AWS thing shadow example failing to verify certifiate

[wacbrayk]

I'm working on ESP-IDF version V3.2.2 and am trying to run the AWS thing shadow example. However, the code is failing in the call to aws_iot_shadow_connect() when trying to verify the CA certificate. The CA certificate I'm using is the one provided in the IDF and is being embedded into the code. So far I've spent a couple days trying to dig into this, but haven't made any progress. Below is the console output with log level set to debug and mbedtls debugging enabled. Any help figuring out what would be causing this error is appreciated.

Code: Select all

D (4262) mbedtls: ssl_cli.c:1732 server hello, compress alg.: 0

D (4272) mbedtls: ssl_cli.c:1764 server hello, chosen ciphersuite: TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384

I (4282) mbedtls: ssl_cli.c:1781 server hello, total extension length: 9

D (4282) mbedtls: ssl_cli.c:1801 found renegotiation extension

D (4292) mbedtls: ssl_cli.c:1853 found extended_master_secret extension

I (4302) mbedtls: ssl_cli.c:1970 <= parse server hello

I (4302) mbedtls: ssl_cli.c:3405 client state: 3

I (4312) mbedtls: ssl_tls.c:2751 => flush output

I (4312) mbedtls: ssl_tls.c:2763 <= flush output

I (4322) mbedtls: ssl_tls.c:5440 => parse certificate

I (4322) mbedtls: ssl_tls.c:4305 => read record

D (4332) phy_init: wifi mac time delta: 92113
D (4382) mbedtls: ssl_tls.c:3620 handshake message: msglen = 2312, type = 11, hslen = 2055

I (4382) mbedtls: ssl_tls.c:4379 <= read record

D (4382) mbedtls: ssl_tls.c:5650 peer certificate #1:

D (4392) mbedtls: ssl_tls.c:5650 cert. version     : 3

D (4392) mbedtls: ssl_tls.c:5650 serial number     : 31:73:C9:C6:F8:61:7C:A0:C6:92:06:70:E6:BF:D9:6D

D (4402) mbedtls: ssl_tls.c:5650 issuer name       : C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 ECC 256 bit SSL CA - G2

D (4412) mbedtls: ssl_tls.c:5650 subject name      : C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=*.iot.us-east-1.amazonaws.com

D (4432) mbedtls: ssl_tls.c:5650 issued  on        : 2018-10-18 00:00:00

D (4432) mbedtls: ssl_tls.c:5650 expires on        : 2019-10-19 23:59:59

D (4442) phy_init: wifi mac time delta: 95681
D (4442) mbedtls: ssl_tls.c:5650 signed using      : ECDSA with SHA256

D (4452) mbedtls: ssl_tls.c:5650 EC key size       : 256 bits

D (4462) mbedtls: ssl_tls.c:5650 basic constraints : CA=false

D (4462) mbedtls: ssl_tls.c:5650 subject alt name  : iot.us-east-1.amazonaws.com, *.iot.us-east-1.amazonaws.com

D (4472) mbedtls: ssl_tls.c:5650 key usage         : Digital Signature

D (4482) mbedtls: ssl_tls.c:5650 ext key usage     : TLS Web Server Authentication, TLS Web Client Authentication

D (4492) mbedtls: ssl_tls.c:5650 value of 'crt->eckey.Q(X)' (256 bits) is:

D (4502) mbedtls: ssl_tls.c:5650  c6 63 9c 1d ef da f2 5a c8 d4 45 48 60 17 83 ed

D (4512) mbedtls: ssl_tls.c:5650  c1 ee 8b 95 85 71 d7 f8 b5 27 5c a3 c8 9d fb ea

D (4512) mbedtls: ssl_tls.c:5650 value of 'crt->eckey.Q(Y)' (254 bits) is:

D (4522) mbedtls: ssl_tls.c:5650  31 5d 15 6f 29 45 fd 93 53 ae 57 05 3a 2f 9f 2c

D (4532) mbedtls: ssl_tls.c:5650  e9 bf 00 5a 07 bd af 6c bf c5 72 69 57 46 66 1a

D (4542) mbedtls: ssl_tls.c:5650 peer certificate #2:

D (4542) mbedtls: ssl_tls.c:5650 cert. version     : 3

D (4552) mbedtls: ssl_tls.c:5650 serial number     : 3F:92:87:BE:9D:1D:A4:A3:7A:9D:F6:28:2E:77:5A:C4

D (4562) mbedtls: ssl_tls.c:5650 issuer name       : C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5

D (4582) mbedtls: ssl_tls.c:5650 subject name      : C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 ECC 256 bit SSL CA - G2

D (4592) mbedtls: ssl_tls.c:5650 issued  on        : 2015-05-12 00:00:00

D (4602) mbedtls: ssl_tls.c:5650 expires on        : 2025-05-11 23:59:59

D (4602) mbedtls: ssl_tls.c:5650 signed using      : RSA with SHA-256

D (4612) mbedtls: ssl_tls.c:5650 EC key size       : 256 bits

D (4622) mbedtls: ssl_tls.c:5650 basic constraints : CA=true, max_pathlen=0

D (4622) mbedtls: ssl_tls.c:5650 subject alt name  :

