Hi All,

I recently started working on mbedtls for AWS IoT SDK-based applications.
Issue: I am planning to run AWS IoT SDK sample applications on my memory-constrained (6 MB RAM) embedded hardware.
Usage: AWS IoT SDK (3.0.1 release version) and mbedtls (2.16.5)
Note: This filesystem is a read-only file system.
I tried on an Ubuntu 18.04 setup first to make things clear. It was not working with "AmazonRootCA1.pem" and was working perfectly fine with the cross-signed "G2-RootCA1.pem". Ref: https://docs.aws.amazon.com/iot/latest/developerguide/iot-embedded-c-sdk.htm...
So I cross-compiled for my target board using the ARM toolchain and copied the binary and certificates. I downloaded the device certificate, private key and Root CA from AWS IoT Core to my device. Nothing was done on my device except copying the above 3 files.
On my embedded platform, whenever I run my application, mbedtls throws the error "mbedtls_ssl_handshake returned -0x50". So I enabled debug in the mbedtls library and ran the command below to dig into the problem.
$ ./ssl_client2 server_name=a2g7twmqo7hg82-ats.iot.ap-south-1.amazonaws.com server_port=443 ca_file=/certs/G2-RootCA1.pem crt_file=/certs/4960bd2f6b-certificate.pem.crt key_file=/certs/4960bd2f6b-private.pem.key

Output:

  . Seeding the random number generator... ok
  . Loading the CA root certificate ... ok (0 skipped)
  . Loading the client cert. and key... ok
  . Connecting to tcp/a2g7twmqo7hg82-ats.iot.ap-south-1.amazonaws.com/443... ok
  . Setting up the SSL/TLS structure...
ssl_tls.c:0081: |3| set_timer to 0 ms
 ok
  . Performing the SSL/TLS handshake...
ssl_tls.c:8084: |2| => handshake
ssl_cli.c:3510: |2| client state: 0
ssl_tls.c:2755: |2| => flush output
ssl_tls.c:2767: |2| <= flush output
ssl_cli.c:3510: |2| client state: 1
ssl_tls.c:2755: |2| => flush output
ssl_tls.c:2767: |2| <= flush output
ssl_cli.c:0774: |2| => write client hello
ssl_cli.c:0811: |3| client hello, max version: [3:3]
ssl_cli.c:0703: |3| client hello, current time: 1540981791
ssl_cli.c:0821: |3| dumping 'client hello, random bytes' (32 bytes)
ssl_cli.c:0821: |3| 0000:  5b d9 84 1f 2f 33 35 54 ea 0b 5d e1 dc 42 0c 99  [.../35T..]..B..
ssl_cli.c:0821: |3| 0010:  d4 a1 25 72 6f 0f cf 8e 56 0d ab f5 10 e4 47 46  ..%ro...V.....GF
ssl_cli.c:0874: |3| client hello, session id len.: 0
ssl_cli.c:0875: |3| dumping 'client hello, session id' (0 bytes)
ssl_cli.c:0921: |3| client hello, add ciphersuite: cca8
ssl_cli.c:0921: |3| client hello, add ciphersuite: cca9
ssl_cli.c:0921: |3| client hello, add ciphersuite: ccaa
ssl_cli.c:0921: |3| client hello, add ciphersuite: c02c
ssl_cli.c:0921: |3| client hello, add ciphersuite: c030
ssl_cli.c:0921: |3| client hello, add ciphersuite: 009f
ssl_cli.c:0921: |3| client hello, add ciphersuite: c0ad
ssl_cli.c:0921: |3| client hello, add ciphersuite: c09f
ssl_cli.c:0921: |3| client hello, add ciphersuite: c024
ssl_cli.c:0921: |3| client hello, add ciphersuite: c028
ssl_cli.c:0921: |3| client hello, add ciphersuite: 006b
ssl_cli.c:0921: |3| client hello, add ciphersuite: c00a
ssl_cli.c:0921: |3| client hello, add ciphersuite: c014
ssl_cli.c:0921: |3| client hello, add ciphersuite: 0039
ssl_cli.c:0921: |3| client hello, add ciphersuite: c0af
ssl_cli.c:0921: |3| client hello, add ciphersuite: c0a3
ssl_cli.c:0921: |3| client hello, add ciphersuite: c087
ssl_cli.c:0921: |3| client hello, add ciphersuite: c08b
ssl_cli.c:0921: |3| client hello, add ciphersuite: c07d
ssl_cli.c:0921: |3| client hello, add ciphersuite: c073
ssl_cli.c:0921: |3| client hello, add ciphersuite: c077
ssl_cli.c:0921: |3| client hello, add ciphersuite: 00c4
ssl_cli.c:0921: |3| client hello, add ciphersuite: 0088
ssl_cli.c:0921: |3| client hello, add ciphersuite: c02b
ssl_cli.c:0921: |3| client hello, add ciphersuite: c02f
ssl_cli.c:0921: |3| client hello, add ciphersuite: 009e
ssl_cli.c:0921: |3| client hello, add ciphersuite: c0ac
ssl_cli.c:0921: |3| client hello, add ciphersuite: c09e
ssl_cli.c:0921: |3| client hello, add ciphersuite: c023
ssl_cli.c:0921: |3| client hello, add ciphersuite: c027
ssl_cli.c:0921: |3| client hello, add ciphersuite: 0067
ssl_cli.c:0921: |3| client hello, add ciphersuite: c009
ssl_cli.c:0921: |3| client hello, add ciphersuite: c013
ssl_cli.c:0921: |3| client hello, add ciphersuite: 0033
ssl_cli.c:0921: |3| client hello, add ciphersuite: c0ae
ssl_cli.c:0921: |3| client hello, add ciphersuite: c0a2
ssl_cli.c:0921: |3| client hello, add ciphersuite: c086
ssl_cli.c:0921: |3| client hello, add ciphersuite: c08a
ssl_cli.c:0921: |3| client hello, add ciphersuite: c07c
ssl_cli.c:0921: |3| client hello, add ciphersuite: c072
ssl_cli.c:0921: |3| client hello, add ciphersuite: c076
ssl_cli.c:0921: |3| client hello, add ciphersuite: 00be
ssl_cli.c:0921: |3| client hello, add ciphersuite: 0045
ssl_cli.c:0921: |3| client hello, add ciphersuite: ccac
ssl_cli.c:0921: |3| client hello, add ciphersuite: ccad
ssl_cli.c:0921: |3| client hello, add ciphersuite: 00ab
ssl_cli.c:0921: |3| client hello, add ciphersuite: c0a7
ssl_cli.c:0921: |3| client hello, add ciphersuite: c038
ssl_cli.c:0921: |3| client hello, add ciphersuite: 00b3
ssl_cli.c:0921: |3| client hello, add ciphersuite: c036
ssl_cli.c:0921: |3| client hello, add ciphersuite: 0091
ssl_cli.c:0921: |3| client hello, add ciphersuite: c091
ssl_cli.c:0921: |3| client hello, add ciphersuite: c09b
ssl_cli.c:0921: |3| client hello, add ciphersuite: c097
ssl_cli.c:0921: |3| client hello, add ciphersuite: c0ab
ssl_cli.c:0921: |3| client hello, add ciphersuite: 00aa
ssl_cli.c:0921: |3| client hello, add ciphersuite: c0a6
ssl_cli.c:0921: |3| client hello, add ciphersuite: c037
ssl_cli.c:0921: |3| client hello, add ciphersuite: 00b2
ssl_cli.c:0921: |3| client hello, add ciphersuite: c035
ssl_cli.c:0921: |3| client hello, add ciphersuite: 0090
ssl_cli.c:0921: |3| client hello, add ciphersuite: c090
ssl_cli.c:0921: |3| client hello, add ciphersuite: c096
ssl_cli.c:0921: |3| client hello, add ciphersuite: c09a
ssl_cli.c:0921: |3| client hello, add ciphersuite: c0aa
ssl_cli.c:0921: |3| client hello, add ciphersuite: 009d
ssl_cli.c:0921: |3| client hello, add ciphersuite: c09d
ssl_cli.c:0921: |3| client hello, add ciphersuite: 003d
ssl_cli.c:0921: |3| client hello, add ciphersuite: 0035
ssl_cli.c:0921: |3| client hello, add ciphersuite: c032
ssl_cli.c:0921: |3| client hello, add ciphersuite: c02a
ssl_cli.c:0921: |3| client hello, add ciphersuite: c00f
ssl_cli.c:0921: |3| client hello, add ciphersuite: c02e
ssl_cli.c:0921: |3| client hello, add ciphersuite: c026
ssl_cli.c:0921: |3| client hello, add ciphersuite: c005
ssl_cli.c:0921: |3| client hello, add ciphersuite: c0a1
ssl_cli.c:0921: |3| client hello, add ciphersuite: c07b
ssl_cli.c:0921: |3| client hello, add ciphersuite: 00c0
ssl_cli.c:0921: |3| client hello, add ciphersuite: 0084
ssl_cli.c:0921: |3| client hello, add ciphersuite: c08d
ssl_cli.c:0921: |3| client hello, add ciphersuite: c079
ssl_cli.c:0921: |3| client hello, add ciphersuite: c089
ssl_cli.c:0921: |3| client hello, add ciphersuite: c075
ssl_cli.c:0921: |3| client hello, add ciphersuite: 009c
ssl_cli.c:0921: |3| client hello, add ciphersuite: c09c
ssl_cli.c:0921: |3| client hello, add ciphersuite: 003c
ssl_cli.c:0921: |3| client hello, add ciphersuite: 002f
ssl_cli.c:0921: |3| client hello, add ciphersuite: c031
ssl_cli.c:0921: |3| client hello, add ciphersuite: c029
ssl_cli.c:0921: |3| client hello, add ciphersuite: c00e
ssl_cli.c:0921: |3| client hello, add ciphersuite: c02d
ssl_cli.c:0921: |3| client hello, add ciphersuite: c025
ssl_cli.c:0921: |3| client hello, add ciphersuite: c004
ssl_cli.c:0921: |3| client hello, add ciphersuite: c0a0
ssl_cli.c:0921: |3| client hello, add ciphersuite: c07a
ssl_cli.c:0921: |3| client hello, add ciphersuite: 00ba
ssl_cli.c:0921: |3| client hello, add ciphersuite: 0041
ssl_cli.c:0921: |3| client hello, add ciphersuite: c08c
ssl_cli.c:0921: |3| client hello, add ciphersuite: c078
ssl_cli.c:0921: |3| client hello, add ciphersuite: c088
ssl_cli.c:0921: |3| client hello, add ciphersuite: c074
ssl_cli.c:0921: |3| client hello, add ciphersuite: ccae
ssl_cli.c:0921: |3| client hello, add ciphersuite: 00ad
ssl_cli.c:0921: |3| client hello, add ciphersuite: 00b7
ssl_cli.c:0921: |3| client hello, add ciphersuite: 0095
ssl_cli.c:0921: |3| client hello, add ciphersuite: c093
ssl_cli.c:0921: |3| client hello, add ciphersuite: c099
ssl_cli.c:0921: |3| client hello, add ciphersuite: 00ac
ssl_cli.c:0921: |3| client hello, add ciphersuite: 00b6
ssl_cli.c:0921: |3| client hello, add ciphersuite: 0094
ssl_cli.c:0921: |3| client hello, add ciphersuite: c092
ssl_cli.c:0921: |3| client hello, add ciphersuite: c098
ssl_cli.c:0921: |3| client hello, add ciphersuite: ccab
ssl_cli.c:0921: |3| client hello, add ciphersuite: 00a9
ssl_cli.c:0921: |3| client hello, add ciphersuite: c0a5
ssl_cli.c:0921: |3| client hello, add ciphersuite: 00af
ssl_cli.c:0921: |3| client hello, add ciphersuite: 008d
ssl_cli.c:0921: |3| client hello, add ciphersuite: c08f
ssl_cli.c:0921: |3| client hello, add ciphersuite: c095
ssl_cli.c:0921: |3| client hello, add ciphersuite: c0a9
ssl_cli.c:0921: |3| client hello, add ciphersuite: 00a8
ssl_cli.c:0921: |3| client hello, add ciphersuite: c0a4
ssl_cli.c:0921: |3| client hello, add ciphersuite: 00ae
ssl_cli.c:0921: |3| client hello, add ciphersuite: 008c
ssl_cli.c:0921: |3| client hello, add ciphersuite: c08e
ssl_cli.c:0921: |3| client hello, add ciphersuite: c094
ssl_cli.c:0921: |3| client hello, add ciphersuite: c0a8
ssl_cli.c:0934: |3| client hello, got 127 ciphersuites (excluding SCSVs)
ssl_cli.c:0943: |3| adding EMPTY_RENEGOTIATION_INFO_SCSV
ssl_cli.c:0992: |3| client hello, compress len.: 1
ssl_cli.c:0993: |3| client hello, compress alg.: 0
ssl_cli.c:0068: |3| client hello, adding server name extension: a2g7twmqo7hg82-ats.iot.ap-south-1.amazonaws.com
ssl_cli.c:0186: |3| client hello, adding signature_algorithms extension
ssl_cli.c:0271: |3| client hello, adding supported_elliptic_curves extension
ssl_cli.c:0336: |3| client hello, adding supported_point_formats extension
ssl_cli.c:0517: |3| client hello, adding encrypt_then_mac extension
ssl_cli.c:0551: |3| client hello, adding extended_master_secret extension
ssl_cli.c:0585: |3| client hello, adding session ticket extension
ssl_cli.c:1070: |3| client hello, total extension length: 128
ssl_tls.c:3184: |2| => write handshake message
ssl_tls.c:3343: |2| => write record
ssl_tls.c:3420: |3| output record: msgtype = 22, version = [3:1], msglen = 429
ssl_tls.c:3425: |4| dumping 'output record sent to network' (434 bytes)
ssl_tls.c:3425: |4| 0000:  16 03 01 01 ad 01 00 01 a9 03 03 5b d9 84 1f 2f  ...........[.../
ssl_tls.c:3425: |4| 0010:  33 35 54 ea 0b 5d e1 dc 42 0c 99 d4 a1 25 72 6f  35T..]..B....%ro
ssl_tls.c:3425: |4| 0020:  0f cf 8e 56 0d ab f5 10 e4 47 46 00 01 00 cc a8  ...V.....GF.....
ssl_tls.c:3425: |4| 0030:  cc a9 cc aa c0 2c c0 30 00 9f c0 ad c0 9f c0 24  .....,.0.......$
ssl_tls.c:3425: |4| 0040:  c0 28 00 6b c0 0a c0 14 00 39 c0 af c0 a3 c0 87  .(.k.....9......
ssl_tls.c:3425: |4| 0050:  c0 8b c0 7d c0 73 c0 77 00 c4 00 88 c0 2b c0 2f  ...}.s.w.....+./
ssl_tls.c:3425: |4| 0060:  00 9e c0 ac c0 9e c0 23 c0 27 00 67 c0 09 c0 13  .......#.'.g....
ssl_tls.c:3425: |4| 0070:  00 33 c0 ae c0 a2 c0 86 c0 8a c0 7c c0 72 c0 76  .3.........|.r.v
ssl_tls.c:3425: |4| 0080:  00 be 00 45 cc ac cc ad 00 ab c0 a7 c0 38 00 b3  ...E.........8..
ssl_tls.c:3425: |4| 0090:  c0 36 00 91 c0 91 c0 9b c0 97 c0 ab 00 aa c0 a6  .6..............
ssl_tls.c:3425: |4| 00a0:  c0 37 00 b2 c0 35 00 90 c0 90 c0 96 c0 9a c0 aa  .7...5..........
ssl_tls.c:3425: |4| 00b0:  00 9d c0 9d 00 3d 00 35 c0 32 c0 2a c0 0f c0 2e  .....=.5.2.*....
ssl_tls.c:3425: |4| 00c0:  c0 26 c0 05 c0 a1 c0 7b 00 c0 00 84 c0 8d c0 79  .&.....{.......y
ssl_tls.c:3425: |4| 00d0:  c0 89 c0 75 00 9c c0 9c 00 3c 00 2f c0 31 c0 29  ...u.....<./.1.)
ssl_tls.c:3425: |4| 00e0:  c0 0e c0 2d c0 25 c0 04 c0 a0 c0 7a 00 ba 00 41  ...-.%.....z...A
ssl_tls.c:3425: |4| 00f0:  c0 8c c0 78 c0 88 c0 74 cc ae 00 ad 00 b7 00 95  ...x...t........
ssl_tls.c:3425: |4| 0100:  c0 93 c0 99 00 ac 00 b6 00 94 c0 92 c0 98 cc ab  ................
ssl_tls.c:3425: |4| 0110:  00 a9 c0 a5 00 af 00 8d c0 8f c0 95 c0 a9 00 a8  ................
ssl_tls.c:3425: |4| 0120:  c0 a4 00 ae 00 8c c0 8e c0 94 c0 a8 00 ff 01 00  ................
ssl_tls.c:3425: |4| 0130:  00 80 00 00 00 34 00 32 00 00 2f 61 32 67 37 74  .....4.2../a2g7t
ssl_tls.c:3425: |4| 0140:  77 6d 71 6f 37 68 67 38 32 2d 61 74 73 2e 69 6f  wmqo7hg82-ats.io
ssl_tls.c:3425: |4| 0150:  74 2e 61 70 2d 73 6f 75 74 68 2d 31 2e 61 6d 61  t.ap-south-1.ama
ssl_tls.c:3425: |4| 0160:  7a 6f 6e 61 77 73 2e 63 6f 6d 00 0d 00 16 00 14  zonaws.com......
ssl_tls.c:3425: |4| 0170:  06 03 06 01 05 03 05 01 04 03 04 01 03 03 03 01  ................
ssl_tls.c:3425: |4| 0180:  02 03 02 01 00 0a 00 18 00 16 00 19 00 1c 00 18  ................
ssl_tls.c:3425: |4| 0190:  00 1b 00 17 00 16 00 1a 00 15 00 14 00 13 00 12  ................
ssl_tls.c:3425: |4| 01a0:  00 0b 00 02 01 00 00 16 00 00 00 17 00 00 00 23  ...............#
ssl_tls.c:3425: |4| 01b0:  00 00                                            ..
ssl_tls.c:2755: |2| => flush output
ssl_tls.c:2773: |2| message length: 434, out_left: 434
ssl_tls.c:2779: |2| ssl->f_send() returned 434 (-0xfffffe4e)
ssl_tls.c:2807: |2| <= flush output
ssl_tls.c:3476: |2| <= write record
ssl_tls.c:3320: |2| <= write handshake message
ssl_cli.c:1106: |2| <= write client hello
ssl_cli.c:3510: |2| client state: 2
ssl_tls.c:2755: |2| => flush output
ssl_tls.c:2767: |2| <= flush output
ssl_cli.c:1499: |2| => parse server hello
ssl_tls.c:4311: |2| => read record
ssl_tls.c:2536: |2| => fetch input
ssl_tls.c:2696: |2| in_left: 0, nb_want: 5
ssl_tls.c:2720: |2| in_left: 0, nb_want: 5
ssl_tls.c:2722: |2| ssl->f_recv(_timeout)() returned -80 (-0x0050)
ssl_tls.c:4973: |1| mbedtls_ssl_fetch_input() returned -80 (-0x0050)
ssl_tls.c:4344: |1| ssl_get_next_record() returned -80 (-0x0050)
ssl_cli.c:1506: |1| mbedtls_ssl_read_record() returned -80 (-0x0050)
ssl_tls.c:8094: |2| <= handshake failed
 ! mbedtls_ssl_handshake returned -0x50

Last error was: -0x50 - NET - Connection was reset by peer

ssl_tls.c:8934: |2| => free
ssl_tls.c:8999: |2| <= free
I request you to help me in resolving this issue.
Regards,
Srinivas.
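As an added diagnostic for readers of this thread (my own code, not part of the original post or of mbedtls): the first three lines of the 434-byte 'output record sent to network' dump above, decoded, show exactly what the client had sent when the peer reset the connection: the record header, the TLS 1.2 client version, the gmt_unix_time carried in the random (the same device clock the trace prints as "current time"), and a 128-entry ciphersuite list (127 plus the SCSV). The dump lines are copied from the trace; the field names are mine.

```python
import struct
import time

# Constructed input: the first three lines of the 'output record sent to
# network' dump in the trace above, copied with their ASCII column.
DUMP_LINES = [
    "0000: 16 03 01 01 ad 01 00 01 a9 03 03 5b d9 84 1f 2f ...........[.../",
    "0010: 33 35 54 ea 0b 5d e1 dc 42 0c 99 d4 a1 25 72 6f 35T..]..B....%ro",
    "0020: 0f cf 8e 56 0d ab f5 10 e4 47 46 00 01 00 cc a8 ...V.....GF.....",
]

def dump_to_bytes(lines):
    """Turn mbedtls 'offset: xx xx ... ascii' lines back into raw bytes."""
    out = bytearray()
    for line in lines:
        tokens = line.split(":", 1)[1].split()
        # at most 16 bytes per line; stop at the first non-hex token (ASCII column)
        for tok in tokens[:16]:
            if len(tok) != 2 or any(c not in "0123456789abcdef" for c in tok):
                break
            out.append(int(tok, 16))
    return bytes(out)

def parse_client_hello_prefix(data):
    """Decode the record header, handshake header and fixed-size start of a
    ClientHello. The ciphersuite list is read only as far as the dump goes."""
    if len(data) < 46 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record (or dump too short)")
    if data[5] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    rec_len = struct.unpack(">H", data[3:5])[0]          # record payload length
    hs_len = int.from_bytes(data[6:9], "big")             # 24-bit handshake length
    random = data[11:43]                                  # 32-byte client random
    gmt_unix_time = struct.unpack(">I", random[:4])[0]    # clock at ClientHello time
    sid_len = data[43]
    pos = 44 + sid_len
    suites_len = struct.unpack(">H", data[pos:pos + 2])[0]
    pos += 2
    end = min(pos + suites_len, len(data) - 1)
    suites = [struct.unpack(">H", data[i:i + 2])[0] for i in range(pos, end, 2)]
    return {
        "record_version": (data[1], data[2]), "record_length": rec_len,
        "handshake_length": hs_len, "lengths_consistent": rec_len == hs_len + 4,
        "client_version": (data[9], data[10]),
        "gmt_unix_time": gmt_unix_time,
        "clock_utc": time.strftime("%Y-%m-%d", time.gmtime(gmt_unix_time)),
        "session_id_length": sid_len,
        "ciphersuite_count": suites_len // 2,
        "first_suites": suites,
    }

if __name__ == "__main__":
    for k, v in parse_client_hello_prefix(dump_to_bytes(DUMP_LINES)).items():
        print(f"{k}: {v}")
```

The reset arrives before any ServerHello, so certificate validation has not run yet; but the decoded clock (2018-10-31) is the time mbedtls will later check certificate validity against, so a device whose read-only image boots with a stale clock is worth checking once the connection itself is sorted out.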