連接到 AWS IoT 時出現警報失敗,錯誤 = 42
[英]Failure with Alert, error = 42 when connecting to AWS IoT
問題描述
我正在嘗試用 AWS IoT C SDK 中的 wolfSSL 替換 mbedTLS 網絡層。
使用 mbedTLS 時,SDK 附帶的簡單 subscribe_publish_sample 演示在 Linux 主機上運行良好。
但是,當我用 wolfSSL 替換它時,我遇到了錯誤 = 42 的失敗,這似乎是服務器拒絕了客戶端證書......?
建立到 AWS 服務器的 TCP 連接,然后將與 wolfSSL 會話關聯的套接字,以及服務器的 rootCA、客戶端的證書和私鑰添加到會話中(我刪除了錯誤處理代碼):
const int cert_container_format = SSL_FILETYPE_PEM;
WOLFSSL_METHOD * const method = wolfTLSv1_2_client_method();
hentry = gethostbyname(host_url);
memcpy(&sock_addr.sin_addr.s_addr, *hentry->h_addr_list, hentry->h_length);
sock_addr.sin_family = hentry->h_addrtype;
socket_fd = socket(sock_addr.sin_family, SOCK_STREAM, 0);
sock_addr.sin_port = htons(host_port);
connect(socket_fd, (struct sockaddr *)&sock_addr, sizeof(sock_addr));
wolfSSL_Init();
ssl_ctx = wolfSSL_CTX_new(method);
session = wolfSSL_new(ssl_ctx);
result = wolfSSL_CTX_load_verify_locations(ssl_ctx, root_ca_filepath, NULL);
result = wolfSSL_CTX_use_PrivateKey_file(ssl_ctx, dev_prvkey_filepath,
cert_container_format);
result = wolfSSL_CTX_use_certificate_file(ssl_ctx, dev_cert_filepath, cert_container_format);
wolfSSL_set_fd(session, socket_fd);
result = wolfSSL_connect(session);
這是啟用調試的完整轉儲:
AWS IoT SDK Version 2.1.1-
DEBUG: main L#166 rootCA /home/ben/git/aws-iot-device-sdk-embedded-C/samples/linux/subscribe_publish_sample/../../../certs/aws-rootca.pem
DEBUG: main L#167 clientCRT /home/ben/git/aws-iot-device-sdk-embedded-C/samples/linux/subscribe_publish_sample/../../../certs/aws-cert.pem
DEBUG: main L#168 clientKey /home/ben/git/aws-iot-device-sdk-embedded-C/samples/linux/subscribe_publish_sample/../../../certs/aws-prvkey.pem
Connecting...
URL: a3i4lmgkxatoyr.iot.us-west-2.amazonaws.com
name: dualstack.iotmoonraker-u-elb-1w8qnw1336zq-1186348092.us-west-2.elb.amazonaws.com, len: 4, type: 2
alternate names:
a3i4lmgkxatoyr.iot.us-west-2.amazonaws.com
iotmoonraker.us-west-2.prod.iot.us-west-2.amazonaws.com
addresses:
52.10.19.111
52.41.23.91
34.210.178.78
35.165.44.84
52.25.57.203
35.160.71.83
wolfSSL Entering wolfSSL_Init
wolfSSL Entering wolfCrypt_Init
wolfSSL Entering WOLFSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
DEBUG: iot_tls_connect L#271 root CA file: /home/ben/git/aws-iot-device-sdk-embedded-C/samples/linux/subscribe_publish_sample/../../../certs/aws-rootca.pem
wolfSSL Entering wolfSSL_CTX_load_verify_locations
Getting dynamic buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Parsed new CA
Freeing Parsed CA
Freeing der CA
OK Freeing der CA
wolfSSL Leaving AddCA, return 0
Processed a CA
Processed at least one valid CA. Other stuff OK
DEBUG: iot_tls_connect L#280 dev private key file: /home/ben/git/aws-iot-device-sdk-embedded-C/samples/linux/subscribe_publish_sample/../../../certs/aws-prvkey.pem
wolfSSL Entering wolfSSL_CTX_use_PrivateKey_file
Getting dynamic buffer
wolfSSL Entering PemToDer
DEBUG: iot_tls_connect L#290 dev certificate file: /home/ben/git/aws-iot-device-sdk-embedded-C/samples/linux/subscribe_publish_sample/../../../certs/aws-cert.pem
wolfSSL Entering wolfSSL_CTX_use_certificate_file
Getting dynamic buffer
wolfSSL Entering PemToDer
Checking cert signature type
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Not ECDSA cert signature
wolfSSL Entering SSL_set_fd
wolfSSL Entering SSL_set_read_fd
wolfSSL Leaving SSL_set_read_fd, return 1
wolfSSL Entering SSL_set_write_fd
