AWS IoT and HTTPS are mutually failed

[samsonch]

I am running AWS IoT and HTTPS simultaneously and they do not work at the same time. AWS IoT worked great if I didn't start another HTTPS session, so did HTTPS. If I got both running together, I got the following errors:

E (320154) esp-tls: mbedtls_ssl_handshake returned -0x2700
E (320164) esp-tls: Failed to open new connection
E (320164) TRANS_SSL: Failed to open a new connection
E (320164) HTTP_CLIENT: Connection failed, sock < 0
E (320174) HTTPS_CLIENT: Error perform http request ESP_ERR_HTTP_CONNECT
W (332144) mbedtls: ssl_tls.c:5713 x509_verify_cert() returned -9984 (-0x2700)

Am I missing anything or that is the limitation of ESP32?

Samson

[chegewara]

https://www.google.com/search?q=mbedtls ... e&ie=UTF-8

[samsonch]

Hello chegewara,

Thank you for pointing some directions. I went some of the discussions and tried somethings. I still could not get it working. If you don't mind, could you give me some more specific hints? Thank you so much.

Samson

[chegewara]

error you get from mbedtls is self explanatory.
You have incorrect certificate or your certificate is not activated in aws IoT.

[samsonch]

AWS IOT SDK has nothing to do with this problem. The current ESP32 transport_tls and mbedtls simply do not support concurrent sessions when there is more than one SSL destination. If you create two HTTPS sessions going to two different HTTPS destinations (different destination domains and certificates), only the first one can be established. The second one will fail.

Samson

[ESP_Angus]

AWS IOT SDK has nothing to do with this problem. The current ESP32 transport_tls and mbedtls simply do not support concurrent sessions when there is more than one SSL destination. If you create two HTTPS sessions going to two different HTTPS destinations (different destination domains and certificates), only the first one can be established. The second one will fail.

This should not be true. Is it possible you're accidentally passing the wrong certificate to one of the sessions? (If they're embedded in the binary, they'll each need to have different names.)

If that's not it, is it possible for you to please post a full project (or as much of it as possible) somewhere?

[chegewara]

I have opposite situation. I have AWS IoT app and i am sending https url to my app to start OTA update and it works without CA cert. To OTA update i am using basically native OTA example:

Code: Select all

    esp_http_client_config_t config = {
        .url = (char*)pvParameter,
        // .cert_pem = (char *)server_cert_pem_start,
    };
    esp_http_client_handle_t client = esp_http_client_init(&config);
    if (client == NULL) {
        ESP_LOGE(TAG, "Failed to initialise HTTP connection");
        task_fatal_error();
    }
    err = esp_http_client_open(client, 0);
    if (err != ESP_OK) {
        ESP_LOGE(TAG, "Failed to open HTTP connection: %s", esp_err_to_name(err));
        esp_http_client_cleanup(client);
        task_fatal_error();
    }

I am using server with letsencrypt certificate and it works without issue.

[ESP_Angus]

I have opposite situation. I have AWS IoT app and i am sending https url to my app to start OTA update and it works without CA cert.

If the cert_pem field of esp_http_client_config_t is NULL then certificate validation is disabled.

Will update the docs to make this clear.

[chegewara]

If the cert_pem field of esp_http_client_config_t is NULL then certificate validation is disabled.

Will update the docs to make this clear.

Thats change in API i missed, thanks for clarification. I will try to add certificate to see if i have the same issue that OP.

EDIT i can confirm it works for me with native ota over https + aws IoT

[samsonch]

AWS IOT SDK has nothing to do with this problem. The current ESP32 transport_tls and mbedtls simply do not support concurrent sessions when there is more than one SSL destination. If you create two HTTPS sessions going to two different HTTPS destinations (different destination domains and certificates), only the first one can be established. The second one will fail.

This should not be true. Is it possible you're accidentally passing the wrong certificate to one of the sessions? (If they're embedded in the binary, they'll each need to have different names.)

If that's not it, is it possible for you to please post a full project (or as much of it as possible) somewhere?

I am pretty sure I was passing the correct certificate to the right session. If I put a semaphore to make the two sessions running exclusively, each session worked great. I will see if I could make a small project to simulate this.