API tools faq
paste
shrinivas_15

mbedtls_ssl_handshake-issue

shrinivas_15
Jun 11th, 2020
92
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 14.32 KB | None | 0 0
raw download clone embed print report
  1. Hi,
  2. I recently started working on mbedtls for AWS IoT SDK based applications.
  3.  
  4. Issue: I am planning to run AWS IoT SDK sample applications on my memory constrained (6MB RAM) embedded hardware
  5. Usage: AWS IOT SDK(3.0.1 release version) and mbedtls (2.16.5)
  6. Note: This filesystem is Read-Only file system.
  7.  
  8. I have tried on Ubuntu 18.04 setup first to make things clear. It was not working with "AmazonRootCA1.pem" and working perfectly fine with cross-signed "G2-RootCA1.pem".
  9. Ref: https://docs.aws.amazon.com/iot/latest/developerguide/iot-embedded-c-sdk.html
  10.  
  11. So I have cross-compiled for my target board using ARM toolchain and copied the binary and certificates.
  12. I have downloaded device certificate, private key and RootCA from AWS IOT Core to my device. Nothing on
  13. my device except copying the above 3 files.
  14.  
  15. On my Embedded platform, whenever run my application, mbedtls is throwing the error "mbedtls_ssl_handshake returned -0x50"
  16. So I have enabled the debug in mbedtls library and ran below command to dig into the problem.
  17.  
  18. $ ./ssl_client2 server_name=a2g7twmqo7hg82-ats.iot.ap-south-1.amazonaws.com serv
  19. er_port=443 ca_file=/certs/G2-RootCA1.pem crt_file=/certs/4960bd2f6b-certificate
  20. .pem.crt key_file=/certs/4960bd2f6b-private.pem.key
  21.  
  22. Output:
  23. $ ./ssl_client2 server_name=a2g7twmqo7hg82-ats.iot.ap-south-1.amazonaws.com serv
  24. er_port=443 ca_file=/certs/G2-RootCA1.pem crt_file=/certs/4960bd2f6b-certificate
  25. .pem.crt key_file=/certs/4960bd2f6b-private.pem.key
  26.  
  27. . Seeding the random number generator... ok
  28. . Loading the CA root certificate ... ok (0 skipped)
  29. . Loading the client cert. and key... ok
  30. . Connecting to tcp/a2g7twmqo7hg82-ats.iot.ap-south-1.amazonaws.com/443... ok
  31. . Setting up the SSL/TLS structure...ssl_tls.c:0081: |3| set_timer to 0 ms
  32. ok
  33. . Performing the SSL/TLS handshake...ssl_tls.c:8084: |2| => handshake
  34. ssl_cli.c:3510: |2| client state: 0
  35. ssl_tls.c:2755: |2| => flush output
  36. ssl_tls.c:2767: |2| <= flush output
  37. ssl_cli.c:3510: |2| client state: 1
  38. ssl_tls.c:2755: |2| => flush output
  39. ssl_tls.c:2767: |2| <= flush output
  40. ssl_cli.c:0774: |2| => write client hello
  41. ssl_cli.c:0811: |3| client hello, max version: [3:3]
  42. ssl_cli.c:0703: |3| client hello, current time: 1540981791
  43. ssl_cli.c:0821: |3| dumping 'client hello, random bytes' (32 bytes)
  44. ssl_cli.c:0821: |3| 0000: 5b d9 84 1f 2f 33 35 54 ea 0b 5d e1 dc 42 0c 99 [.../35T..]..B..
