Thing Connects fine to AWS IoT Core but does not when using AWS Device Advisor
I have a custom device running FreeRTOS and Mbed-TLS. The device connects fine to the production IoT Core endpoint and I can pub/sub to my heart's content; however, when I try to connect to the endpoint provided by Device Advisor with an MQTT Connect test case, it won't complete the TLS handshake. The log has two entries in it, the client hello and then a close-notify alert from the server. I tried using a little C# test application I wrote to connect to the same endpoint and that seems to work. I use the same method for both, the only difference is the device. I did decode the client hello my device is sending and I do not see anything obviously wrong.
At the point of pulling my hair out, any tips?
```
         +-------------------------------------------------+
         |  0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f |
+--------+-------------------------------------------------+----------------+
|00000000| 16 03 03 00 a4 01 00 00 a0 03 03 80 e3 df 37 83 |..............7.|
|00000010| 02 08 84 9d b0 6f e8 86 e9 e0 12 5e 77 f9 97 c6 |.....o.....^w...|
|00000020| af 62 cf 43 c6 40 63 c0 77 3a 82 00 00 04 c0 2b |.b.C.@c.w:.....+|
|00000030| 00 ff 01 00 00 73 00 00 00 47 00 45 00 00 42 74 |.....s...G.E..Bt|
|00000040| 34 31 31 62 39 36 32 35 37 74 33 6e 78 35 69 7a |411b96257t3nx5iz|
|00000050| 39 76 37 73 69 6a 73 2e 64 65 76 69 63 65 61 64 |9v7sijs.devicead|
|00000060| 76 69 73 6f 72 2e 69 6f 74 2e 75 73 2d 65 61 73 |visor.iot.us-eas|
|00000070| 74 2d 31 2e 61 6d 61 7a 6f 6e 61 77 73 2e 63 6f |t-1.amazonaws.co|
|00000080| 6d 00 0d 00 06 00 04 04 03 04 01 00 0a 00 0a 00 |m...............|
|00000090| 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 00 00 |................|
|000000a0| 10 00 06 00 04 03 90 03 9b                      |.........       |
+--------+-------------------------------------------------+----------------+
TLS Record Sender SERVER ContentType ALERT Length 7 Timestamp 2022-12-19T18:08:58Z
         +-------------------------------------------------+
         |  0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f |
+--------+-------------------------------------------------+----------------+
|00000000| 15 03 03 00 02 01 00                            |.......         |
+--------+-------------------------------------------------+----------------+
```
16 03 03 00 a4
Record Header
16 - type is 0x16 (handshake record)
03 03 - protocol version is 3.3 (also known as TLS 1.2)
00 a4 - 0xA4 (164) bytes of handshake message follow
01 00 00 a0
01 - handshake message type 0x01 (client hello)
00 00 a0 - 0xA0 (160) bytes of client hello follow
03 03
The protocol version of "3.3" (meaning TLS 1.2) is given.
80 e3 df 37 83 02 08 84 9d b0 6f e8 86 e9 e0 12 5e 77 f9 97 c6 af 62 cf 43 c6 40 63 c0 77 3a 82
The client provides 32 bytes of random data.
00
Session id
00 - length of zero (no session id is provided)
00 04
Cipher Suites - 4 bytes of cipher suites follow
c0 2b
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
00 ff
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
01 00
01 - 0x1 (1) byte of compression methods follows
00 - assigned value for no compression
00 73
00 73 - the extensions will take 0x73 (115) bytes of data
00 00
Server Name Extension
00 47
71 Bytes Follow
00 45
69 Bytes of list entry
00
List entry type is 0x00 "DNS Hostname"
00 42
66 Bytes of host name follow
74 34 31 31 62 39 36 32 35 37 74 33 6e 78 35 69 7a 39 76 37 73 69 6a 73 2e 64 65 76 69 63 65 61 64 76 69 73 6f 72 2e 69 6f 74 2e 75 73 2d 65 61 73 74 2d 31 2e 61 6d 61 7a 6f 6e 61 77 73 2e 63 6f 6d
Hostname - "t411b96257t3nx5iz9v7sijs.deviceadvisor.iot.us-east-1.amazonaws.com"
00 0d
Signature Algorithms
00 06
6 Bytes follow
00 04
4 Bytes follow
04 03
ECDSA/SECP256r1/SHA256
04 01
RSA/PKCS1/SHA256
00 0a
Supported Groups
00 0a
10 bytes of "supported groups" extension data follow
00 08
8 Bytes of data are in the curves list
00 1d
x25519
00 17
secp256r1
00 18
secp384r1
00 19
secp521r1
00 0b
EC Point Formats
00 02
2 bytes of EC point format data follow
01
1 byte of data is in the list
00
Assigned value for uncompressed format
- I have tried adding the ALPN and trying both ports 8883 and 443 - No Change
- I have tried a different test application which seems to work, but there is nothing in the log to point to what the difference between my device and the test device is
- My device connects fine to the normal endpoint and functions as expected
- I would expect the device to connect to the Device Advisor endpoint.
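The record from the log above, decoded mechanically. This is an added example, not code from the original post or from AWS; it uses only the Python standard library, and every function name in it is defined here. It walks the ClientHello the same way the manual decode does and lists every extension, including the one the manual decode stops before: the last extension, type 0x0010 (ALPN), carries a single 3-byte entry, `90 03 9b`, which is not a printable protocol name.

```python
import struct

# The ClientHello record transcribed row by row from the hex dump in the post (169 bytes).
CLIENT_HELLO_RECORD = bytes.fromhex(
    "16 03 03 00 a4 01 00 00 a0 03 03 80 e3 df 37 83 02 08 84 9d b0 6f e8 86 e9 e0 12 5e 77 f9 97 c6"
    "af 62 cf 43 c6 40 63 c0 77 3a 82 00 00 04 c0 2b 00 ff 01 00 00 73 00 00 00 47 00 45 00 00 42 74"
    "34 31 31 62 39 36 32 35 37 74 33 6e 78 35 69 7a 39 76 37 73 69 6a 73 2e 64 65 76 69 63 65 61 64"
    "76 69 73 6f 72 2e 69 6f 74 2e 75 73 2d 65 61 73 74 2d 31 2e 61 6d 61 7a 6f 6e 61 77 73 2e 63 6f"
    "6d 00 0d 00 06 00 04 04 03 04 01 00 0a 00 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 00 00"
    "10 00 06 00 04 03 90 03 9b"
)

def parse_client_hello(record: bytes) -> dict:
    """Walk one TLS record carrying a ClientHello; return version, cipher suites and raw extensions."""
    ctype, version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 0x16 or rlen != len(record) - 5:
        raise ValueError("not a single well-formed handshake record")
    hs = record[5:]
    if hs[0] != 0x01 or int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise ValueError("handshake message is not a ClientHello of the declared length")
    body, pos = hs[4:], 2 + 32                      # skip client_version and the 32-byte random
    pos += 1 + body[pos]                            # session_id: length byte plus id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                            # compression_methods: length byte plus list
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    if pos + ext_len != len(body):
        raise ValueError("extensions block does not fill the rest of the ClientHello")
    exts = []
    while pos < len(body):                          # each extension: type, length, data
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        exts.append((etype, body[pos:pos + elen])); pos += elen
    return {"version": version, "cipher_suites": suites, "extensions": exts}

def sni_hostname(ext_data: bytes) -> str:  # server_name: list length, entry type 0 (DNS), name length, name
    _list_len, name_type, name_len = struct.unpack("!HBH", ext_data[:5])
    return ext_data[5:5 + name_len].decode("ascii") if name_type == 0 else ""

def alpn_protocols(ext_data: bytes) -> list:  # ALPN: list length, then length-prefixed names (raw bytes)
    list_len = struct.unpack("!H", ext_data[:2])[0]
    pos, names = 2, []
    while pos < 2 + list_len:
        n = ext_data[pos]; names.append(ext_data[pos + 1:pos + 1 + n]); pos += 1 + n
    return names

if __name__ == "__main__":                        # prints each extension type, length and raw bytes
    for etype, data in parse_client_hello(CLIENT_HELLO_RECORD)["extensions"]:
        print(f"0x{etype:04x} {len(data):3d} {data.hex(' ')}")
```

Running it lists five extensions (0x0000, 0x000d, 0x000a, 0x000b, 0x0010); `alpn_protocols` on the last one returns `[b'\x90\x03\x9b']`, which `bytes.isascii()` rejects.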
Does your FreeRTOS device use the SNI TLS extension? Using SNI is required for Device Advisor but not for the IoT Core endpoint.
Cheers,
Philipp
I do have the SNI TLS extension enabled and when I compare the bytes that make up that extension to the one from my test application (captured via wireshark), they are identical.