AT Commands Firmware with AWS TLS/SSL Client connection
Posted: Sun Mar 04, 2018 4:48 am
Hello,
I am trying to get the AT Commands firmware to connect to AWS IoT, but I am having an issue where the SSL client connection fails approximately 10 seconds into the TLS handshake. I am fairly confident that I have everything set up right (this took a looong time!). Here is what I have done:
1. Pulled latest (846e8d8) AT command repo (v1.0.0.0 release doesn't support client SSL connections as far as I can tell).
2. Used "make menuconfig" to turn on MBED TLS DEBUGGING and VERBOSE debug output. I also turned off the watchdog on the idle task, which trips if it is not turned off.
3. Used the "make" cmd to build the esp32 AT project.
4. Provisioned a device on AWS IoT and downloaded client cert, CA root cert and private key.
5. Used ESP tool v3.6.3 to load all binaries into ESP32 flash (cert @ 0x2a000, priv key @ 0x2c000, and root CA cert @ 0x2e000).
6. Tested the cert + root CA + priv key combo using the ssl client on Windows, which works, returning status 0 (OK):
openssl s_client -connect xxxxxxxxxx.iot.us-west-2.amazonaws.com:8443 -CAfile CA.pem -cert cert.pem -key privateKey.pem
7. The last few lines of the debug output show:
I (29277) openssl: ssl_cli.c:3363 client state: 10
I (29282) openssl: ssl_tls.c:2416 => flush output
I (29288) openssl: ssl_tls.c:2428 <= flush output
I (29293) openssl: ssl_tls.c:4700 => write change cipher spec
I (29300) openssl: ssl_tls.c:2701 => write record
I (29306) openssl: ssl_tls.c:2838 output record: msgtype = 20, version = [3:3], msglen = 1
I (29315) openssl: ssl_tls.c:2841 dumping 'output record sent to network' (6 bytes)
I (29323) openssl: ssl_tls.c:2841 0000: 14 03 03 00 01 01 ......
I (29333) openssl: ssl_tls.c:2416 => flush output
I (29338) openssl: ssl_tls.c:2435 message length: 6, out_left: 6
I (29346) openssl: ssl_tls.c:2441 ssl->f_send() returned -80 (-0x0050)
I (29352) openssl: ssl_tls.c:2846 mbedtls_ssl_flush_output() returned -80 (-0x0050)
I (29361) openssl: ssl_tls.c:4710 mbedtls_ssl_write_record() returned -80 (-0x0050)
I (29369) openssl: mbedtls_ssl_handshake() return -0x50
ssl connect fail
I am not sure why this is failing, as the connection seems to be going ok?
I found a thread where someone describes their SSL handshakes taking a long time, which mine do as well:
https://github.com/espressif/esp-idf/issues/850
Mine currently stops about 12 to 13 seconds after the start of the SSL connection. My internet connection is very slow, but that shouldn't really prevent an SSL connection from being possible, as my PC can make one using the openssl utility very quickly.
I have tried everything I can think of at this point. Please let me know if you have any suggestions.
Thank You!
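As an added example (not part of the original post, and not Espressif or mbedtls code), here is a small Python script that parses the tail of the mbedtls debug output quoted above, maps the numeric "client state" and the handshake return code to their mbedtls names, and decodes the dumped record header. The error-code and state tables are copied from the mbedtls 2.x public headers (net_sockets.h and ssl.h); the embedded log sample is constructed from the lines in the post.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: the tail of the mbedtls debug output quoted in the post.
SAMPLE_LOG = """\
I (29277) openssl: ssl_cli.c:3363 client state: 10
I (29293) openssl: ssl_tls.c:4700 => write change cipher spec
I (29306) openssl: ssl_tls.c:2838 output record: msgtype = 20, version = [3:3], msglen = 1
I (29323) openssl: ssl_tls.c:2841 0000: 14 03 03 00 01 01 ......
I (29346) openssl: ssl_tls.c:2441 ssl->f_send() returned -80 (-0x0050)
I (29369) openssl: mbedtls_ssl_handshake() return -0x50
ssl connect fail
"""

# Low-level network error codes from mbedtls net_sockets.h.
NET_ERRORS = {
    -0x0042: "MBEDTLS_ERR_NET_SOCKET_FAILED",
    -0x0044: "MBEDTLS_ERR_NET_CONNECT_FAILED",
    -0x0046: "MBEDTLS_ERR_NET_BIND_FAILED",
    -0x0048: "MBEDTLS_ERR_NET_LISTEN_FAILED",
    -0x004A: "MBEDTLS_ERR_NET_ACCEPT_FAILED",
    -0x004C: "MBEDTLS_ERR_NET_RECV_FAILED",
    -0x004E: "MBEDTLS_ERR_NET_SEND_FAILED",
    -0x0050: "MBEDTLS_ERR_NET_CONN_RESET",
    -0x0052: "MBEDTLS_ERR_NET_UNKNOWN_HOST",
}

# mbedtls 2.x handshake states in enumeration order; the list index is the
# number printed after "client state:" in the debug log.
HANDSHAKE_STATES = [
    "HELLO_REQUEST", "CLIENT_HELLO", "SERVER_HELLO", "SERVER_CERTIFICATE",
    "SERVER_KEY_EXCHANGE", "CERTIFICATE_REQUEST", "SERVER_HELLO_DONE",
    "CLIENT_CERTIFICATE", "CLIENT_KEY_EXCHANGE", "CERTIFICATE_VERIFY",
    "CLIENT_CHANGE_CIPHER_SPEC", "CLIENT_FINISHED", "SERVER_CHANGE_CIPHER_SPEC",
    "SERVER_FINISHED", "FLUSH_BUFFERS", "HANDSHAKE_WRAPUP", "HANDSHAKE_OVER",
]

# TLS record-layer content types and protocol versions (RFC 5246).
RECORD_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
TLS_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

TIMESTAMP_RE = re.compile(r"^I \((\d+)\)")  # ESP-IDF log prefix: ms since boot
STATE_RE = re.compile(r"client state: (\d+)")
RECORD_RE = re.compile(r"output record: msgtype = (\d+), version = \[(\d+):(\d+)\], msglen = (\d+)")
ERR_RE = re.compile(r"mbedtls_ssl_handshake\(\) return (-0x[0-9A-Fa-f]+)")


@dataclass
class HandshakeSummary:
    last_state: Optional[str] = None
    last_record: Optional[str] = None
    error_code: Optional[int] = None
    error_name: Optional[str] = None
    first_ms: Optional[int] = None
    last_ms: Optional[int] = None

    def elapsed_ms(self) -> Optional[int]:
        if self.first_ms is None or self.last_ms is None:
            return None
        return self.last_ms - self.first_ms


def split_mbedtls_error(code: int) -> Tuple[int, int]:
    """Split a negative mbedtls return code into (high_level, low_level).
    mbedtls ORs a module-level code (bits 7..14) with a low-level code
    (bits 0..6); both halves are conventionally quoted as negative numbers."""
    mag = -code
    return (-(mag & ~0x7F), -(mag & 0x7F))


def describe_error(code: int) -> str:
    high, low = split_mbedtls_error(code)
    name = NET_ERRORS.get(low, "unknown low-level code")
    if high:
        return f"{name} (low-level {low:#x}, high-level {high:#x})"
    return name


def describe_record(msgtype: int, major: int, minor: int, msglen: int) -> str:
    rtype = RECORD_TYPES.get(msgtype, f"type {msgtype}")
    ver = TLS_VERSIONS.get((major, minor), f"version {major}.{minor}")
    return f"{rtype} ({ver}, {msglen} byte payload)"


def summarize(log_text: str) -> HandshakeSummary:
    """Walk the log once and keep the last state, record and error seen."""
    s = HandshakeSummary()
    for line in log_text.splitlines():
        m = TIMESTAMP_RE.match(line)
        if m:
            ms = int(m.group(1))
            s.first_ms = ms if s.first_ms is None else s.first_ms
            s.last_ms = ms
        m = STATE_RE.search(line)
        if m:
            idx = int(m.group(1))
            s.last_state = HANDSHAKE_STATES[idx] if idx < len(HANDSHAKE_STATES) else f"state {idx}"
        m = RECORD_RE.search(line)
        if m:
            s.last_record = describe_record(*map(int, m.groups()))
        m = ERR_RE.search(line)
        if m:
            s.error_code = int(m.group(1), 16)
            s.error_name = describe_error(s.error_code)
    return s


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the quoted lines this reports the last client state as CLIENT_CHANGE_CIPHER_SPEC and the return code -0x0050 as MBEDTLS_ERR_NET_CONN_RESET: the transport layer saw the TCP connection reset by the peer while the client was flushing its ChangeCipherSpec record. That is a different class of failure from a certificate or verification error, which mbedtls would report with a module code in the high-level bits, so decoding the code is a quick way to tell a network-level disconnect apart from a TLS policy rejection before digging further.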