  45. ssl_cli.c:0821: |3| 0010: d4 a1 25 72 6f 0f cf 8e 56 0d ab f5 10 e4 47 46 ..%ro...V.....GF
  46. ssl_cli.c:0874: |3| client hello, session id len.: 0
  47. ssl_cli.c:0875: |3| dumping 'client hello, session id' (0 bytes)
  48. ssl_cli.c:0921: |3| client hello, add ciphersuite: cca8
  49. ssl_cli.c:0921: |3| client hello, add ciphersuite: cca9
  50. ssl_cli.c:0921: |3| client hello, add ciphersuite: ccaa
  51. ssl_cli.c:0921: |3| client hello, add ciphersuite: c02c
  52. ssl_cli.c:0921: |3| client hello, add ciphersuite: c030
  53. ssl_cli.c:0921: |3| client hello, add ciphersuite: 009f
  54. ssl_cli.c:0921: |3| client hello, add ciphersuite: c0ad
  55. ssl_cli.c:0921: |3| client hello, add ciphersuite: c09f
  56. ssl_cli.c:0921: |3| client hello, add ciphersuite: c024
  57. ssl_cli.c:0921: |3| client hello, add ciphersuite: c028
  58. ssl_cli.c:0921: |3| client hello, add ciphersuite: 006b
  59. ssl_cli.c:0921: |3| client hello, add ciphersuite: c00a
  60. ssl_cli.c:0921: |3| client hello, add ciphersuite: c014
  61. ssl_cli.c:0921: |3| client hello, add ciphersuite: 0039
  62. ssl_cli.c:0921: |3| client hello, add ciphersuite: c0af
  63. ssl_cli.c:0921: |3| client hello, add ciphersuite: c0a3
  64. ssl_cli.c:0921: |3| client hello, add ciphersuite: c087
  65. ssl_cli.c:0921: |3| client hello, add ciphersuite: c08b
  66. ssl_cli.c:0921: |3| client hello, add ciphersuite: c07d
  67. ssl_cli.c:0921: |3| client hello, add ciphersuite: c073
  68. ssl_cli.c:0921: |3| client hello, add ciphersuite: c077
  69. ssl_cli.c:0921: |3| client hello, add ciphersuite: 00c4
  70. ssl_cli.c:0921: |3| client hello, add ciphersuite: 0088
  71. ssl_cli.c:0921: |3| client hello, add ciphersuite: c02b
  72. ssl_cli.c:0921: |3| client hello, add ciphersuite: c02f
  73. ssl_cli.c:0921: |3| client hello, add ciphersuite: 009e
  74. ssl_cli.c:0921: |3| client hello, add ciphersuite: c0ac
  75. ssl_cli.c:0921: |3| client hello, add ciphersuite: c09e
  76. ssl_cli.c:0921: |3| client hello, add ciphersuite: c023
  77. ssl_cli.c:0921: |3| client hello, add ciphersuite: c027
  78. ssl_cli.c:0921: |3| client hello, add ciphersuite: 0067
  79. ssl_cli.c:0921: |3| client hello, add ciphersuite: c009
  80. ssl_cli.c:0921: |3| client hello, add ciphersuite: c013
  81. ssl_cli.c:0921: |3| client hello, add ciphersuite: 0033
  82. ssl_cli.c:0921: |3| client hello, add ciphersuite: c0ae
  83. ssl_cli.c:0921: |3| client hello, add ciphersuite: c0a2
  84. ssl_cli.c:0921: |3| client hello, add ciphersuite: c086
  85. ssl_cli.c:0921: |3| client hello, add ciphersuite: c08a
  86. ssl_cli.c:0921: |3| client hello, add ciphersuite: c07c
  87. ssl_cli.c:0921: |3| client hello, add ciphersuite: c072
  88. ssl_cli.c:0921: |3| client hello, add ciphersuite: c076
  89. ssl_cli.c:0921: |3| client hello, add ciphersuite: 00be
  90. ssl_cli.c:0921: |3| client hello, add ciphersuite: 0045
  91. ssl_cli.c:0921: |3| client hello, add ciphersuite: ccac
  92. ssl_cli.c:0921: |3| client hello, add ciphersuite: ccad
  93. ssl_cli.c:0921: |3| client hello, add ciphersuite: 00ab
  94. ssl_cli.c:0921: |3| client hello, add ciphersuite: c0a7
  95. ssl_cli.c:0921: |3| client hello, add ciphersuite: c038
  96. ssl_cli.c:0921: |3| client hello, add ciphersuite: 00b3
  97. ssl_cli.c:0921: |3| client hello, add ciphersuite: c036
  98. ssl_cli.c:0921: |3| client hello, add ciphersuite: 0091
  99. ssl_cli.c:0921: |3| client hello, add ciphersuite: c091
  100. ssl_cli.c:0921: |3| client hello, add ciphersuite: c09b