D (4632) mbedtls: ssl_tls.c:5650 key usage         : Key Cert Sign, CRL Sign

D (4642) mbedtls: ssl_tls.c:5650 value of 'crt->eckey.Q(X)' (252 bits) is:

D (4642) phy_init: wifi mac time delta: 97052
D (4642) mbedtls: ssl_tls.c:5650  0f 1b a4 91 d7 e7 ac e7 d1 4e 4e b7 64 5b e1 8f

D (4662) mbedtls: ssl_tls.c:5650  7f 6e 04 d3 ab 38 db 44 b7 40 5c 6d bd 96 96 37

D (4662) mbedtls: ssl_tls.c:5650 value of 'crt->eckey.Q(Y)' (256 bits) is:

D (4672) mbedtls: ssl_tls.c:5650  df 79 89 86 67 f7 b1 1f 08 9e fd 63 3b 46 8c 9f

D (4682) mbedtls: ssl_tls.c:5650  bd 53 e8 15 dc 97 3e 2b 81 46 ad 86 7f 0e 01 39

D (4852) phy_init: wifi mac time delta: 96937
D (4952) phy_init: wifi mac time delta: 97046
D (5052) phy_init: wifi mac time delta: 97045
D (5152) phy_init: wifi mac time delta: 97053
D (5182) phy_init: wifi mac time delta: 17909
D (5252) phy_init: wifi mac time delta: 22246
D (5292) aws_iot: Verify requested for (Depth 1):
D (5302) aws_iot: cert. version     : 3
serial number     : 3F:92:87:BE:9D:1D:A4:A3:7A:9D:F6:28:2E:77:5A:C4
issuer name       : C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Cert
D (5312) aws_iot: Verify result:cert. version     : 3
serial number     : 3F:92:87:BE:9D:1D:A4:A3:7A:9D:F6:28:2E:77:5A:C4
issuer name       : C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Cert
D (5342) aws_iot: Verify requested for (Depth 0):
D (5342) aws_iot: cert. version     : 3
serial number     : 31:73:C9:C6:F8:61:7C:A0:C6:92:06:70:E6:BF:D9:6D
issuer name       : C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 ECC 256 bit SSL CA - G2
subject name      : C=US, ST=Washington, L=
D (5372) aws_iot:   This certificate has no flags
W (5372) mbedtls: ssl_tls.c:5713 x509_verify_cert() returned -9984 (-0x2700)

I (5382) mbedtls: ssl_tls.c:5244 => send alert message

D (5392) mbedtls: ssl_tls.c:5245 send alert level=2 message=48

I (5392) mbedtls: ssl_tls.c:3337 => write record

D (5402) mbedtls: ssl_tls.c:3417 output record: msgtype = 21, version = [3:3], msglen = 2

I (5412) mbedtls: ssl_tls.c:2751 => flush output

I (5412) mbedtls: ssl_tls.c:2770 message length: 7, out_left: 7

D (5422) phy_init: wifi mac time delta: 57794
I (5422) mbedtls: ssl_tls.c:2775 ssl->f_send() returned 7 (-0xfffffff9)

I (5432) mbedtls: ssl_tls.c:2803 <= flush output

I (5442) mbedtls: ssl_tls.c:3470 <= write record

I (5442) mbedtls: ssl_tls.c:5257 <= send alert message

D (5452) mbedtls: ssl_tls.c:5801 ! Certificate verification flags 8

I (5452) mbedtls: ssl_tls.c:5810 <= parse certificate

I (5462) mbedtls: ssl_tls.c:8031 <= handshake

E (5462) aws_iot: failed! mbedtls_ssl_handshake returned -0x2700
E (5472) aws_iot:     Unable to verify the server's certificate.
I (5482) mbedtls: ssl_tls.c:8662 => write close notify

I (5482) mbedtls: ssl_tls.c:8678 <= write close notify

I (5492) mbedtls: ssl_tls.c:8866 => free

I (5502) mbedtls: ssl_tls.c:8931 <= free

E (5502) shadow: aws_iot_shadow_connect returned error -4, aborting...

[chegewara]

I dont know why you are getting info about Verisign certificate issuer, AWS IoT is no longer using Verisign certificate.

C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5

Make sure you are using this CA certificate:
https://github.com/espressif/esp-idf/bl ... oot-ca.pem

aws_ca.JPG (19.38 KiB) Viewed 3989 times

[wacbrayk]

That is the certificate that I'm using. I am getting these errors with no modifications to the examples.

[wacbrayk]

I was able to figure out the problem. The certificate that is included in the example is an ATS (Amazon Trust Services) certificate, and the endpoint I was using was not the ATS endpoint. Once I changed to the correct endpoint, it verified everything correctly.