AWS IoT and HTTPS are mutually failed

User avatar
samsonch
Posts: 15
Joined: Mon Sep 03, 2018 2:24 pm

AWS IoT and HTTPS are mutually failed

Postby samsonch » Thu Dec 27, 2018 6:34 am

I am running AWS IoT and HTTPS simultaneously and they do not work at the same time. AWS IoT worked great if I didn't start another HTTPS session, so did HTTPS. If I got both running together, I got the following errors:

E (320154) esp-tls: mbedtls_ssl_handshake returned -0x2700
E (320164) esp-tls: Failed to open new connection
E (320164) TRANS_SSL: Failed to open a new connection
E (320164) HTTP_CLIENT: Connection failed, sock < 0
E (320174) HTTPS_CLIENT: Error perform http request ESP_ERR_HTTP_CONNECT
W (332144) mbedtls: ssl_tls.c:5713 x509_verify_cert() returned -9984 (-0x2700)

Am I missing anything or that is the limitation of ESP32?

Samson


User avatar
samsonch
Posts: 15
Joined: Mon Sep 03, 2018 2:24 pm

Re: AWS IoT and HTTPS are mutually failed

Postby samsonch » Thu Dec 27, 2018 4:13 pm

Hello chegewara,

Thank you for pointing some directions. I went some of the discussions and tried somethings. I still could not get it working. If you don't mind, could you give me some more specific hints? Thank you so much.

Samson

chegewara
Posts: 2375
Joined: Wed Jun 14, 2017 9:00 pm

Re: AWS IoT and HTTPS are mutually failed

Postby chegewara » Fri Dec 28, 2018 8:04 pm

error you get from mbedtls is self explanatory.
You have incorrect certificate or your certificate is not activated in aws IoT.

User avatar
samsonch
Posts: 15
Joined: Mon Sep 03, 2018 2:24 pm

transport_tls and mbedtls do not support concurrent SSL sessions if there is more than one domain destinations

Postby samsonch » Wed Jan 02, 2019 11:03 am

AWS IOT SDK has nothing to do with this problem. The current ESP32 transport_tls and mbedtls simply do not support concurrent sessions when there is more than one SSL destination. If you create two HTTPS sessions going to two different HTTPS destinations (different destination domains and certificates), only the first one can be established. The second one will fail.

Samson

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: transport_tls and mbedtls do not support concurrent SSL sessions if there is more than one domain destinations

Postby ESP_Angus » Thu Jan 03, 2019 2:21 am

samsonch wrote:
Wed Jan 02, 2019 11:03 am
AWS IOT SDK has nothing to do with this problem. The current ESP32 transport_tls and mbedtls simply do not support concurrent sessions when there is more than one SSL destination. If you create two HTTPS sessions going to two different HTTPS destinations (different destination domains and certificates), only the first one can be established. The second one will fail.
This should not be true. Is it possible you're accidentally passing the wrong certificate to one of the sessions? (If they're embedded in the binary, they'll each need to have different names.)

If that's not it, is it possible for you to please post a full project (or as much of it as possible) somewhere?

chegewara
Posts: 2375
Joined: Wed Jun 14, 2017 9:00 pm

Re: AWS IoT and HTTPS are mutually failed

Postby chegewara » Thu Jan 03, 2019 5:48 am

I have opposite situation. I have AWS IoT app and i am sending https url to my app to start OTA update and it works without CA cert. To OTA update i am using basically native OTA example:

Code: Select all

    esp_http_client_config_t config = {
        .url = (char*)pvParameter,
        // .cert_pem = (char *)server_cert_pem_start,
    };
    esp_http_client_handle_t client = esp_http_client_init(&config);
    if (client == NULL) {
        ESP_LOGE(TAG, "Failed to initialise HTTP connection");
        task_fatal_error();
    }
    err = esp_http_client_open(client, 0);
    if (err != ESP_OK) {
        ESP_LOGE(TAG, "Failed to open HTTP connection: %s", esp_err_to_name(err));
        esp_http_client_cleanup(client);
        task_fatal_error();
    }
I am using server with letsencrypt certificate and it works without issue.

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: AWS IoT and HTTPS are mutually failed

Postby ESP_Angus » Thu Jan 03, 2019 6:15 am

chegewara wrote:
Thu Jan 03, 2019 5:48 am
I have opposite situation. I have AWS IoT app and i am sending https url to my app to start OTA update and it works without CA cert.
If the cert_pem field of esp_http_client_config_t is NULL then certificate validation is disabled.

Will update the docs to make this clear.

chegewara
Posts: 2375
Joined: Wed Jun 14, 2017 9:00 pm

Re: AWS IoT and HTTPS are mutually failed

Postby chegewara » Thu Jan 03, 2019 6:19 am

ESP_Angus wrote:
Thu Jan 03, 2019 6:15 am
If the cert_pem field of esp_http_client_config_t is NULL then certificate validation is disabled.

Will update the docs to make this clear.
Thats change in API i missed, thanks for clarification. I will try to add certificate to see if i have the same issue that OP.

EDIT i can confirm it works for me with native ota over https + aws IoT

User avatar
samsonch
Posts: 15
Joined: Mon Sep 03, 2018 2:24 pm

Re: transport_tls and mbedtls do not support concurrent SSL sessions if there is more than one domain destinations

Postby samsonch » Thu Jan 03, 2019 4:16 pm

ESP_Angus wrote:
Thu Jan 03, 2019 2:21 am
samsonch wrote:
Wed Jan 02, 2019 11:03 am
AWS IOT SDK has nothing to do with this problem. The current ESP32 transport_tls and mbedtls simply do not support concurrent sessions when there is more than one SSL destination. If you create two HTTPS sessions going to two different HTTPS destinations (different destination domains and certificates), only the first one can be established. The second one will fail.
This should not be true. Is it possible you're accidentally passing the wrong certificate to one of the sessions? (If they're embedded in the binary, they'll each need to have different names.)

If that's not it, is it possible for you to please post a full project (or as much of it as possible) somewhere?
I am pretty sure I was passing the correct certificate to the right session. If I put a semaphore to make the two sessions running exclusively, each session worked great. I will see if I could make a small project to simulate this.

Who is online

Users browsing this forum: No registered users and 304 guests