AWS MQTT Demo MbedTLS Config

audreyh · March 23, 2020, 12:23pm

Hi, I am trying to connect to AWS using the MQTT demo for STM32L4. I have tweaked some of the project settings such as NOT to use offload_ssl.
I know that the certs and private key are correct as I used them with a mosquitto client to connect successfully.

During the handshake process at step 12, I get fatal message errors (-0x7780, msg 40), which according to some forums may be related to the cipher suite used.

I have not tweaked the config.h file for mbedtls that came with the demo project, but I am wondering if there is something that should be modified.

Anyone have ideas?

Thanks!!

aggarg · March 23, 2020, 5:22pm

Did you use our quick connect workflow to generate cert and keys and setup other AWS resources required for the demo?

Just to make sure that your cert and keys are correct, would you please use with offload_ssl and let us know if that works.

Also, what version of the code are you using?

Thanks.

audreyh · March 23, 2020, 11:54pm

Yep, I used the quick connect to gen the cert and private key. I am confident that they are correct as I was able to load them into another program to connect to AWS and publish to mqtt topics.

I actually cannot use offload_ssl. The demo is running on custom hardware with a cell module instead of wifi module. ( so of course i tweaked some of the functionality to communicate with the cell modem vs the wifi chip)

The version of code I have is 0.9.2 for the aws config
FreeRTOS V202002.00
mbed TLS 2.16.0

aggarg · March 24, 2020, 7:19pm

Okay - So you are porting to a new hardware. In that case, it will be helpful to take a step-by-step approach:

Let’s first make sure that the TCP stack works correctly. Which TCP stack are you using? Are you porting to our secure sockets layer - in which case you can use our secure socket tests to verify that the TCP works correctly.
After we are sure that the TCP layer is working as expected, we can move to TLS. Our secure sockets tests include TLS tests as well which helps you to verify that TLS+TCP works correctly.
Next we can bring in MQTT and connect to AWS IoT.

Would you also enable mbedTLS debug logs and share them.

Thanks.

audreyh · March 25, 2020, 12:56am

Hi Gaurav,

I am using LwIP, yes porting to the secure sockets layer.

I verified the TCP stack is working by opening a socket to the U-blox echo server (we are using a ublox modem) and can send and receive responses.

Does AWS have a test server that can be used for the secure sockets TLS tests? Should I just use my endpoint/keys/certs for the test?

I noticed that the handshake is failing at state 12 of the mbed tls handshake…SSL_SERVER_CHANGE_CIPHER_SPEC which makes me think that there is something off with the config.h being used.

audreyh · March 25, 2020, 2:27pm

I updated the config file, and and now getting a fatal message 42 type:

70606 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => handshake

70723 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: client state: 0

70849 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => flush output

70975 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= flush output

71101 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: client state: 1

71227 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => flush output

71353 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= flush output

71479 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => write client hello

71623 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => write handshake message

71767 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => write record

71893 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => flush output

72019 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: message length: 158, out_left: 158

72391 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: ssl->f_send() returned 158 (-0xffffff62)

72553 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= flush output

72679 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= write record

72805 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= write handshake message

72946 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= write client hello

73081 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: client state: 2

73207 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => flush output

73333 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= flush output

73459 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => parse server hello

73594 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => read record

73717 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => fetch input

73840 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: in_left: 0, nb_want: 5

75386 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: in_left: 0, nb_want: 5

75521 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)

75707 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= fetch input

75830 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => fetch input

75953 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: in_left: 5, nb_want: 5348

76145 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: in_left: 5, nb_want: 5348

76286 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: ssl->f_recv(_timeout)() returned 1375 (-0xfffffaa1)

77076 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: in_left: 1380, nb_want: 5348

77220 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: ssl->f_recv(_timeout)() returned 1380 (-0xfffffa9c)

81990 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: in_left: 2760, nb_want: 5348

82134 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: ssl->f_recv(_timeout)() returned 1380 (-0xfffffa9c)

83385 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: in_left: 4140, nb_want: 5348

83529 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: ssl->f_recv(_timeout)() returned 1208 (-0xfffffb48)

83709 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= fetch input

83847 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= read record

83970 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: server hello, total extension length: 9

84132 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= parse server hello

84267 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: client state: 3

84393 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => flush output

84519 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= flush output

84645 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => parse certificate

84777 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => read record

85017 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= read record

87089 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= parse certificate

87221 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: client state: 4

87347 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => flush output

87473 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= flush output

87599 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => parse server key exchange

87743 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => read record

87872 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= read record

87998 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: ECDH curve: secp256r1

88130 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: Server used SignatureAlgorithm 1

88280 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: Server used HashAlgorithm 4

89252 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= parse server key exchange

89396 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: client state: 5

89522 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => flush output

89648 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= flush output

89774 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => parse certificate request

89918 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => read record

90041 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= read record

90164 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= parse certificate request

90308 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: client state: 6

90434 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => flush output

90560 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= flush output

90686 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => parse server hello done

90827 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => read record

90950 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= read record

91073 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= parse server hello done

91214 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: client state: 7

91340 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => flush output

91466 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= flush output

91592 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => write certificate

91727 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => write handshake message

91883 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => write record

92009 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => flush output

92135 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: message length: 876, out_left: 876