  101. ssl_cli.c:0921: |3| client hello, add ciphersuite: c097
  102. ssl_cli.c:0921: |3| client hello, add ciphersuite: c0ab
  103. ssl_cli.c:0921: |3| client hello, add ciphersuite: 00aa
  104. ssl_cli.c:0921: |3| client hello, add ciphersuite: c0a6
  105. ssl_cli.c:0921: |3| client hello, add ciphersuite: c037
  106. ssl_cli.c:0921: |3| client hello, add ciphersuite: 00b2
  107. ssl_cli.c:0921: |3| client hello, add ciphersuite: c035
  108. ssl_cli.c:0921: |3| client hello, add ciphersuite: 0090
  109. ssl_cli.c:0921: |3| client hello, add ciphersuite: c090
  110. ssl_cli.c:0921: |3| client hello, add ciphersuite: c096
  111. ssl_cli.c:0921: |3| client hello, add ciphersuite: c09a
  112. ssl_cli.c:0921: |3| client hello, add ciphersuite: c0aa
  113. ssl_cli.c:0921: |3| client hello, add ciphersuite: 009d
  114. ssl_cli.c:0921: |3| client hello, add ciphersuite: c09d
  115. ssl_cli.c:0921: |3| client hello, add ciphersuite: 003d
  116. ssl_cli.c:0921: |3| client hello, add ciphersuite: 0035
  117. ssl_cli.c:0921: |3| client hello, add ciphersuite: c032
  118. ssl_cli.c:0921: |3| client hello, add ciphersuite: c02a
  119. ssl_cli.c:0921: |3| client hello, add ciphersuite: c00f
  120. ssl_cli.c:0921: |3| client hello, add ciphersuite: c02e
  121. ssl_cli.c:0921: |3| client hello, add ciphersuite: c026
  122. ssl_cli.c:0921: |3| client hello, add ciphersuite: c005
  123. ssl_cli.c:0921: |3| client hello, add ciphersuite: c0a1
  124. ssl_cli.c:0921: |3| client hello, add ciphersuite: c07b
  125. ssl_cli.c:0921: |3| client hello, add ciphersuite: 00c0
  126. ssl_cli.c:0921: |3| client hello, add ciphersuite: 0084
  127. ssl_cli.c:0921: |3| client hello, add ciphersuite: c08d
  128. ssl_cli.c:0921: |3| client hello, add ciphersuite: c079
  129. ssl_cli.c:0921: |3| client hello, add ciphersuite: c089
  130. ssl_cli.c:0921: |3| client hello, add ciphersuite: c075
  131. ssl_cli.c:0921: |3| client hello, add ciphersuite: 009c
  132. ssl_cli.c:0921: |3| client hello, add ciphersuite: c09c
  133. ssl_cli.c:0921: |3| client hello, add ciphersuite: 003c
  134. ssl_cli.c:0921: |3| client hello, add ciphersuite: 002f
  135. ssl_cli.c:0921: |3| client hello, add ciphersuite: c031
  136. ssl_cli.c:0921: |3| client hello, add ciphersuite: c029
  137. ssl_cli.c:0921: |3| client hello, add ciphersuite: c00e
  138. ssl_cli.c:0921: |3| client hello, add ciphersuite: c02d
  139. ssl_cli.c:0921: |3| client hello, add ciphersuite: c025
  140. ssl_cli.c:0921: |3| client hello, add ciphersuite: c004
  141. ssl_cli.c:0921: |3| client hello, add ciphersuite: c0a0
  142. ssl_cli.c:0921: |3| client hello, add ciphersuite: c07a
  143. ssl_cli.c:0921: |3| client hello, add ciphersuite: 00ba
  144. ssl_cli.c:0921: |3| client hello, add ciphersuite: 0041
  145. ssl_cli.c:0921: |3| client hello, add ciphersuite: c08c
  146. ssl_cli.c:0921: |3| client hello, add ciphersuite: c078
  147. ssl_cli.c:0921: |3| client hello, add ciphersuite: c088
  148. ssl_cli.c:0921: |3| client hello, add ciphersuite: c074
  149. ssl_cli.c:0921: |3| client hello, add ciphersuite: ccae
  150. ssl_cli.c:0921: |3| client hello, add ciphersuite: 00ad
  151. ssl_cli.c:0921: |3| client hello, add ciphersuite: 00b7
  152. ssl_cli.c:0921: |3| client hello, add ciphersuite: 0095
  153. ssl_cli.c:0921: |3| client hello, add ciphersuite: c093
  154. ssl_cli.c:0921: |3| client hello, add ciphersuite: c099
  155. ssl_cli.c:0921: |3| client hello, add ciphersuite: 00ac
  156. ssl_cli.c:0921: |3| client hello, add ciphersuite: 00b6