wolfSSL Leaving SSL_set_write_fd, return 1
wolfSSL Entering SSL_connect()
Adding signature algorithms extension
growing output buffer
Signature Algorithms extension to write
Elliptic Curves extension to write
Shrinking output buffer
connect state: CLIENT_HELLO_SENT
growing input buffer
received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server hello
wolfSSL Entering VerifyClientSuite
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
More messages in record
received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing certificate
wolfSSL Entering ProcessPeerCerts
Loading peer's cert chain
Put another cert into chain
Put another cert into chain
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
Certificate Policy extension not supported yet.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAltNames
Unsupported name type, skipping
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
About to verify certificate signature
wolfSSL Entering ConfirmSignature
wolfSSL Leaving ConfirmSignature, return 0
Adding CA from chain
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
Certificate Policy extension not supported yet.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAltNames
Unsupported name type, skipping
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Parsed new CA
Freeing Parsed CA
Freeing der CA
OK Freeing der CA
wolfSSL Leaving AddCA, return 0
Verifying Peer's cert
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAltNames
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Certificate Policy extension not supported yet.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
About to verify certificate signature
wolfSSL Entering ConfirmSignature
wolfSSL Leaving ConfirmSignature, return 0
Verified Peer's cert
wolfSSL Leaving ProcessPeerCerts, return 0
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
More messages in record
received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server key exchange
wolfSSL Entering DoServerKeyExchange
wolfSSL Entering EccVerify
wolfSSL Leaving EccVerify, return 0
wolfSSL Leaving DoServerKeyExchange, return 0
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
More messages in record
received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing certificate request
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
More messages in record
received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server hello done
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
connect state: HELLO_AGAIN
connect state: HELLO_AGAIN_REPLY
connect state: FIRST_REPLY_DONE
growing output buffer
Shrinking output buffer
sent: certificate
connect state: FIRST_REPLY_FIRST
wolfSSL Entering SendClientKeyExchange
wolfSSL Entering EccMakeKey
wolfSSL Leaving EccMakeKey, return 0
wolfSSL Entering EccSharedSecret
wolfSSL Leaving EccSharedSecret, return 0
growing output buffer
Shrinking output buffer
wolfSSL Leaving SendClientKeyExchange, return 0
sent: client key exchange
connect state: FIRST_REPLY_SECOND
wolfSSL Entering SendCertificateVerify
sent: certificate verify
connect state: FIRST_REPLY_THIRD
growing output buffer
Shrinking output buffer
sent: change cipher spec
connect state: FIRST_REPLY_FOURTH
growing output buffer
wolfSSL Entering BuildMessage
wolfSSL Leaving BuildMessage, return 0
Shrinking output buffer
sent: finished
connect state: FINISHED_DONE
received record layer msg
got ALERT!