93278 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: ssl->f_send() returned 876 (-0xfffffc94)

93440 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= flush output

93566 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= write record

93692 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= write handshake message

93833 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= write certificate

93965 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: client state: 8

94091 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => flush output

94217 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= flush output

94343 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => write client key exchange

111518 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => write handshake message

111665 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => write record

111788 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => flush output

111914 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: message length: 75, out_left: 75

112199 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: ssl->f_send() returned 75 (-0xffffffb5)

112361 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= flush output

112487 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= write record

112613 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= write handshake message

112757 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= write client key exchange

112904 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: client state: 9

113030 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => flush output

113156 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= flush output

113282 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => write certificate verify

113426 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => derive keys

113552 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => calc verify sha256

113690 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= calc verify

113966 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= derive keys

114089 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => calc verify sha256

114227 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= calc verify

123491 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => write handshake message

123638 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => write record

123761 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => flush output

123887 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: message length: 85, out_left: 85

124184 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: ssl->f_send() returned 85 (-0xffffffab)

124346 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= flush output

124472 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= write record

124598 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= write handshake message

124742 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= write certificate verify

124886 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: client state: 10

125015 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => flush output

125153 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= flush output

125279 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => write change cipher spec

125423 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => write handshake message

125567 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => write record

125693 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => flush output

125819 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: message length: 6, out_left: 6

126026 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: ssl->f_send() returned 6 (-0xfffffffa)

126188 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= flush output

126314 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= write record

126440 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= write handshake message

126584 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= write change cipher spec

126728 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: client state: 11

126857 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => flush output

126983 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= flush output

127109 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => write finished

127238 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => calc finished tls sha256

127406 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= calc finished

127535 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => write handshake message

127682 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => write record

127805 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => encrypt buf

127934 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= encrypt buf

128060 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => flush output

128186 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: message length: 45, out_left: 45

128342 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: ssl->f_send() returned 45 (-0xffffffd3)

128501 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= flush output

128627 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= write record

128753 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= write handshake message

128897 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= write finished

129026 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: client state: 12

129155 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => flush output

129281 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= flush output

129407 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => parse change cipher spec

129551 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => read record

129677 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => fetch input

129803 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: in_left: 0, nb_want: 5

129941 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: in_left: 0, nb_want: 5

130079 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)

130256 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= fetch input

130396 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: => fetch input

130522 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: in_left: 5, nb_want: 7

130660 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: in_left: 5, nb_want: 7

130798 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: ssl->f_recv(_timeout)() returned 2 (-0xfffffffe)

130975 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= fetch input

131102 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: got an alert message, type: [2:42]

131282 - info:prvTlsDebugPrint:723:mbedTLS: |1| 0x2000ed04: is a fatal alert message (msg 42)

131435 - info:prvTlsDebugPrint:723:mbedTLS: |1| 0x2000ed04: mbedtls_ssl_handle_message_type() returned -30592 (-0x7780)

131627 - info:prvTlsDebugPrint:723:mbedTLS: |1| 0x2000ed04: mbedtls_ssl_read_record() returned -30592 (-0x7780)

131807 - info:prvTlsDebugPrint:723:mbedTLS: |2| 0x2000ed04: <= handshake

aggarg · March 25, 2020, 9:41pm

Does AWS have a test server that can be used for the secure sockets TLS tests? Should I just use my endpoint/keys/certs for the test?

We do not provide a test server as a hosted solution but we do provide two simple echo servers written in GO. This page explains how to set up TLS and non-TLS echo servers: FreeRTOS

Please setup TLS echo server and lets see if that works. Meanwhile I will try to get more information on the logs you shared.

Thanks.

lundinc · March 25, 2020, 10:53pm

In addition to Gaurav’s guidance, can you set the mbedtls debug level to 4?

Also here are the supported cipher specs for AWS IoT Core: https://docs.aws.amazon.com/iot/latest/developerguide/transport-security.html.

Perhaps you can cross reference this with your config.h. Albeit that seems to not be the issue if it has not been changed from the one we distribute.

lundinc · March 26, 2020, 4:55pm

Hello Audreyh,

I took a look at those logs, and you are receiving an alert message 42 from the server. This indicates a bad certificate. Could you be missing some initialization / configuration code? Or possibly missing a certificate in the

Since you’ve tested this certificate with another program it is likely a problem when porting to the secure sockets layer.

Have you followed our porting guide? https://docs.aws.amazon.com/freertos/latest/portingguide/afr-porting-ss.html. It may also be helpful to compare to the existing not offload_ssl port on ST.

Thanks,

Carl

audreyh · March 26, 2020, 5:38pm

Hi Carl…thanks for the response! I think the rest of this sentence got cut off: “Or possibly missing a certificate in the”

What was the rest of that sentence?

There could be some init code missing, I have the function vDevModeKeyProvisioning() running at startup, but maybe I am missing another item related to the certificate, I will cross reference with the demos one more time.

lundinc · March 26, 2020, 5:44pm

Apologies for the typo! “Or possibly missing a certificate in the certificate chain" was the complete sentence.

This file may be a useful resource for some example code that uses mbedTLS. https://github.com/aws/amazon-freertos/blob/master/libraries/freertos_plus/standard/tls/src/iot_tls.c.