instead, it still needs the server certificate to be signed by a known authority and just disables checking of the name...

@xhpohanka did you solve the problem? I also ran into the error.

xhpohanka commented 3 years ago

> did you solve the problem? I also ran into the error.

@wackxu If I remember correctly, I had to set the enableServerCertAuth option to false to disable peer checking. The --insecure option did not do that.

wackxu commented 3 years ago

> > did you solve the problem? I also ran into the error.
>
> @wackxu If I remember correctly, I had to set the enableServerCertAuth option to false to disable peer checking. The --insecure option did not do that.

Great, thanks for your help.