mqtt_demo_mutual_auth get error "SSL_connect failed to perform TLS handshake." #1880

Closed
chenxiang1001 opened this issue Sep 12, 2023 · 3 comments

@chenxiang1001

Now I'm trying to use AWS IoT embedded C SDK in Ubuntu 20.04.

The steps:
cmake -S . -Bbuild -DAWS_IOT_ENDPOINT="xxx-ats.iot.xxx.amazonaws.com" -DROOT_CA_CERT_PATH="/home/builder/ca.pem" -DCLIENT_CERT_PATH="/home/builder/cert.pem" -DCLIENT_PRIVATE_KEY_PATH="/home/builder/key.pem"
cd build
make mqtt_demo_mutual_auth

Then I got the following error message when running mqtt_demo_mutual_auth:
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:280] SSL_connect failed to perform TLS handshake.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:696] Failed to establish a TLS connection.

I've tested MQTT using MQTT.fx with the above files (ca.pem, cert.pem, key.pem).

Can anyone help with why I am getting this issue? Thanks.

@kstribrnAmzn
Member

kstribrnAmzn commented Sep 12, 2023

Hello @chenxiang1001! Sorry for this troubling experience. I do believe I have figured out your issue though - looks like the RootCA path is incorrect in our code. I followed the steps you went through almost exactly and saw the SSL_connect error. For a temporary workaround, you can add the RootCA path.

So instead of...

cmake -S . -Bbuild -DAWS_IOT_ENDPOINT="xxx-ats.iot.xxx.amazonaws.com" -DROOT_CA_CERT_PATH="/home/builder/ca.pem" -DCLIENT_CERT_PATH="/home/builder/cert.pem" -DCLIENT_PRIVATE_KEY_PATH="/home/builder/key.pem"

Do this...

cmake -S . -Bbuild -DAWS_IOT_ENDPOINT="xxx-ats.iot.xxx.amazonaws.com" -DROOT_CA_CERT_PATH="/home/builder/ca.pem" -DCLIENT_CERT_PATH="/home/builder/cert.pem" -DCLIENT_PRIVATE_KEY_PATH="/home/builder/key.pem" -DROOT_CA_CERT_PATH="/home/builder/AmazonRootCA1.pem"

You can download the RootCA here.

I'll make sure to update the README to include this CMake option in the CMake command. I'll submit a PR to fix the broken certificate download.

@kstribrnAmzn
Member

Found out the actual root cause of the problem - the certificate path is relative to the directory you execute the binary from. So the commands you'll want to execute will look like...

cmake -S . -Bbuild -DAWS_IOT_ENDPOINT="xxx-ats.iot.xxx.amazonaws.com" -DROOT_CA_CERT_PATH="/home/builder/ca.pem" -DCLIENT_CERT_PATH="/home/builder/cert.pem" -DCLIENT_PRIVATE_KEY_PATH="/home/builder/key.pem"
cd build
make mqtt_demo_mutual_auth
cd bin
./mqtt_demo_mutual_auth

I'll make sure to clarify this in the README.
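
The comment above attributes the handshake failure to certificate paths being resolved relative to the directory the binary is started from. As an added example (not code from the SDK or from the commenters), this shell preflight resolves each credential path the way a process started in the current directory would, and reports unreadable or non-PEM files before the demo is run. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not SDK code): preflight check for TLS credential paths.
# Run it from the directory you will launch the demo binary from.

# Print the absolute path a process started in the current directory would open.
resolve_from_cwd() {
    case "$1" in
        /*) printf '%s\n' "$1" ;;                 # absolute: cwd is irrelevant
        *)  printf '%s/%s\n' "$(pwd)" "$1" ;;     # relative: depends on cwd
    esac
}

# check_pem_path LABEL PATH
# Returns 0 if PATH is a readable PEM file, 1 if missing or unreadable,
# 2 if the file exists but carries no PEM header.
check_pem_path() {
    full=$(resolve_from_cwd "$2")
    if [ ! -f "$full" ] || [ ! -r "$full" ]; then
        echo "$1: cannot read $full (cwd: $(pwd))" >&2
        return 1
    fi
    if ! grep -q -e '-----BEGIN ' "$full"; then
        echo "$1: $full has no PEM header" >&2
        return 2
    fi
    echo "$1: ok $full"
}

# preflight ROOT_CA CLIENT_CERT CLIENT_KEY
# Checks all three paths and reports every failure, not just the first.
preflight() {
    rc=0
    check_pem_path "root CA" "$1" || rc=1
    check_pem_path "client cert" "$2" || rc=1
    check_pem_path "client key" "$3" || rc=1
    return "$rc"
}

# Stand-alone use: sh preflight.sh <root-ca> <client-cert> <client-key>
if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```

Running it once from `build` and once from `build/bin` with the same relative paths shows which working directory the configured paths are valid for.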

@kstribrnAmzn
Member

#1881
