Thing Connects fine to AWS IoT Core but does not when using AWS Device Advisor

0

I have a custom device running FreeRTOS and Mbed-TLS. The device connects fine to the production IoT Core endpoint and I can pub/sub to my heart's content; however, when I try to connect to the endpoint provided by Device Advisor with an MQTT Connect test case, it won't complete the TLS handshake. The log has two entries in it: the client hello and then a close-notify alert from the server. I tried using a little C# test application I wrote to connect to the same endpoint, and that seems to work. I use the same method for both; the only difference is the device. I did decode the client hello my device is sending and I do not see anything obviously wrong.

At the point of pulling my hair out, any tips?

         +-------------------------------------------------+
         |  0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f |
+--------+-------------------------------------------------+----------------+
|00000000| 16 03 03 00 a4 01 00 00 a0 03 03 80 e3 df 37 83 |..............7.|
|00000010| 02 08 84 9d b0 6f e8 86 e9 e0 12 5e 77 f9 97 c6 |.....o.....^w...|
|00000020| af 62 cf 43 c6 40 63 c0 77 3a 82 00 00 04 c0 2b |.b.C.@c.w:.....+|
|00000030| 00 ff 01 00 00 73 00 00 00 47 00 45 00 00 42 74 |.....s...G.E..Bt|
|00000040| 34 31 31 62 39 36 32 35 37 74 33 6e 78 35 69 7a |411b96257t3nx5iz|
|00000050| 39 76 37 73 69 6a 73 2e 64 65 76 69 63 65 61 64 |9v7sijs.devicead|
|00000060| 76 69 73 6f 72 2e 69 6f 74 2e 75 73 2d 65 61 73 |visor.iot.us-eas|
|00000070| 74 2d 31 2e 61 6d 61 7a 6f 6e 61 77 73 2e 63 6f |t-1.amazonaws.co|
|00000080| 6d 00 0d 00 06 00 04 04 03 04 01 00 0a 00 0a 00 |m...............|
|00000090| 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 00 00 |................|
|000000a0| 10 00 06 00 04 03 90 03 9b                      |.........       |
+--------+-------------------------------------------------+----------------+

TLS Record Sender SERVER ContentType ALERT Length 7 Timestamp 2022-12-19T18:08:58Z
         +-------------------------------------------------+
         |  0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f |
+--------+-------------------------------------------------+----------------+
|00000000| 15 03 03 00 02 01 00                            |.......         |
+--------+-------------------------------------------------+----------------+

16 03 03 00 a4
Record Header
    16 - type is 0x16 (handshake record)
    03 03 - protocol version is 3.3 (also known as TLS 1.2)
    00 a4 - 0xA4 (164) bytes of handshake message follows 

01 00 00 a0 
    01 - handshake message type 0x01 (client hello)
    00 00 a0 - 0xA0 (160) bytes of client hello follows

03 03 
    The protocol version of "3.3" (meaning TLS 1.2) is given.

80 e3 df 37 83 02 08 84 9d b0 6f e8 86 e9 e0 12 5e 77 f9 97 c6 af 62 cf 43 c6 40 63 c0 77 3a 82 
    The client provides 32 bytes of random data.

00 
    Session id
    00 - length of zero (no session id is provided) 

00 04
    Cipher Suites - 4 bytes of cipher suites follow
    c0 2b 
        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    00 ff 
        TLS_EMPTY_RENEGOTIATION_INFO_SCSV

01 00 
    01 - 0x1 (1) bytes of compression methods follows
    00 - assigned value for no compression 

00 73 
    00 73 - the extensions will take 0x73 (115) bytes of data 

00 00 
    Server Name Extension
    00 47 
        71 Bytes Follow
    00 45
        69 Bytes of list entry
    00 
        List entry type is 0x00 "DNS Hostname"
    00 42 
        66 Bytes of host name follow
    74 34 31 31 62 39 36 32 35 37 74 33 6e 78 35 69 7a 39 76 37 73 69 6a 73 2e 64 65 76 69 63 65 61 64 76 69 73 6f 72 2e 69 6f 74 2e 75 73 2d 65 61 73 74 2d 31 2e 61 6d 61 7a 6f 6e 61 77 73 2e 63 6f 6d
        Hostname - "t411b96257t3nx5iz9v7sijs.deviceadvisor.iot.us-east-1.amazonaws.com"

00 0d
    Signature Algorithms
    00 06 
        6 Bytes follow
    00 04 
        4 Bytes follow
    04 03 
        ECDSA/SECP256r1/SHA256 
    04 01 
        RSA/PKCS1/SHA256 

00 0a 
    Supported Groups
    00 0a
        10 bytes of "supported groups" extension data follows 
    00 08 
        8 Bytes of data are in the curves list
    00 1d 
        x25519
    00 17 
        secp256r1
    00 18 
        secp384r1
    00 19 
        secp521r1

00 0b 
    EC Point Formats
    00 02 
        2 bytes of EC points format data follows
    01 
        1 byte of data is in the list
    00 
        Assigned value for uncompressed format

  • I have tried adding the ALPN and trying both ports 8883 and 443 - no change
  • I have tried a different test application, which seems to work, but there is nothing in the log to point to what the difference between my device and the test device is
  • My device connects fine to the normal endpoint and functions as expected
  • I would expect the device to connect to the Device Advisor endpoint.
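The manual decode in the question stops at the EC Point Formats extension, while the extensions length field announces 115 bytes, so the dump's final extension (the bytes at offset 0xa0) is never decoded. The script below is an added example, not code from the question, from AWS or from Mbed-TLS: it parses the ClientHello record and the server's Alert record byte for byte, checks each length field against the bytes actually present (a mismatch anywhere raises instead of silently misaligning the rest of the decode), and walks every extension. The record bytes are copied verbatim from the two hex dumps in the post; the names used for extension types, cipher suites, groups, signature schemes and alert codes are the IANA TLS registry names.

```python
"""Decode the two TLS records from the question's hex dumps.

Added example, not code from the question, from AWS or from Mbed-TLS. The bytes
are copied from the post's hex dumps; the names are the IANA TLS registry names.
"""

# ClientHello record: 5-byte record header plus the 164-byte handshake message (first dump).
CLIENT_HELLO = bytes.fromhex(
    "16 03 03 00 a4 01 00 00 a0 03 03 80 e3 df 37 83 02 08 84 9d b0 6f e8 86 e9 e0 12 5e 77 f9 97 c6 "
    "af 62 cf 43 c6 40 63 c0 77 3a 82 00 00 04 c0 2b 00 ff 01 00 00 73 00 00 00 47 00 45 00 00 42 74 "
    "34 31 31 62 39 36 32 35 37 74 33 6e 78 35 69 7a 39 76 37 73 69 6a 73 2e 64 65 76 69 63 65 61 64 "
    "76 69 73 6f 72 2e 69 6f 74 2e 75 73 2d 65 61 73 74 2d 31 2e 61 6d 61 7a 6f 6e 61 77 73 2e 63 6f "
    "6d 00 0d 00 06 00 04 04 03 04 01 00 0a 00 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 00 00 "
    "10 00 06 00 04 03 90 03 9b"
)
SERVER_ALERT = bytes.fromhex("15 03 03 00 02 01 00")  # the server's reply (second dump)

EXTENSION_NAMES = {0x0000: "server_name", 0x000a: "supported_groups",
                   0x000b: "ec_point_formats", 0x000d: "signature_algorithms",
                   0x0010: "application_layer_protocol_negotiation"}
CIPHER_SUITE_NAMES = {0xc02b: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                      0x00ff: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"}
GROUP_NAMES = {0x001d: "x25519", 0x0017: "secp256r1", 0x0018: "secp384r1", 0x0019: "secp521r1"}
SIG_ALG_NAMES = {0x0403: "ecdsa_secp256r1_sha256", 0x0401: "rsa_pkcs1_sha256"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 120: "no_application_protocol"}

def _u16(buf, off):
    return int.from_bytes(buf[off:off + 2], "big")

def _u16_list(buf, names):
    """Split a byte string into big-endian u16 ids and map each to its registry name."""
    return [names.get(_u16(buf, i), "0x%04x" % _u16(buf, i)) for i in range(0, len(buf), 2)]

def parse_record(record):
    """Return (content_type, version, payload), insisting the header length matches."""
    if len(record) < 5 or _u16(record, 3) != len(record) - 5:
        raise ValueError("record length does not match the record header")
    return record[0], (record[1], record[2]), record[5:]

def decode_extension(ext_type, data):
    """Decode the extension bodies present in the capture; anything else is returned raw."""
    if ext_type == 0x0000:  # server_name: u16 list length, u8 name type, u16 length, name
        return {"name_type": data[2], "host_name": data[5:5 + _u16(data, 3)].decode("ascii")}
    if ext_type == 0x000d:  # signature_algorithms: u16 list length, then u16 scheme ids
        return {"algorithms": _u16_list(data[2:2 + _u16(data, 0)], SIG_ALG_NAMES)}
    if ext_type == 0x000a:  # supported_groups: u16 list length, then u16 group ids
        return {"groups": _u16_list(data[2:2 + _u16(data, 0)], GROUP_NAMES)}
    if ext_type == 0x000b:  # ec_point_formats: u8 list length, then u8 format ids
        return {"formats": list(data[1:1 + data[0]])}
    if ext_type == 0x0010:  # ALPN: u16 list length, then (u8 length, name) entries
        protocols, off, end = [], 2, 2 + _u16(data, 0)
        while off < end:
            name = data[off + 1:off + 1 + data[off]]
            printable = all(0x20 <= c < 0x7f for c in name)
            protocols.append({"printable": printable,
                              "value": name.decode("ascii") if printable else name.hex()})
            off += 1 + data[off]
        return {"protocols": protocols}
    return {"raw": data.hex()}

def parse_client_hello(record):
    """Parse a TLS 1.2 ClientHello record into a dict, walking every extension."""
    content_type, _, body = parse_record(record)
    if content_type != 0x16 or body[0] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    if int.from_bytes(body[1:4], "big") != len(body) - 4:
        raise ValueError("handshake length does not match the handshake header")
    hello = body[4:]
    off = 34                                   # skip 2-byte version and 32-byte random
    sid_len, off = hello[off], off + 1
    session_id, off = hello[off:off + sid_len], off + sid_len
    cs_len, off = _u16(hello, off), off + 2
    cipher_suites, off = _u16_list(hello[off:off + cs_len], CIPHER_SUITE_NAMES), off + cs_len
    comp_len, off = hello[off], off + 1
    compression, off = list(hello[off:off + comp_len]), off + comp_len
    ext_total, off = _u16(hello, off), off + 2
    if off + ext_total != len(hello):
        raise ValueError("extensions length does not match the remaining bytes")
    extensions = []
    while off < len(hello):
        ext_type, ext_len = _u16(hello, off), _u16(hello, off + 2)
        extensions.append({"type": ext_type, "name": EXTENSION_NAMES.get(ext_type, "unknown"),
                           "decoded": decode_extension(ext_type, hello[off + 4:off + 4 + ext_len])})
        off += 4 + ext_len
    return {"version": (hello[0], hello[1]), "random": hello[2:34].hex(),
            "session_id": session_id.hex(), "cipher_suites": cipher_suites,
            "compression": compression, "extensions": extensions}

def parse_alert(record):
    """Parse a TLS Alert record into its level and description."""
    content_type, _, body = parse_record(record)
    if content_type != 0x15 or len(body) != 2:
        raise ValueError("not a two-byte Alert record")
    return {"level": ALERT_LEVELS.get(body[0], body[0]),
            "description": ALERT_DESCRIPTIONS.get(body[1], body[1])}

if __name__ == "__main__":
    for ext in parse_client_hello(CLIENT_HELLO)["extensions"]:
        print("extension 0x%04x %s: %s" % (ext["type"], ext["name"], ext["decoded"]))
    print("server alert:", parse_alert(SERVER_ALERT))
```

Run as a script it prints one line per extension followed by the decoded alert (warning, close_notify). On these bytes the first four extensions decode exactly as the manual walkthrough states, and the fifth parses as type 0x0010 (application_layer_protocol_negotiation) with a list length of 4 and a single entry whose protocol name is the three non-printable bytes 90 03 9b. Since the extension list is the only part of the ClientHello the walkthrough does not fully cover, that field is the natural one to set side by side with the working C# client's capture.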
1 Answer
0

Does your FreeRTOS device use the SNI TLS extension? Using SNI is required for Device Advisor but not for the IoT Core endpoint.

Cheers,
Philipp

AWS
EXPERT
answered a year ago
  • I do have the SNI TLS extension enabled and when I compare the bytes that make up that extension to the one from my test application (captured via Wireshark), they are identical.