Got alert
wolfSSL error occurred, error = 42
wolfSSL error occurred, error = -313
ERROR: iot_tls_connect L#326 wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -313
failure creating SSL connection to server [-313]
wolfSSL Entering SSL_free
CTX ref count not 0 yet, no free
Shrinking input buffer
wolfSSL Leaving SSL_free, return 0
wolfSSL Entering SSL_CTX_free
CTX ref count down to 0, doing full free
wolfSSL Entering wolfSSL_CertManagerFree
wolfSSL Leaving SSL_CTX_free, return 0
wolfSSL Entering wolfSSL_Cleanup
wolfSSL Entering wolfCrypt_Cleanup
wolfSSL Entering SSL_shutdown()
wolfSSL Entering wolfSSL_Cleanup
ERROR: main L#197 Error(-4) connecting to a3i4lmgkxatoyr.iot.us-west-2.amazonaws.com:8883
這是運行演示時的wireshark捕獲:
324 43.301028126 147.34.2.16 → 134.86.9.42 DNS 546 Standard query response 0x6223 A a3i4lmgkxatoyr.iot.us-west-2.amazonaws.com CNAME iotmoonraker.us-west-2.prod.iot.us-west-2.amazonaws.com CNAME dualstack.iotmoonraker-u-elb-1w8qnw1336zq-1186348092.us-west-2.elb.amazonaws.com A 52.10.19.111 A 52.25.57.203 A 35.165.44.84 A 35.160.71.83 A 34.210.178.78 A 52.41.23.91 NS ns-560.awsdns-06.net NS ns-1475.awsdns-56.org NS ns-1
769.awsdns-29.co.uk NS ns-332.awsdns-41.com A 205.251.198.233 AAAA 2600:9000:5306:e900::1 A 205.251.193.76 AAAA 2600:9000:5301:4c00::1
325 43.301247236 134.86.9.42 → 52.10.19.111 TCP 74 40282 → 8883 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1333683979 TSecr=0 WS=128
328 43.412499273 52.10.19.111 → 134.86.9.42 TCP 66 8883 → 40282 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1360 SACK_PERM=1 WS=256
329 43.412535130 134.86.9.42 → 52.10.19.111 TCP 54 40282 → 8883 [ACK] Seq=1 Ack=1 Win=29312 Len=0
336 43.413988506 134.86.9.42 → 52.10.19.111 SSL 196 Client Hello
339 43.414370228 52.10.19.111 → 134.86.9.42 TCP 60 8883 → 40282 [ACK] Seq=1 Ack=143 Win=5888 Len=0
341 43.533620599 52.10.19.111 → 134.86.9.42 TCP 1414 [TCP segment of a reassembled PDU]
342 43.533659332 134.86.9.42 → 52.10.19.111 TCP 54 40282 → 8883 [ACK] Seq=143 Ack=1361 Win=32128 Len=0
343 43.533830301 52.10.19.111 → 134.86.9.42 TLSv1.2 1283 Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done
344 43.533876234 134.86.9.42 → 52.10.19.111 TCP 54 40282 → 8883 [ACK] Seq=143 Ack=2590 Win=35072 Len=0
349 43.545353568 134.86.9.42 → 52.10.19.111 TLSv1.2 66 Certificate
350 43.545651974 52.10.19.111 → 134.86.9.42 TCP 60 8883 → 40282 [ACK] Seq=2590 Ack=155 Win=5888 Len=0
351 43.552906179 134.86.9.42 → 52.10.19.111 TLSv1.2 129 Client Key Exchange
352 43.553226294 52.10.19.111 → 134.86.9.42 TCP 60 8883 → 40282 [ACK] Seq=2590 Ack=230 Win=5888 Len=0
