I recently started working on mbedtls for AWS IoT SDK based applications.
Issue: I am planning to run AWS IoT SDK sample applications on my memory-constrained (6MB RAM) embedded hardware.
Usage: AWS IoT SDK (3.0.1 release version) and mbedtls (2.16.5)
Note: The filesystem is a read-only file system.
I first tried on an Ubuntu 18.04 setup to make things clear. It did not work with "AmazonRootCA1.pem" but worked perfectly fine with the cross-signed "G2-RootCA1.pem".
So I cross-compiled for my target board using the ARM toolchain and copied the binary and certificates.
I have downloaded the device certificate, private key and root CA from AWS IoT Core to my device. Nothing else was done on my device except copying the above 3 files.
On my embedded platform, whenever I run my application, mbedtls throws the error "mbedtls_ssl_handshake returned -0x50".
So I enabled debug output in the mbedtls library and ran the command below to dig into the problem.
Output:
$ ./ssl_client2 server_name=a2g7twmqo7hg82-ats.iot.ap-south-1.amazonaws.com server_port=443 ca_file=/certs/G2-RootCA1.pem crt_file=/certs/4960bd2f6b-certificate.pem.crt key_file=/certs/4960bd2f6b-private.pem.key
. Seeding the random number generator... ok
. Loading the CA root certificate ... ok (0 skipped)
. Loading the client cert. and key... ok
. Connecting to tcp/a2g7twmqo7hg82-ats.iot.ap-south-1.amazonaws.com/443... ok
. Setting up the SSL/TLS structure...ssl_tls.c:0081: |3| set_timer to 0 ms
ok
. Performing the SSL/TLS handshake...ssl_tls.c:8084: |2| => handshake
ssl_cli.c:3510: |2| client state: 0
ssl_tls.c:2755: |2| => flush output
ssl_tls.c:2767: |2| <= flush output
ssl_cli.c:3510: |2| client state: 1
ssl_tls.c:2755: |2| => flush output
ssl_tls.c:2767: |2| <= flush output
ssl_cli.c:0774: |2| => write client hello
ssl_cli.c:0811: |3| client hello, max version: [3:3]
ssl_cli.c:0703: |3| client hello, current time: 1540981791
ssl_cli.c:0821: |3| dumping 'client hello, random bytes' (32 bytes)
ssl_cli.c:0821: |3| 0000: 5b d9 84 1f 2f 33 35 54 ea 0b 5d e1 dc 42 0c 99 [.../35T..]..B..
ssl_cli.c:0821: |3| 0010: d4 a1 25 72 6f 0f cf 8e 56 0d ab f5 10 e4 47 46 ..%ro...V.....GF
ssl_cli.c:0874: |3| client hello, session id len.: 0
ssl_cli.c:0875: |3| dumping 'client hello, session id' (0 bytes)
ssl_cli.c:0921: |3| client hello, add ciphersuite: cca8
ssl_cli.c:0921: |3| client hello, add ciphersuite: cca9
ssl_cli.c:0921: |3| client hello, add ciphersuite: ccaa
ssl_cli.c:0921: |3| client hello, add ciphersuite: c02c
ssl_cli.c:0921: |3| client hello, add ciphersuite: c030
ssl_cli.c:0921: |3| client hello, add ciphersuite: 009f
ssl_cli.c:0921: |3| client hello, add ciphersuite: c0ad
ssl_cli.c:0921: |3| client hello, add ciphersuite: c09f
ssl_cli.c:0921: |3| client hello, add ciphersuite: c024
ssl_cli.c:0921: |3| client hello, add ciphersuite: c028
ssl_cli.c:0921: |3| client hello, add ciphersuite: 006b
ssl_cli.c:0921: |3| client hello, add ciphersuite: c00a
ssl_cli.c:0921: |3| client hello, add ciphersuite: c014
ssl_cli.c:0921: |3| client hello, add ciphersuite: 0039
ssl_cli.c:0921: |3| client hello, add ciphersuite: c0af
ssl_cli.c:0921: |3| client hello, add ciphersuite: c0a3
ssl_cli.c:0921: |3| client hello, add ciphersuite: c087
ssl_cli.c:0921: |3| client hello, add ciphersuite: c08b
ssl_cli.c:0921: |3| client hello, add ciphersuite: c07d
ssl_cli.c:0921: |3| client hello, add ciphersuite: c073
ssl_cli.c:0921: |3| client hello, add ciphersuite: c077
ssl_cli.c:0921: |3| client hello, add ciphersuite: 00c4
ssl_cli.c:0921: |3| client hello, add ciphersuite: 0088
ssl_cli.c:0921: |3| client hello, add ciphersuite: c02b
ssl_cli.c:0921: |3| client hello, add ciphersuite: c02f
ssl_cli.c:0921: |3| client hello, add ciphersuite: 009e
ssl_cli.c:0921: |3| client hello, add ciphersuite: c0ac
ssl_cli.c:0921: |3| client hello, add ciphersuite: c09e
ssl_cli.c:0921: |3| client hello, add ciphersuite: c023
ssl_cli.c:0921: |3| client hello, add ciphersuite: c027
ssl_cli.c:0921: |3| client hello, add ciphersuite: 0067
ssl_cli.c:0921: |3| client hello, add ciphersuite: c009
ssl_cli.c:0921: |3| client hello, add ciphersuite: c013
ssl_cli.c:0921: |3| client hello, add ciphersuite: 0033
ssl_cli.c:0921: |3| client hello, add ciphersuite: c0ae
ssl_cli.c:0921: |3| client hello, add ciphersuite: c0a2
ssl_cli.c:0921: |3| client hello, add ciphersuite: c086
ssl_cli.c:0921: |3| client hello, add ciphersuite: c08a
ssl_cli.c:0921: |3| client hello, add ciphersuite: c07c
ssl_cli.c:0921: |3| client hello, add ciphersuite: c072
ssl_cli.c:0921: |3| client hello, add ciphersuite: c076
ssl_cli.c:0921: |3| client hello, add ciphersuite: 00be
ssl_cli.c:0921: |3| client hello, add ciphersuite: 0045
ssl_cli.c:0921: |3| client hello, add ciphersuite: ccac
ssl_cli.c:0921: |3| client hello, add ciphersuite: ccad
ssl_cli.c:0921: |3| client hello, add ciphersuite: 00ab
ssl_cli.c:0921: |3| client hello, add ciphersuite: c0a7
ssl_cli.c:0921: |3| client hello, add ciphersuite: c038
ssl_cli.c:0921: |3| client hello, add ciphersuite: 00b3
ssl_cli.c:0921: |3| client hello, add ciphersuite: c036
ssl_cli.c:0921: |3| client hello, add ciphersuite: 0091
ssl_cli.c:0921: |3| client hello, add ciphersuite: c091
ssl_cli.c:0921: |3| client hello, add ciphersuite: c09b
ssl_cli.c:0921: |3| client hello, add ciphersuite: c097
ssl_cli.c:0921: |3| client hello, add ciphersuite: c0ab
ssl_cli.c:0921: |3| client hello, add ciphersuite: 00aa
ssl_cli.c:0921: |3| client hello, add ciphersuite: c0a6
ssl_cli.c:0921: |3| client hello, add ciphersuite: c037
ssl_cli.c:0921: |3| client hello, add ciphersuite: 00b2
ssl_cli.c:0921: |3| client hello, add ciphersuite: c035
ssl_cli.c:0921: |3| client hello, add ciphersuite: 0090
ssl_cli.c:0921: |3| client hello, add ciphersuite: c090
ssl_cli.c:0921: |3| client hello, add ciphersuite: c096
ssl_cli.c:0921: |3| client hello, add ciphersuite: c09a
ssl_cli.c:0921: |3| client hello, add ciphersuite: c0aa
ssl_cli.c:0921: |3| client hello, add ciphersuite: 009d
ssl_cli.c:0921: |3| client hello, add ciphersuite: c09d
ssl_cli.c:0921: |3| client hello, add ciphersuite: 003d
ssl_cli.c:0921: |3| client hello, add ciphersuite: 0035
ssl_cli.c:0921: |3| client hello, add ciphersuite: c032
ssl_cli.c:0921: |3| client hello, add ciphersuite: c02a
ssl_cli.c:0921: |3| client hello, add ciphersuite: c00f
ssl_cli.c:0921: |3| client hello, add ciphersuite: c02e
ssl_cli.c:0921: |3| client hello, add ciphersuite: c026
ssl_cli.c:0921: |3| client hello, add ciphersuite: c005
ssl_cli.c:0921: |3| client hello, add ciphersuite: c0a1
ssl_cli.c:0921: |3| client hello, add ciphersuite: c07b
ssl_cli.c:0921: |3| client hello, add ciphersuite: 00c0
ssl_cli.c:0921: |3| client hello, add ciphersuite: 0084
ssl_cli.c:0921: |3| client hello, add ciphersuite: c08d
ssl_cli.c:0921: |3| client hello, add ciphersuite: c079
ssl_cli.c:0921: |3| client hello, add ciphersuite: c089
ssl_cli.c:0921: |3| client hello, add ciphersuite: c075
ssl_cli.c:0921: |3| client hello, add ciphersuite: 009c
ssl_cli.c:0921: |3| client hello, add ciphersuite: c09c
ssl_cli.c:0921: |3| client hello, add ciphersuite: 003c
ssl_cli.c:0921: |3| client hello, add ciphersuite: 002f
ssl_cli.c:0921: |3| client hello, add ciphersuite: c031
ssl_cli.c:0921: |3| client hello, add ciphersuite: c029
ssl_cli.c:0921: |3| client hello, add ciphersuite: c00e
ssl_cli.c:0921: |3| client hello, add ciphersuite: c02d
ssl_cli.c:0921: |3| client hello, add ciphersuite: c025
ssl_cli.c:0921: |3| client hello, add ciphersuite: c004
ssl_cli.c:0921: |3| client hello, add ciphersuite: c0a0
ssl_cli.c:0921: |3| client hello, add ciphersuite: c07a
ssl_cli.c:0921: |3| client hello, add ciphersuite: 00ba
ssl_cli.c:0921: |3| client hello, add ciphersuite: 0041
ssl_cli.c:0921: |3| client hello, add ciphersuite: c08c
ssl_cli.c:0921: |3| client hello, add ciphersuite: c078
ssl_cli.c:0921: |3| client hello, add ciphersuite: c088
ssl_cli.c:0921: |3| client hello, add ciphersuite: c074
ssl_cli.c:0921: |3| client hello, add ciphersuite: ccae
ssl_cli.c:0921: |3| client hello, add ciphersuite: 00ad
ssl_cli.c:0921: |3| client hello, add ciphersuite: 00b7
ssl_cli.c:0921: |3| client hello, add ciphersuite: 0095
ssl_cli.c:0921: |3| client hello, add ciphersuite: c093
ssl_cli.c:0921: |3| client hello, add ciphersuite: c099
ssl_cli.c:0921: |3| client hello, add ciphersuite: 00ac
ssl_cli.c:0921: |3| client hello, add ciphersuite: 00b6
ssl_cli.c:0921: |3| client hello, add ciphersuite: 0094
ssl_cli.c:0921: |3| client hello, add ciphersuite: c092
ssl_cli.c:0921: |3| client hello, add ciphersuite: c098
ssl_cli.c:0921: |3| client hello, add ciphersuite: ccab
ssl_cli.c:0921: |3| client hello, add ciphersuite: 00a9
ssl_cli.c:0921: |3| client hello, add ciphersuite: c0a5
ssl_cli.c:0921: |3| client hello, add ciphersuite: 00af
ssl_cli.c:0921: |3| client hello, add ciphersuite: 008d
ssl_cli.c:0921: |3| client hello, add ciphersuite: c08f
ssl_cli.c:0921: |3| client hello, add ciphersuite: c095
ssl_cli.c:0921: |3| client hello, add ciphersuite: c0a9
ssl_cli.c:0921: |3| client hello, add ciphersuite: 00a8
ssl_cli.c:0921: |3| client hello, add ciphersuite: c0a4
ssl_cli.c:0921: |3| client hello, add ciphersuite: 00ae
ssl_cli.c:0921: |3| client hello, add ciphersuite: 008c
ssl_cli.c:0921: |3| client hello, add ciphersuite: c08e
ssl_cli.c:0921: |3| client hello, add ciphersuite: c094
ssl_cli.c:0921: |3| client hello, add ciphersuite: c0a8
ssl_cli.c:0934: |3| client hello, got 127 ciphersuites (excluding SCSVs)
ssl_cli.c:0943: |3| adding EMPTY_RENEGOTIATION_INFO_SCSV
ssl_cli.c:0992: |3| client hello, compress len.: 1
ssl_cli.c:0993: |3| client hello, compress alg.: 0
ssl_cli.c:0068: |3| client hello, adding server name extension: a2g7twmqo7hg82-ats.iot.ap-south-1.amazonaws.com
ssl_cli.c:0186: |3| client hello, adding signature_algorithms extension
ssl_cli.c:0271: |3| client hello, adding supported_elliptic_curves extension
ssl_cli.c:0336: |3| client hello, adding supported_point_formats extension
ssl_cli.c:0517: |3| client hello, adding encrypt_then_mac extension
ssl_cli.c:0551: |3| client hello, adding extended_master_secret extension
ssl_cli.c:0585: |3| client hello, adding session ticket extension
ssl_cli.c:1070: |3| client hello, total extension length: 128
ssl_tls.c:3184: |2| => write handshake message
ssl_tls.c:3343: |2| => write record
ssl_tls.c:3420: |3| output record: msgtype = 22, version = [3:1], msglen = 429
ssl_tls.c:3425: |4| dumping 'output record sent to network' (434 bytes)
ssl_tls.c:2755: |2| => flush output
ssl_tls.c:2773: |2| message length: 434, out_left: 434
ssl_tls.c:2779: |2| ssl->f_send() returned 434 (-0xfffffe4e)
ssl_tls.c:2807: |2| <= flush output
ssl_tls.c:3476: |2| <= write record
ssl_tls.c:3320: |2| <= write handshake message
ssl_cli.c:1106: |2| <= write client hello
ssl_cli.c:3510: |2| client state: 2
ssl_tls.c:2755: |2| => flush output
ssl_tls.c:2767: |2| <= flush output
ssl_cli.c:1499: |2| => parse server hello
ssl_tls.c:4311: |2| => read record
ssl_tls.c:2536: |2| => fetch input
ssl_tls.c:2696: |2| in_left: 0, nb_want: 5
ssl_tls.c:2720: |2| in_left: 0, nb_want: 5
ssl_tls.c:2722: |2| ssl->f_recv(_timeout)() returned -80 (-0x0050)
ssl_tls.c:4973: |1| mbedtls_ssl_fetch_input() returned -80 (-0x0050)
ssl_tls.c:4344: |1| ssl_get_next_record() returned -80 (-0x0050)
ssl_cli.c:1506: |1| mbedtls_ssl_read_record() returned -80 (-0x0050)
ssl_tls.c:8094: |2| <= handshake
failed
! mbedtls_ssl_handshake returned -0x50
Last error was: -0x50 - NET - Connection was reset by peer
ssl_tls.c:8934: |2| => free
ssl_tls.c:8999: |2| <= free
I request you to help me in resolving this issue.
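
The triage script below is an added example, not part of the original post or of mbedtls. It reads mbedtls debug output in the format shown above and reports the last handshake state reached, how many bytes the server returned, the first failing call, and the clock value the client put in its ClientHello. The state and error tables follow the mbedtls 2.x headers; `triage` and the result keys are names chosen for this example.

```python
import re
from datetime import datetime, timezone

# Client handshake states in the order of mbedtls 2.x's mbedtls_ssl_states enum.
STATES = ["HELLO_REQUEST", "CLIENT_HELLO", "SERVER_HELLO", "SERVER_CERTIFICATE",
          "SERVER_KEY_EXCHANGE", "CERTIFICATE_REQUEST", "SERVER_HELLO_DONE"]
# A few mbedtls error codes (net_sockets.h, x509.h, ssl.h), keyed by magnitude.
ERRORS = {0x004C: "NET_RECV_FAILED", 0x004E: "NET_SEND_FAILED",
          0x0050: "NET_CONN_RESET", 0x2700: "X509_CERT_VERIFY_FAILED",
          0x7780: "SSL_FATAL_ALERT_MESSAGE"}
LINE = re.compile(r"(\w+\.c):(\d+): \|(\d)\| (.*)")   # file:line: |level| message
RET = re.compile(r"(\S+?)\(\) returned (-?\d+)")      # "<call>() returned <int>"

# Lines excerpted from the debug log in the post above.
SAMPLE = """\
  . Performing the SSL/TLS handshake...ssl_tls.c:8084: |2| => handshake
ssl_cli.c:3510: |2| client state: 0
ssl_cli.c:3510: |2| client state: 1
ssl_cli.c:0703: |3| client hello, current time: 1540981791
ssl_tls.c:2779: |2| ssl->f_send() returned 434 (-0xfffffe4e)
ssl_cli.c:3510: |2| client state: 2
ssl_cli.c:1499: |2| => parse server hello
ssl_tls.c:2722: |2| ssl->f_recv(_timeout)() returned -80 (-0x0050)
ssl_tls.c:4973: |1| mbedtls_ssl_fetch_input() returned -80 (-0x0050)
ssl_cli.c:1506: |1| mbedtls_ssl_read_record() returned -80 (-0x0050)
"""

def triage(log):
    """Summarise where a client handshake stopped and which call failed first."""
    out = {"state": None, "bytes_from_server": 0,
           "first_error": None, "clock_utc": None}
    for raw in log.splitlines():
        m = LINE.search(raw)        # search: a log line may follow progress text
        if not m:
            continue
        msg = m.group(4)
        if msg.startswith("client state: "):
            n = int(msg.rsplit(" ", 1)[1])
            out["state"] = STATES[n] if n < len(STATES) else str(n)
        elif msg.startswith("client hello, current time: "):
            ts = int(msg.rsplit(" ", 1)[1])
            out["clock_utc"] = datetime.fromtimestamp(ts, timezone.utc).isoformat()
        r = RET.search(msg)
        if r:
            call, val = r.group(1), int(r.group(2))
            if "f_recv" in call and val > 0:
                out["bytes_from_server"] += val   # the server did answer
            if val < 0 and out["first_error"] is None:
                out["first_error"] = (call, ERRORS.get(-val, hex(-val)))
    return out
```

On the excerpt this reports state `SERVER_HELLO`, zero bytes received and `NET_CONN_RESET` at `ssl->f_recv(_timeout)`: the TCP connection was reset after the ClientHello and before any server record arrived, so this run stopped before the `SERVER_CERTIFICATE` state where the CA file is used. It also shows the client clock as 2018-10-31T10:29:51 UTC, which is worth comparing with the certificates' validity periods once the handshake gets that far.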