- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
WICED SDK 3.5.2 using the Broadcom BCM9WCD1EVAL1 demo board with the apps/demo/aws_iot/pub_sub/publisher project
Using the AWS IoT publisher sample project. I have generated my client cert and priv key and loaded into resources in project. These have been tested externally so I know they are good. The root CA cert is also known to be good.
I modified mqtt_network.c mqtt_network_init() function call and its call to wiced_tls_init_context() and changed the NULL for peer CN to a server name that is totally different than the once I am actually connecting to, and TLS verification is required.
I then placed a lot of WPRINT_APP_INFO() function calls to output debug info to the console to trace out the various return values and determine what paths are being taken. See below for a trace.
Everything appears okay as we move along the code until run the wiced_tcp_start_tls() function which in turn calls wiced_generic_start_tls_with_ciphers() where in the do while loop for the ssl handshake we have a problem.
The mqtt_network_connect() function will make multiple attempts to connect before giving up. The first pass the handshake fails with error code 5037 = CERTIFICATE_NAME_MISMATCH. Okay, that is what I expected using my settings below. However the do while loop in the mqtt_network_connect() function says that we should try again, so it does. The problem is that the second attempt PASSES. Crazy!
Something is not being properly initialized before the next pass is my guess. Or there is some counter getting maxed out (not reset) and a default return code of success is being returned. Whatever is going on, I am stuck trying to debug this because there is no source code for the ssl_handshake_client_async() function.
And if I use the proper name in the peer cn parameter in the wiced_tls_init_context() function call, it is exactly the same result for AWS IoT connection. First pass through is error 5037, second pass is success. While that seems good, the fact that I can do this with a bad peer cn name means that this verify is not trustworthy and I cannot protect against MITM attacks.
When can we expect a fix? This was reported back on Aug 18 2015 and it is still not answered or fixed? Why?
https://community.broadcom.com/message/18777#18777
#define MQTT_BROKER_ADDRESS | "AWG29O1L5K0Q3.iot.us-east-1.amazonaws.com" |
wiced_tls_init_context( &socket->tls_context, &socket->tls_identity, "www.google.com" );
#define WICED_TLS_DEFAULT_VERIFICATION | (TLS_VERIFICATION_REQUIRED) |
Starting WICED v3.5.2
Platform BCM943362WCD4 initialised
Started ThreadX v5.6
Initialising NetX_Duo v5.7_sp2
Creating Packet pools
WWD SDIO interface initialised
WLAN MAC Address : 40:2C:F4:AF:32:91
WLAN Firmware : wl0: Oct 22 2015 15:05:09 version 5.90.230.15 FWID 01-47a517a
Joining : XXX
Successfully joined : XXX
Obtaining IPv4 address via DHCP
DHCP CLIENT hostname WICED IP
IPv4 network ready IP: 192.168.1.68
Setting IPv6 link-local address
IPv6 network ready IP: FE80:0000:0000:0000:422C:F4FF:FEAF:3291
Resolving IP address of MQTT broker...
Resolved Broker IP: 54.85.255.214
[MQTT] Opening connection...
[mqtt_network.c] mqtt_network_init() wiced_tcp_create_socket() success...
[mqtt_network.c] mqtt_network_init() using security...
[mqtt_network.c] mqtt_network_init() wiced_tls_init_root_ca_certificates() success...
[mqtt_network.c] mqtt_network_init() - wiced_tls_init_identity() success...
[mqtt_network.c] mqtt_network_init() - wiced_tls_init_context() success...
[mqtt_network.c] mqtt_network_init() - wiced_tcp_enable_tls() success...
[mqtt_network.c] mqtt_network_init() - mqtt_network_connect()
[mqtt_network.c] mqtt_network_connect() try 0
[tcpip.c] wiced_tcp_connect() wiced_tcp_start_tls()
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - root_ca_certificates exist
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - identity does exist
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() error 5037...
error 5037...
result = 5037...
[mqtt_network.c] mqtt_network_connect() try 1
[tcpip.c] wiced_tcp_connect() wiced_tcp_start_tls()
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - root_ca_certificates exist
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - identity does exist
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - do while loop ( tls_context->context.state != SSL_HANDSHAKE_OVER
[wiced_tls.c] wiced_generic_start_tls_with_ciphers() - ssl_handshake_client_async() success...
success...
result = 0...
success...
[mqtt_network.c] mqtt_network_init() - wiced_tcp_register_callbacks() success...
Success
Solved! Go to Solution.
- Tags:
- aws
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes this is taken care, Yes you will be able to verify TLS connections to AWS IoT.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The next SDK has support for peer common name for MQTT.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great. What about the TLS issue I reported? Will there be support to verify TLS connections to AWS IoT? Right now I cannot make that happen. If this is not a problem for you, please post the code (less your cert and private key) and I will use that to figure out the issue on my end. Thanks.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes this is taken care, Yes you will be able to verify TLS connections to AWS IoT.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great. Thanks. My only other question is when can we expect the next SDK release with these fixes? Is there an ETA?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Solved. Thanks.
PS to anybody else having issues with AWS IoT peer verification, make sure that your peer CN parameter being passed in has a wildcard for the first level. So if your broker is
"data.iot.us-east-1.amazonaws.com" please use
"*.iot.us-east-1.amazonaws.com"
as your peer cn input.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any news on when we'll get the update that has CN verification?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Already fixed. Depends on what you need either 3.5.2 or 3.6.0. For AWS MQTT you can use 3.5.2 but need to use wildcard in peer cn field, i.e. *.xxx and not the exact broker name data.xxx
Sent from my iPhone
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, I'm still on 3.4.0, I just didn't see it in the changelog for 3.5.2. How can I get access to 3.6.0?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content