353 43.553237461 134.86.9.42 → 52.10.19.111 TLSv1.2 60 Change Cipher Spec
354 43.553645295 52.10.19.111 → 134.86.9.42 TCP 60 8883 → 40282 [ACK] Seq=2590 Ack=236 Win=5888 Len=0
355 43.553661141 134.86.9.42 → 52.10.19.111 TLSv1.2 99 Hello Request, Hello Request
356 43.554058924 52.10.19.111 → 134.86.9.42 TCP 60 8883 → 40282 [ACK] Seq=2590 Ack=281 Win=5888 Len=0
367 43.659283864 52.10.19.111 → 134.86.9.42 TLSv1.2 61 Alert (Level: Fatal, Description: Bad Certificate)
368 43.659391034 134.86.9.42 → 52.10.19.111 TCP 54 40282 → 8883 [FIN, ACK] Seq=281 Ack=2597 Win=35072 Len=0
369 43.659472966 52.10.19.111 → 134.86.9.42 TCP 60 8883 → 40282 [FIN, ACK] Seq=2597 Ack=281 Win=5888 Len=0
371 43.659485750 134.86.9.42 → 52.10.19.111 TCP 54 40282 → 8883 [ACK] Seq=282 Ack=2598 Win=35072 Len=0
372 43.659701144 52.10.19.111 → 134.86.9.42 TCP 60 8883 → 40282 [ACK] Seq=2598 Ack=282 Win=5888 Len=0
使用 mbedTLS 時使用完全相同的證書/密鑰。
我顯然在這里遺漏了一些東西,對某些人來說也很明顯,但我沒有看到它。
(也發布在 wolfSSL 論壇 [ https://www.wolfssl.com/forums/topic1122-failure-with-alert-error-42-when-connecting-to-aws-iot.html] ,但我想我會吸引觀眾)
2 個解決方案
解決方案1
1 已采納 2017-10-23 14:51:00
好的,事實證明我必須在創建 SSL 會話之前加載證書/密鑰,而不是之后:
ssl_ctx = wolfSSL_CTX_new(method);
result = wolfSSL_CTX_load_verify_locations(ssl_ctx, root_ca_filepath, NULL);
result = wolfSSL_CTX_use_PrivateKey_file(ssl_ctx, dev_prvkey_filepath,
cert_container_format);
result = wolfSSL_CTX_use_certificate_file(ssl_ctx, dev_cert_filepath, cert_container_format);
session = wolfSSL_new(ssl_ctx);
代替:
ssl_ctx = wolfSSL_CTX_new(method);
session = wolfSSL_new(ssl_ctx);
result = wolfSSL_CTX_load_verify_locations(ssl_ctx, root_ca_filepath, NULL);
result = wolfSSL_CTX_use_PrivateKey_file(ssl_ctx, dev_prvkey_filepath,
cert_container_format);
result = wolfSSL_CTX_use_certificate_file(ssl_ctx, dev_cert_filepath, cert_container_format);
解決方案2
0 2017-10-21 21:00:58
這很可能是協商使用的密碼失敗。
這個線程可以幫助你解決這個問題。 相關部分:
“-313”表示服務器已向客戶端發回致命警報。 如果在發送 ClientHello 消息之后發生這種情況,這很可能意味着客戶端沒有廣播對服務器所需的密碼套件或擴展的支持。
- 如果使用 ECC,服務器需要啟用支持的曲線擴展。 使用“--enable-supportedcurves”編譯 wolfSSL 來解決。
- wolfSSL 為安全起見默認禁用靜態密鑰密碼套件。 如果您的服務器需要,請參閱自述文件頂部的注釋,了解有關重新啟用靜態密鑰密碼套件的說明。
使用 nmap 確定 Amazon 支持哪些密碼套件,然后在 WolfSSL 中啟用最佳密碼套件。
nmap --script ssl-enum-ciphers -p 443 <host>
C程序卷曲:(35)錯誤:14077410:SSL例程:SSL23_GET_SERVER_HELLO:sslv3警報握手失敗
[英]C Program curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
嘗試在多個文件中使用Azure-iot-sdk-c序列化器模型時出現鏈接器錯誤
[英]Linker error when trying to use Azure-iot-sdk-c serializer model in multiple files
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.