WICED SDK 3.5.2 SSL/TLS Verify Peer CN Bug

Anonymous
Not applicable

WICED SDK 3.5.2  using the Broadcom BCM9WCD1EVAL1 demo board with the apps/demo/aws_iot/pub_sub/publisher project

Using the AWS IoT publisher sample project. I have generated my client cert and priv key and loaded them into resources in the project. These have been tested externally so I know they are good. The root CA cert is also known to be good.

I modified mqtt_network.c mqtt_network_init() function call and its call to wiced_tls_init_context() and changed the NULL for peer CN to a server name that is totally different than the one I am actually connecting to, and TLS verification is required.

I then placed a lot of WPRINT_APP_INFO() function calls to output debug info to the console to trace out the various return values and determine what paths are being taken.   See below for a trace.

Everything appears okay as we move along the code until we run the wiced_tcp_start_tls() function, which in turn calls wiced_generic_start_tls_with_ciphers(), where in the do while loop for the ssl handshake we have a problem.

The mqtt_network_connect() function will make multiple attempts to connect before giving up. On the first pass the handshake fails with error code 5037 = CERTIFICATE_NAME_MISMATCH. Okay, that is what I expected using my settings below. However the do while loop in the mqtt_network_connect() function says that we should try again, so it does. The problem is that the second attempt PASSES. Crazy!

Something is not being properly initialized before the next pass is my guess.  Or there is some counter getting maxed out (not reset) and a default return code of success is being returned.  Whatever is going on, I am stuck trying to debug this because there is no source code for the ssl_handshake_client_async() function.

And if I use the proper name in the peer cn parameter in the wiced_tls_init_context() function call, it is exactly the same result for AWS IoT connection.  First pass through is error 5037, second pass is success.  While that seems good, the fact that I can do this with a bad peer cn name means that this verify is not trustworthy and I cannot protect against MITM attacks.

When can we expect a fix?  This was reported back on Aug 18 2015 and it is still not answered or fixed?  Why?

https://community.broadcom.com/message/18777#18777

#define MQTT_BROKER_ADDRESS            "AWG29O1L5K0Q3.iot.us-east-1.amazonaws.com"

wiced_tls_init_context( &socket->tls_context, &socket->tls_identity, "www.google.com" );

#define WICED_TLS_DEFAULT_VERIFICATION   (TLS_VERIFICATION_REQUIRED)

Starting WICED v3.5.2

Platform BCM943362WCD4 initialised

Started ThreadX v5.6

Initialising NetX_Duo v5.7_sp2

Creating Packet pools

WWD SDIO interface initialised

WLAN MAC Address : 40:2C:F4:AF:32:91

WLAN Firmware    : wl0: Oct 22 2015 15:05:09 version 5.90.230.15 FWID 01-47a517a

Joining : XXX

Successfully joined : XXX

Obtaining IPv4 address via DHCP

DHCP CLIENT hostname WICED IP

IPv4 network ready IP: 192.168.1.68

Setting IPv6 link-local address

IPv6 network ready IP: FE80:0000:0000:0000:422C:F4FF:FEAF:3291

Resolving IP address of MQTT broker...

Resolved Broker IP: 54.85.255.214

[MQTT] Opening connection...

[mqtt_network.c] mqtt_network_init() wiced_tcp_create_socket() success...

[mqtt_network.c] mqtt_network_init() using security...

[mqtt_network.c] mqtt_network_init() wiced_tls_init_root_ca_certificates() success...

[mqtt_network.c] mqtt_network_init() - wiced_tls_init_identity() success...

[mqtt_network.c] mqtt_network_init() - wiced_tls_init_context() success...

[mqtt_network.c] mqtt_network_init() - wiced_tcp_enable_tls() success...

[mqtt_network.c] mqtt_network_init() - mqtt_network_connect()

        [mqtt_network.c] mqtt_network_connect() try 0

                [tcpip.c] wiced_tcp_connect() wiced_tcp_start_tls()

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - root_ca_certificates exist

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - identity does exist

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() error 5037...

error 5037...

result = 5037...

        [mqtt_network.c] mqtt_network_connect() try 1

                [tcpip.c] wiced_tcp_connect() wiced_tcp_start_tls()

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - root_ca_certificates exist

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - identity does exist

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER

                        [wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...

success...

result = 0...

success...

[mqtt_network.c] mqtt_network_init() - wiced_tcp_register_callbacks() success...

Success

vik86abirjepatil
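
The trace above shows a connect loop that retries after CERTIFICATE_NAME_MISMATCH (5037) and then reports success. The following added example (not code from the post or from the WICED SDK) shows an application-level retry policy that fails closed on a verification error while still retrying transient ones. All function and macro names are hypothetical; only the value 5037 and its meaning come from the post.

```c
#include <stdio.h>

/* Hypothetical names. Only the value 5037 and its meaning are from the post. */
#define TLS_OK                    0
#define TLS_CERT_NAME_MISMATCH 5037
#define TLS_TIMEOUT            9001   /* constructed transient error code */

typedef int (*tls_connect_fn)(void *ctx);

/* A verification failure is a verdict about the peer, not a transient fault. */
static int is_verification_failure(int rc)
{
    return rc == TLS_CERT_NAME_MISMATCH;
}

/* Retry transient errors only; return at once when verification fails. */
int connect_with_retries(tls_connect_fn do_connect, void *ctx,
                         int max_tries, int *tries_used)
{
    int rc = TLS_TIMEOUT;
    for (*tries_used = 0; *tries_used < max_tries; ) {
        rc = do_connect(ctx);
        (*tries_used)++;
        if (rc == TLS_OK || is_verification_failure(rc))
            break;
    }
    return rc;
}

/* Constructed stand-in for the reported behaviour: mismatch, then success. */
int mismatch_then_success(void *ctx)
{
    int *calls = ctx;
    return (*calls)++ == 0 ? TLS_CERT_NAME_MISMATCH : TLS_OK;
}

/* Constructed stand-in for a flaky link: one timeout, then success. */
int timeout_then_success(void *ctx)
{
    int *calls = ctx;
    return (*calls)++ == 0 ? TLS_TIMEOUT : TLS_OK;
}

int main(void)
{
    int calls = 0, used = 0;
    int rc = connect_with_retries(mismatch_then_success, &calls, 3, &used);
    printf("mismatch case: rc=%d after %d attempt(s)\n", rc, used);
    return 0;
}
```

With this policy the second, "successful" handshake in the trace is never attempted, so the mismatch is what the caller sees.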

VikramR_26

The next SDK has support for peer common name for MQTT.

Anonymous
Not applicable

Great.  What about the TLS issue I reported?  Will there be support to verify TLS connections to AWS IoT?  Right now I cannot make that happen.  If this is not a problem for you, please post the code (less your cert and private key) and I will use that to figure out the issue on my end.  Thanks.

Yes, this is taken care of. Yes, you will be able to verify TLS connections to AWS IoT.

Anonymous
Not applicable

Great.  Thanks.  My only other question is when can we expect the next SDK release with these fixes?  Is there an ETA? 

Anonymous
Not applicable

Solved.  Thanks.

PS to anybody else having issues with AWS IoT peer verification, make sure that your peer CN parameter being passed in has a wildcard for the first level.  So if your broker is

"data.iot.us-east-1.amazonaws.com"  please use

"*.iot.us-east-1.amazonaws.com"

as your peer cn input. 
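
The workaround above suggests the expected peer CN is compared literally with the name in the server certificate. The following added example (not code from the post or from the WICED SDK) contrasts that literal comparison with a wildcard-aware host name match in which "*" covers exactly one left-most label. The function names are hypothetical, and both the literal-comparison behaviour and the certificate name "*.iot.us-east-1.amazonaws.com" are assumptions inferred from the post.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two NUL-terminated names. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Literal comparison: the behaviour the workaround suggests (assumption). */
int literal_match(const char *expected, const char *cert_name)
{
    return ieq(expected, cert_name);
}

/* Wildcard-aware match: "*" is accepted only as the whole left-most label
 * and stands for exactly one non-empty label of the host name. */
int wildcard_match(const char *host, const char *cert_name)
{
    if (strncmp(cert_name, "*.", 2) != 0)
        return ieq(host, cert_name);
    const char *suffix = cert_name + 1;           /* ".iot.us-east-1..." */
    if (strchr(suffix + 1, '.') == NULL)          /* refuse "*.com" */
        return 0;
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)               /* first label must exist */
        return 0;
    return ieq(dot, suffix);
}

int main(void)
{
    const char *cert = "*.iot.us-east-1.amazonaws.com"; /* assumed cert name */
    const char *hosts[] = { "data.iot.us-east-1.amazonaws.com",
                            "a.b.iot.us-east-1.amazonaws.com",
                            "www.google.com" };
    for (size_t i = 0; i < 3; i++)
        printf("%-36s literal=%d wildcard=%d\n", hosts[i],
               literal_match(hosts[i], cert), wildcard_match(hosts[i], cert));
    return 0;
}
```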

Anonymous
Not applicable

Any news on when we'll get the update that has CN verification?

Anonymous
Not applicable

Already fixed. Depends on what you need, either 3.5.2 or 3.6.0. For AWS MQTT you can use 3.5.2 but need to use a wildcard in the peer cn field, i.e. *.xxx and not the exact broker name data.xxx

Anonymous
Not applicable

Ok, I'm still on 3.4.0, I just didn't see it in the changelog for 3.5.2. How can I get access to 3.6.0?


abers

Take a look in your inbox.
