Re: [paho-dev] Trouble connecting using SSL

Hi David,

there's a bug in 1.3.0 where the newly added CApath TLS option doesn't work (see https://github.com/eclipse/paho.mqtt.c/pull/574).  That will have been confusing you.

If you use the trustStore option (equivalent to CAfile), then it should work.

Ian

On 12/12/2018 17:02, David Frey wrote:
Hi,

I posted a similar question to the Mattermost channel
(https://mattermost.eclipse.org/eclipse/pl/tzh9jd7sw3n3x8focqapiebrnc)
before I realized that this mailing list exists.  It seems like there is
more activity here, so I'm going to re-post.

I am trying to connect to AWS IoT using paho.mqtt.c using a simple
program that I wrote:
https://github.com/dpfrey/aws_iot_mqtt_example/blob/master/main.c

I have verified that it *is* possible to open an SSL session using this
command:
    openssl s_client -cert ../certs/04ada7f21c-certificate.pem.crt \
        -key ../certs/04ada7f21c-private.pem.key \
        -CAfile ../certs/ca/AmazonRootCA1.pem \
        -connect acsf8ikktv204-ats.iot.us-west-2.amazonaws.com:8883

I have played around with the SSL settings available in paho and I can't
find a combination that works.  I posted the output of my program
running with trace level PROTOCOL here:
https://gist.github.com/dpfrey/1a07d5d64bb305fa764bba043170bf24

In one instance, I fill in ssl_opts.keyStore and in the other I don't.
It seems that the openssl command I executed above doesn't make use of
the public key file, so I'm guessing that the version where I don't
supply the keyStore to paho might be closer to correct.

The last few lines of the output (without keyStore) are:
20181211 220656.062 SSL alert write:fatal:unknown CA
20181211 220656.062 SSL connect:error
In ssl_error_callback with str=140219359057664:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1924:

Connection failed with code=-1, message=TCP/TLS connect failure
All finished

The last few lines of the output (with keyStore) are:
20181211 220543.698 Connecting to serverURI acsf8ikktv204-ats.iot.us-west-2.amazonaws.com:8883 with MQTT version 3
In ssl_error_callback with str=140643715286784:error:140DC009:SSL routines:use_certificate_chain_file:PEM lib:ssl/ssl_rsa.c:622:

Connection failed with code=-1, message=TCP/TLS connect failure
All finished

Do you see issues with my SSL settings in paho?  Is anyone familiar with
some sample code that shows paho.mqtt.c connecting to AWS IoT?

Thanks,
David

--
Ian Craggs
icraggs@xxxxxxxxxx                 IBM United Kingdom
Eclipse Paho Project Lead & Mosquitto Committer
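
An added example, not code from this thread or from the Paho project: a pre-flight check that a PEM file suits the paho.mqtt.c SSL option it is about to be assigned to. One cause of a `use_certificate_chain_file:PEM lib` error like the one in the trace above is a keyStore file that contains no PEM certificate. It assumes the usual correspondence with the `openssl s_client` flags (trustStore for `-CAfile`, keyStore for `-cert`, privateKey for `-key`); all function names and sample inputs are constructed for illustration, and only the exact `CERTIFICATE` label is treated as a certificate.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not paho code. Option names mirror MQTTClient_SSLOptions fields. */
enum ssl_opt { TRUST_STORE, KEY_STORE, PRIVATE_KEY };
enum { HAS_CERT = 1, HAS_PRIVKEY = 2, HAS_PUBKEY = 4 };

/* Scan every "-----BEGIN <label>-----" header and record which kinds appear. */
unsigned pem_kinds(const char *text)
{
    static const char begin[] = "-----BEGIN ";
    unsigned found = 0;
    const char *p = text;
    while ((p = strstr(p, begin)) != NULL) {
        p += sizeof begin - 1;
        const char *end = strstr(p, "-----");
        if (!end) break;
        size_t n = (size_t)(end - p);          /* length of the label */
        if (n == 11 && !strncmp(p, "CERTIFICATE", 11)) found |= HAS_CERT;
        else if (n >= 11 && !strncmp(end - 11, "PRIVATE KEY", 11)) found |= HAS_PRIVKEY;
        else if (n >= 10 && !strncmp(end - 10, "PUBLIC KEY", 10)) found |= HAS_PUBKEY;
        p = end;
    }
    return found;
}

/* NULL when the file suits the option, otherwise a short diagnosis. */
const char *check_option(enum ssl_opt opt, const char *text)
{
    unsigned k = pem_kinds(text);
    if (opt == PRIVATE_KEY) return (k & HAS_PRIVKEY) ? NULL : "no private key block";
    if (k & HAS_CERT) return NULL;   /* trustStore and keyStore both need certificates */
    if (k & HAS_PUBKEY) return "bare public key, not a certificate";
    return "no certificate block";
}

/* Constructed sample inputs: real PEM headers, dummy bodies. */
static const char SAMPLE_CERT[] = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n";
static const char SAMPLE_KEY[]  = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n";
static const char SAMPLE_PUB[]  = "-----BEGIN PUBLIC KEY-----\nAAAA\n-----END PUBLIC KEY-----\n";

int main(void)
{
    const char *r = check_option(KEY_STORE, SAMPLE_PUB);
    printf("keyStore <- public key: %s\n", r ? r : "ok");
    r = check_option(PRIVATE_KEY, SAMPLE_KEY);
    printf("privateKey <- RSA key: %s\n", r ? r : "ok");
    return 0;
}
```

The check looks only at PEM headers; it does not validate the certificate contents or confirm that the private key matches the certificate.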


