Failure with alert error = 42 when connecting to AWS IoT

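Problem description:

I am trying to replace the mbedTLS network layer with wolfSSL in the AWS IoT C SDK. Connecting to AWS IoT fails with alert error = 42.

The simple subscribe_publish_sample demo that ships with the SDK works fine on a Linux host when using mbedTLS.

However, when I replace it with wolfSSL, I get a failure with error = 42, which seems to be the server rejecting the client certificate...?

After the TCP connection to the AWS server is established, I associate the socket with the wolfSSL session and add the server's root CA, the client's certificate and the private key to the session (I removed the error handling code):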

const int cert_container_format = SSL_FILETYPE_PEM; 
WOLFSSL_METHOD * const method = wolfTLSv1_2_client_method(); 
hentry = gethostbyname(host_url); 
memcpy(&sock_addr.sin_addr.s_addr, *hentry->h_addr_list, hentry->h_length); 
sock_addr.sin_family = hentry->h_addrtype; 
socket_fd = socket(sock_addr.sin_family, SOCK_STREAM, 0); 
sock_addr.sin_port = htons(host_port); 
connect(socket_fd, (struct sockaddr *)&sock_addr, sizeof(sock_addr)); 
wolfSSL_Init(); 
ssl_ctx = wolfSSL_CTX_new(method); 
session = wolfSSL_new(ssl_ctx); 
result = wolfSSL_CTX_load_verify_locations(ssl_ctx, root_ca_filepath, NULL); 
result = wolfSSL_CTX_use_PrivateKey_file(ssl_ctx, dev_prvkey_filepath, 
             cert_container_format); 
result = wolfSSL_CTX_use_certificate_file(ssl_ctx, dev_cert_filepath, cert_container_format); 
wolfSSL_set_fd(session, socket_fd); 
result = wolfSSL_connect(session); 

Here is the complete dump with debug enabled:

AWS IoT SDK Version 2.1.1- 

DEBUG: main L#166 rootCA /home/ben/git/aws-iot-device-sdk-embedded-C/samples/linux/subscribe_publish_sample/../../../certs/aws-rootca.pem 
DEBUG: main L#167 clientCRT /home/ben/git/aws-iot-device-sdk-embedded-C/samples/linux/subscribe_publish_sample/../../../certs/aws-cert.pem 
DEBUG: main L#168 clientKey /home/ben/git/aws-iot-device-sdk-embedded-C/samples/linux/subscribe_publish_sample/../../../certs/aws-prvkey.pem 
Connecting... 
URL: a3i4lmgkxatoyr.iot.us-west-2.amazonaws.com 
name: dualstack.iotmoonraker-u-elb-1w8qnw1336zq-1186348092.us-west-2.elb.amazonaws.com, len: 4, type: 2 
alternate names: 
    a3i4lmgkxatoyr.iot.us-west-2.amazonaws.com 
    iotmoonraker.us-west-2.prod.iot.us-west-2.amazonaws.com 
addresses: 
    52.10.19.111 
    52.41.23.91 
    34.210.178.78 
    35.165.44.84 
    52.25.57.203 
    35.160.71.83 
wolfSSL Entering wolfSSL_Init 
wolfSSL Entering wolfCrypt_Init 
wolfSSL Entering WOLFSSL_CTX_new_ex 
wolfSSL Entering wolfSSL_CertManagerNew 
wolfSSL Leaving WOLFSSL_CTX_new, return 0 
wolfSSL Entering SSL_new 
wolfSSL Leaving SSL_new, return 0 
DEBUG: iot_tls_connect L#271 root CA file: /home/ben/git/aws-iot-device-sdk-embedded-C/samples/linux/subscribe_publish_sample/../../../certs/aws-rootca.pem 

wolfSSL Entering wolfSSL_CTX_load_verify_locations 
Getting dynamic buffer 
Processing CA PEM file 
wolfSSL Entering PemToDer 
Adding a CA 
wolfSSL Entering GetExplicitVersion 
wolfSSL Entering GetSerialNumber 
Got Cert Header 
wolfSSL Entering GetAlgoId 
wolfSSL Entering GetObjectId() 
Got Algo ID 
Getting Cert Name 
Getting Cert Name 
Got Subject Name 
wolfSSL Entering GetAlgoId 
wolfSSL Entering GetObjectId() 
Got Key 
Parsed Past Key 
wolfSSL Entering DecodeCertExtensions 
wolfSSL Entering GetObjectId() 
wolfSSL Entering DecodeBasicCaConstraint 
wolfSSL Entering GetObjectId() 
wolfSSL Entering DecodeKeyUsage 
wolfSSL Entering GetObjectId() 
wolfSSL Entering GetObjectId() 
wolfSSL Entering DecodeSubjKeyId 
wolfSSL Entering GetAlgoId 
wolfSSL Entering GetObjectId() 
    Parsed new CA 
    Freeing Parsed CA 
    Freeing der CA 
     OK Freeing der CA 
wolfSSL Leaving AddCA, return 0 
    Processed a CA 
Processed at least one valid CA. Other stuff OK 
DEBUG: iot_tls_connect L#280 dev private key file: /home/ben/git/aws-iot-device-sdk-embedded-C/samples/linux/subscribe_publish_sample/../../../certs/aws-prvkey.pem 

wolfSSL Entering wolfSSL_CTX_use_PrivateKey_file 
Getting dynamic buffer 
wolfSSL Entering PemToDer 
DEBUG: iot_tls_connect L#290 dev certificate file: /home/ben/git/aws-iot-device-sdk-embedded-C/samples/linux/subscribe_publish_sample/../../../certs/aws-cert.pem 

wolfSSL Entering wolfSSL_CTX_use_certificate_file 
Getting dynamic buffer 
wolfSSL Entering PemToDer 
Checking cert signature type 
wolfSSL Entering GetExplicitVersion 
wolfSSL Entering GetSerialNumber 
Got Cert Header 
wolfSSL Entering GetAlgoId 
wolfSSL Entering GetObjectId() 
Got Algo ID 
Getting Cert Name 
Getting Cert Name 
Got Subject Name 
wolfSSL Entering GetAlgoId 
wolfSSL Entering GetObjectId() 
Got Key 
Not ECDSA cert signature 
wolfSSL Entering SSL_set_fd 
wolfSSL Entering SSL_set_read_fd 
wolfSSL Leaving SSL_set_read_fd, return 1 
wolfSSL Entering SSL_set_write_fd 
wolfSSL Leaving SSL_set_write_fd, return 1 
wolfSSL Entering SSL_connect() 
Adding signature algorithms extension 
growing output buffer 

Signature Algorithms extension to write 
Elliptic Curves extension to write 
Shrinking output buffer 

connect state: CLIENT_HELLO_SENT 
growing input buffer 

received record layer msg 
wolfSSL Entering DoHandShakeMsg() 
wolfSSL Entering DoHandShakeMsgType 
processing server hello 
wolfSSL Entering VerifyClientSuite 
wolfSSL Leaving DoHandShakeMsgType(), return 0 
wolfSSL Leaving DoHandShakeMsg(), return 0 
More messages in record 
received record layer msg 
wolfSSL Entering DoHandShakeMsg() 
wolfSSL Entering DoHandShakeMsgType 
processing certificate 
wolfSSL Entering ProcessPeerCerts 
Loading peer's cert chain 
    Put another cert into chain 
    Put another cert into chain 
wolfSSL Entering GetExplicitVersion 
wolfSSL Entering GetSerialNumber 
Got Cert Header 
wolfSSL Entering GetAlgoId 
wolfSSL Entering GetObjectId() 
Got Algo ID 
Getting Cert Name 
Getting Cert Name 
Got Subject Name 
wolfSSL Entering GetAlgoId 
wolfSSL Entering GetObjectId() 
wolfSSL Entering GetObjectId() 
Got Key 
Parsed Past Key 
wolfSSL Entering DecodeCertExtensions 
wolfSSL Entering GetObjectId() 
wolfSSL Entering DecodeAuthInfo 
wolfSSL Entering GetObjectId() 
wolfSSL Entering GetObjectId() 
wolfSSL Entering DecodeBasicCaConstraint 
wolfSSL Entering GetObjectId() 
Certificate Policy extension not supported yet. 
wolfSSL Entering GetObjectId() 
wolfSSL Entering DecodeCrlDist 
wolfSSL Entering GetObjectId() 
wolfSSL Entering DecodeKeyUsage 
wolfSSL Entering GetObjectId() 
wolfSSL Entering DecodeAltNames 
    Unsupported name type, skipping 
wolfSSL Entering GetObjectId() 
wolfSSL Entering DecodeSubjKeyId 
wolfSSL Entering GetObjectId() 
wolfSSL Entering DecodeAuthKeyId 
wolfSSL Entering GetAlgoId 
wolfSSL Entering GetObjectId() 
About to verify certificate signature 
wolfSSL Entering ConfirmSignature 
wolfSSL Leaving ConfirmSignature, return 0 
Adding CA from chain 
Adding a CA 
wolfSSL Entering GetExplicitVersion 
wolfSSL Entering GetSerialNumber 
Got Cert Header 
wolfSSL Entering GetAlgoId 
wolfSSL Entering GetObjectId() 
Got Algo ID 
Getting Cert Name 
Getting Cert Name 
Got Subject Name 
wolfSSL Entering GetAlgoId 
wolfSSL Entering GetObjectId() 
wolfSSL Entering GetObjectId() 
Got Key 
Parsed Past Key 
wolfSSL Entering DecodeCertExtensions 
wolfSSL Entering GetObjectId() 
wolfSSL Entering DecodeAuthInfo 
wolfSSL Entering GetObjectId() 
wolfSSL Entering GetObjectId() 
wolfSSL Entering DecodeBasicCaConstraint 
wolfSSL Entering GetObjectId() 
Certificate Policy extension not supported yet. 
wolfSSL Entering GetObjectId() 
wolfSSL Entering DecodeCrlDist 
wolfSSL Entering GetObjectId() 
wolfSSL Entering DecodeKeyUsage 
wolfSSL Entering GetObjectId() 
wolfSSL Entering DecodeAltNames 
    Unsupported name type, skipping 
wolfSSL Entering GetObjectId() 
wolfSSL Entering DecodeSubjKeyId 
wolfSSL Entering GetObjectId() 
wolfSSL Entering DecodeAuthKeyId 
wolfSSL Entering GetAlgoId 
wolfSSL Entering GetObjectId() 
    Parsed new CA 
    Freeing Parsed CA 
    Freeing der CA 
     OK Freeing der CA 
wolfSSL Leaving AddCA, return 0 
Verifying Peer's cert 
wolfSSL Entering GetExplicitVersion 
wolfSSL Entering GetSerialNumber 
Got Cert Header 
wolfSSL Entering GetAlgoId 
wolfSSL Entering GetObjectId() 
Got Algo ID 
Getting Cert Name 
Getting Cert Name 
Got Subject Name 
wolfSSL Entering GetAlgoId 
wolfSSL Entering GetObjectId() 
wolfSSL Entering GetObjectId() 
Got Key 
Parsed Past Key 
wolfSSL Entering DecodeCertExtensions 
wolfSSL Entering GetObjectId() 
wolfSSL Entering DecodeAltNames 
wolfSSL Entering GetObjectId() 
wolfSSL Entering DecodeBasicCaConstraint 
wolfSSL Entering GetObjectId() 
wolfSSL Entering DecodeKeyUsage 
wolfSSL Entering GetObjectId() 
wolfSSL Entering DecodeExtKeyUsage 
wolfSSL Entering GetObjectId() 
wolfSSL Entering GetObjectId() 
wolfSSL Entering GetObjectId() 
Certificate Policy extension not supported yet. 
wolfSSL Entering GetObjectId() 
wolfSSL Entering DecodeAuthKeyId 
wolfSSL Entering GetObjectId() 
wolfSSL Entering DecodeCrlDist 
wolfSSL Entering GetObjectId() 
wolfSSL Entering DecodeAuthInfo 
wolfSSL Entering GetObjectId() 
wolfSSL Entering GetObjectId() 
wolfSSL Entering GetAlgoId 
wolfSSL Entering GetObjectId() 
About to verify certificate signature 
wolfSSL Entering ConfirmSignature 
wolfSSL Leaving ConfirmSignature, return 0 
Verified Peer's cert 
wolfSSL Leaving ProcessPeerCerts, return 0 
wolfSSL Leaving DoHandShakeMsgType(), return 0 
wolfSSL Leaving DoHandShakeMsg(), return 0 
More messages in record 
received record layer msg 
wolfSSL Entering DoHandShakeMsg() 
wolfSSL Entering DoHandShakeMsgType 
processing server key exchange 
wolfSSL Entering DoServerKeyExchange 
wolfSSL Entering EccVerify 
wolfSSL Leaving EccVerify, return 0 
wolfSSL Leaving DoServerKeyExchange, return 0 
wolfSSL Leaving DoHandShakeMsgType(), return 0 
wolfSSL Leaving DoHandShakeMsg(), return 0 
More messages in record 
received record layer msg 
wolfSSL Entering DoHandShakeMsg() 
wolfSSL Entering DoHandShakeMsgType 
processing certificate request 
wolfSSL Leaving DoHandShakeMsgType(), return 0 
wolfSSL Leaving DoHandShakeMsg(), return 0 
More messages in record 
received record layer msg 
wolfSSL Entering DoHandShakeMsg() 
wolfSSL Entering DoHandShakeMsgType 
processing server hello done 
wolfSSL Leaving DoHandShakeMsgType(), return 0 
wolfSSL Leaving DoHandShakeMsg(), return 0 
connect state: HELLO_AGAIN 
connect state: HELLO_AGAIN_REPLY 
connect state: FIRST_REPLY_DONE 
growing output buffer 

Shrinking output buffer 

sent: certificate 
connect state: FIRST_REPLY_FIRST 
wolfSSL Entering SendClientKeyExchange 
wolfSSL Entering EccMakeKey 
wolfSSL Leaving EccMakeKey, return 0 
wolfSSL Entering EccSharedSecret 
wolfSSL Leaving EccSharedSecret, return 0 
growing output buffer 

Shrinking output buffer 

wolfSSL Leaving SendClientKeyExchange, return 0 
sent: client key exchange 
connect state: FIRST_REPLY_SECOND 
wolfSSL Entering SendCertificateVerify 
sent: certificate verify 
connect state: FIRST_REPLY_THIRD 
growing output buffer 

Shrinking output buffer 

sent: change cipher spec 
connect state: FIRST_REPLY_FOURTH 
growing output buffer 

wolfSSL Entering BuildMessage 
wolfSSL Leaving BuildMessage, return 0 
Shrinking output buffer 

sent: finished 
connect state: FINISHED_DONE 
received record layer msg 
got ALERT! 
Got alert 
wolfSSL error occurred, error = 42 
wolfSSL error occurred, error = -313 
ERROR: iot_tls_connect L#326 wolfSSL Entering SSL_get_error 
wolfSSL Leaving SSL_get_error, return -313 
failure creating SSL connection to server [-313] 
wolfSSL Entering SSL_free 
CTX ref count not 0 yet, no free 
Shrinking input buffer 

wolfSSL Leaving SSL_free, return 0 
wolfSSL Entering SSL_CTX_free 
CTX ref count down to 0, doing full free 
wolfSSL Entering wolfSSL_CertManagerFree 
wolfSSL Leaving SSL_CTX_free, return 0 
wolfSSL Entering wolfSSL_Cleanup 
wolfSSL Entering wolfCrypt_Cleanup 
wolfSSL Entering SSL_shutdown() 
wolfSSL Entering wolfSSL_Cleanup 
ERROR: main L#197 Error(-4) connecting to a3i4lmgkxatoyr.iot.us-west-2.amazonaws.com:8883 

Here is the Wireshark capture, taken while running the demo:

    324 43.301028126 147.34.2.16 → 134.86.9.42 DNS 546 Standard query response 0x6223 A a3i4lmgkxatoyr.iot.us-west-2.amazonaws.com CNAME iotmoonraker.us-west-2.prod.iot.us-west-2.amazonaws.com CNAME dualstack.iotmoonraker-u-elb-1w8qnw1336zq-1186348092.us-west-2.elb.amazonaws.com A 52.10.19.111 A 52.25.57.203 A 35.165.44.84 A 35.160.71.83 A 34.210.178.78 A 52.41.23.91 NS ns-560.awsdns-06.net NS ns-1475.awsdns-56.org NS ns-1769.awsdns-29.co.uk NS ns-332.awsdns-41.com A 205.251.198.233 AAAA 2600:9000:5306:e900::1 A 205.251.193.76 AAAA 2600:9000:5301:4c00::1
    325 43.301247236 134.86.9.42 → 52.10.19.111 TCP 74 40282 → 8883 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1333683979 TSecr=0 WS=128 
    328 43.412499273 52.10.19.111 → 134.86.9.42 TCP 66 8883 → 40282 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1360 SACK_PERM=1 WS=256 
    329 43.412535130 134.86.9.42 → 52.10.19.111 TCP 54 40282 → 8883 [ACK] Seq=1 Ack=1 Win=29312 Len=0 
    336 43.413988506 134.86.9.42 → 52.10.19.111 SSL 196 Client Hello 
    339 43.414370228 52.10.19.111 → 134.86.9.42 TCP 60 8883 → 40282 [ACK] Seq=1 Ack=143 Win=5888 Len=0 
    341 43.533620599 52.10.19.111 → 134.86.9.42 TCP 1414 [TCP segment of a reassembled PDU] 
    342 43.533659332 134.86.9.42 → 52.10.19.111 TCP 54 40282 → 8883 [ACK] Seq=143 Ack=1361 Win=32128 Len=0 
    343 43.533830301 52.10.19.111 → 134.86.9.42 TLSv1.2 1283 Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done 
    344 43.533876234 134.86.9.42 → 52.10.19.111 TCP 54 40282 → 8883 [ACK] Seq=143 Ack=2590 Win=35072 Len=0 
    349 43.545353568 134.86.9.42 → 52.10.19.111 TLSv1.2 66 Certificate 
    350 43.545651974 52.10.19.111 → 134.86.9.42 TCP 60 8883 → 40282 [ACK] Seq=2590 Ack=155 Win=5888 Len=0 
    351 43.552906179 134.86.9.42 → 52.10.19.111 TLSv1.2 129 Client Key Exchange 
    352 43.553226294 52.10.19.111 → 134.86.9.42 TCP 60 8883 → 40282 [ACK] Seq=2590 Ack=230 Win=5888 Len=0 
    353 43.553237461 134.86.9.42 → 52.10.19.111 TLSv1.2 60 Change Cipher Spec 
    354 43.553645295 52.10.19.111 → 134.86.9.42 TCP 60 8883 → 40282 [ACK] Seq=2590 Ack=236 Win=5888 Len=0 
    355 43.553661141 134.86.9.42 → 52.10.19.111 TLSv1.2 99 Hello Request, Hello Request 
    356 43.554058924 52.10.19.111 → 134.86.9.42 TCP 60 8883 → 40282 [ACK] Seq=2590 Ack=281 Win=5888 Len=0 
    367 43.659283864 52.10.19.111 → 134.86.9.42 TLSv1.2 61 Alert (Level: Fatal, Description: Bad Certificate) 
    368 43.659391034 134.86.9.42 → 52.10.19.111 TCP 54 40282 → 8883 [FIN, ACK] Seq=281 Ack=2597 Win=35072 Len=0 
    369 43.659472966 52.10.19.111 → 134.86.9.42 TCP 60 8883 → 40282 [FIN, ACK] Seq=2597 Ack=281 Win=5888 Len=0 
    371 43.659485750 134.86.9.42 → 52.10.19.111 TCP 54 40282 → 8883 [ACK] Seq=282 Ack=2598 Win=35072 Len=0 
    372 43.659701144 52.10.19.111 → 134.86.9.42 TCP 60 8883 → 40282 [ACK] Seq=2598 Ack=282 Win=5888 Len=0 

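The exact same certificates/key are used when using mbedTLS.

I am obviously missing something here, and it may be obvious to some, but I don't see it.

(Also posted on the wolfSSL forum [https://www.wolfssl.com/forums/topic1122-failure-with-alert-error-42-when-connecting-to-aws-iot.html], but I figured I would broaden the audience)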

+0

Ah, 42: the answer to the Ultimate Question of Life, the Universe, and **Everything**. – zaph

+0

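My guess is that if they are returning 42 for the error #, it means that at some point in the call hierarchy the real error is getting lost. Although we can assume that most users of an SDK would know what 42 means... for those who might not... – FastAl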

+0

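Or the developers don't know what 42 means... there should be a cruel joke skipped for usability's sake ;-) Kind of like 'what kind of error is bad enough to rate #13?' – FastAl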

OK, it turns out that I had to load the certificates/keys before creating the SSL session:

ssl_ctx = wolfSSL_CTX_new(method); 
result = wolfSSL_CTX_load_verify_locations(ssl_ctx, root_ca_filepath, NULL); 
result = wolfSSL_CTX_use_PrivateKey_file(ssl_ctx, dev_prvkey_filepath, 
             cert_container_format); 
result = wolfSSL_CTX_use_certificate_file(ssl_ctx, dev_cert_filepath, cert_container_format); 
session = wolfSSL_new(ssl_ctx); 

instead of:

ssl_ctx = wolfSSL_CTX_new(method); 
session = wolfSSL_new(ssl_ctx); 
result = wolfSSL_CTX_load_verify_locations(ssl_ctx, root_ca_filepath, NULL); 
result = wolfSSL_CTX_use_PrivateKey_file(ssl_ctx, dev_prvkey_filepath, 
             cert_container_format); 
result = wolfSSL_CTX_use_certificate_file(ssl_ctx, dev_cert_filepath, cert_container_format); 
+0

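Hi @Ben, and other readers. Think of the CTX as a factory. The factory is used to stamp out SSL objects. An SSL object is created when wolfSSL_new() is called; at that point, if you want to modify that SSL object, you have to switch from the 'wolfSSL_CTX_' APIs to the SSL ONLY APIs, i.e. 'wolfSSL_CTX_use_PrivateKey_file' is equivalent to 'wolfSSL_use_PrivateKey_file' after the SSL object has been created! This allows custom modification of an object post creation. The '_CTX_' APIs modify the factory; the SSL ONLY APIs modify an object after it has been created. Make sense? – Kaleb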

+0

It does indeed, thanks for the explanation. – Ben

+0

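Any time! If other questions come up and you would prefer to post them to Stack so that others can benefit, feel free to send an email to [email protected] with a link to the Stack question. One of our engineers will be happy to post a reply! – Kaleb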
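In the capture above, the client's Certificate message (frame 349) is a 66-byte frame and the server's ACK advances only from 143 to 155, so it carries 12 bytes of TLS: a record header (5), a handshake header (4) and a zero certificate_list length (3), which is what a session created before the certificate was loaded into the CTX would send. The following is an added example, not code from the original posts: it parses that framing to tell an empty client Certificate message from a populated one; the helper name `tls_certificate_count` is hypothetical and both byte arrays are constructed samples.

```c
#include <stdint.h>
#include <stdio.h>

/* Read a 24-bit big-endian length as used by TLS handshake framing. */
static size_t be24(const uint8_t *p) {
    return ((size_t)p[0] << 16) | ((size_t)p[1] << 8) | p[2];
}

/* Count the certificates in one unencrypted TLS 1.2 record holding a single
 * Certificate handshake message. Returns the count (0 = empty
 * certificate_list) or -1 if the framing is malformed. */
int tls_certificate_count(const uint8_t *rec, size_t len) {
    if (len < 12 || rec[0] != 22 /* handshake */ || rec[5] != 11 /* certificate */)
        return -1;
    size_t rec_len = ((size_t)rec[3] << 8) | rec[4];
    size_t hs_len = be24(rec + 6);
    size_t list_len = be24(rec + 9);
    if (rec_len + 5 != len || hs_len + 4 != rec_len || list_len + 3 != hs_len)
        return -1;
    const uint8_t *p = rec + 12, *end = p + list_len;
    int count = 0;
    while (p < end) {
        if ((size_t)(end - p) < 3) return -1;
        size_t cert_len = be24(p);
        p += 3;
        if (cert_len == 0 || cert_len > (size_t)(end - p)) return -1;
        p += cert_len;
        count++;
    }
    return count;
}

/* Constructed sample: 12 bytes, the payload size of frame 349 (66 - 54). */
static const uint8_t EMPTY_CERT_MSG[] = {
    0x16, 0x03, 0x03, 0x00, 0x07,   /* record: handshake, TLS 1.2, length 7 */
    0x0b, 0x00, 0x00, 0x03,         /* handshake: certificate, length 3 */
    0x00, 0x00, 0x00                /* certificate_list length 0 */
};
/* Constructed sample: a 4-byte placeholder standing in for one DER cert. */
static const uint8_t ONE_CERT_MSG[] = {
    0x16, 0x03, 0x03, 0x00, 0x0e, 0x0b, 0x00, 0x00, 0x0a,
    0x00, 0x00, 0x07, 0x00, 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef
};

int main(void) {
    printf("empty: %d\n", tls_certificate_count(EMPTY_CERT_MSG, sizeof EMPTY_CERT_MSG));
    printf("one:   %d\n", tls_certificate_count(ONE_CERT_MSG, sizeof ONE_CERT_MSG));
    return 0;
}
```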

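This is most likely a failure to negotiate the cipher to use.

This thread may help you resolve the issue. The relevant part:

"-313" means that the server has sent a fatal alert back to the client. If this happens after the ClientHello message, it most likely means that the client is not advertising support for a cipher suite or extension that the server requires.

  • If using ECC, the server requires the Supported Curves Extension to be enabled. Compile wolfSSL with "--enable-supportedcurves" to resolve this.
  • wolfSSL disables static-key cipher suites by default for security. See the note at the top of the README for instructions on re-enabling static-key cipher suites if the server requires them.

Use nmap to determine which cipher suites Amazon supports, then enable the best ones in WolfSSL.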

nmap --script ssl-enum-ciphers -p 443 <host> 

WolfSSL: Error -313

+0

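Yes, but the 42 code means that the server rejected the certificate: 'bad_certificate = 42', and if you look at the wireshark dump: '367 52.10.19.111 → 134.86.9.42 TLSv1.2 61 Alert (Level: Fatal, Description: Bad Certificate)' and per the TLS 1.2 RFC: 'bad_certificate A certificate was corrupt, contained signatures that did not verify correctly, etc.' I checked the list of ciphers supported by wolfSSL at runtime as well as the list proposed by AWS, and some of them match, so I guess they should be able to negotiate one...? – Ben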