  157. ssl_cli.c:0921: |3| client hello, add ciphersuite: 0094
  158. ssl_cli.c:0921: |3| client hello, add ciphersuite: c092
  159. ssl_cli.c:0921: |3| client hello, add ciphersuite: c098
  160. ssl_cli.c:0921: |3| client hello, add ciphersuite: ccab
  161. ssl_cli.c:0921: |3| client hello, add ciphersuite: 00a9
  162. ssl_cli.c:0921: |3| client hello, add ciphersuite: c0a5
  163. ssl_cli.c:0921: |3| client hello, add ciphersuite: 00af
  164. ssl_cli.c:0921: |3| client hello, add ciphersuite: 008d
  165. ssl_cli.c:0921: |3| client hello, add ciphersuite: c08f
  166. ssl_cli.c:0921: |3| client hello, add ciphersuite: c095
  167. ssl_cli.c:0921: |3| client hello, add ciphersuite: c0a9
  168. ssl_cli.c:0921: |3| client hello, add ciphersuite: 00a8
  169. ssl_cli.c:0921: |3| client hello, add ciphersuite: c0a4
  170. ssl_cli.c:0921: |3| client hello, add ciphersuite: 00ae
  171. ssl_cli.c:0921: |3| client hello, add ciphersuite: 008c
  172. ssl_cli.c:0921: |3| client hello, add ciphersuite: c08e
  173. ssl_cli.c:0921: |3| client hello, add ciphersuite: c094
  174. ssl_cli.c:0921: |3| client hello, add ciphersuite: c0a8
  175. ssl_cli.c:0934: |3| client hello, got 127 ciphersuites (excluding SCSVs)
  176. ssl_cli.c:0943: |3| adding EMPTY_RENEGOTIATION_INFO_SCSV
  177. ssl_cli.c:0992: |3| client hello, compress len.: 1
  178. ssl_cli.c:0993: |3| client hello, compress alg.: 0
  179. ssl_cli.c:0068: |3| client hello, adding server name extension: a2g7twmqo7hg82-ats.iot.ap-south-1.amazonaws.com
  180. ssl_cli.c:0186: |3| client hello, adding signature_algorithms extension
  181. ssl_cli.c:0271: |3| client hello, adding supported_elliptic_curves extension
  182. ssl_cli.c:0336: |3| client hello, adding supported_point_formats extension
  183. ssl_cli.c:0517: |3| client hello, adding encrypt_then_mac extension
  184. ssl_cli.c:0551: |3| client hello, adding extended_master_secret extension
  185. ssl_cli.c:0585: |3| client hello, adding session ticket extension
  186. ssl_cli.c:1070: |3| client hello, total extension length: 128
  187. ssl_tls.c:3184: |2| => write handshake message
  188. ssl_tls.c:3343: |2| => write record
  189. ssl_tls.c:3420: |3| output record: msgtype = 22, version = [3:1], msglen = 429
  190. ssl_tls.c:3425: |4| dumping 'output record sent to network' (434 bytes)
  191. ssl_tls.c:3425: |4| 0000: 16 03 01 01 ad 01 00 01 a9 03 03 5b d9 84 1f 2f ...........[.../
  192. ssl_tls.c:3425: |4| 0010: 33 35 54 ea 0b 5d e1 dc 42 0c 99 d4 a1 25 72 6f 35T..]..B....%ro
  193. ssl_tls.c:3425: |4| 0020: 0f cf 8e 56 0d ab f5 10 e4 47 46 00 01 00 cc a8 ...V.....GF.....
  194. ssl_tls.c:3425: |4| 0030: cc a9 cc aa c0 2c c0 30 00 9f c0 ad c0 9f c0 24 .....,.0.......$
  195. ssl_tls.c:3425: |4| 0040: c0 28 00 6b c0 0a c0 14 00 39 c0 af c0 a3 c0 87 .(.k.....9......
  196. ssl_tls.c:3425: |4| 0050: c0 8b c0 7d c0 73 c0 77 00 c4 00 88 c0 2b c0 2f ...}.s.w.....+./
  197. ssl_tls.c:3425: |4| 0060: 00 9e c0 ac c0 9e c0 23 c0 27 00 67 c0 09 c0 13 .......#.'.g....
  198. ssl_tls.c:3425: |4| 0070: 00 33 c0 ae c0 a2 c0 86 c0 8a c0 7c c0 72 c0 76 .3.........|.r.v
  199. ssl_tls.c:3425: |4| 0080: 00 be 00 45 cc ac cc ad 00 ab c0 a7 c0 38 00 b3 ...E.........8..
  200. ssl_tls.c:3425: |4| 0090: c0 36 00 91 c0 91 c0 9b c0 97 c0 ab 00 aa c0 a6 .6..............
  201. ssl_tls.c:3425: |4| 00a0: c0 37 00 b2 c0 35 00 90 c0 90 c0 96 c0 9a c0 aa .7...5..........
  202. ssl_tls.c:3425: |4| 00b0: 00 9d c0 9d 00 3d 00 35 c0 32 c0 2a c0 0f c0 2e .....=.5.2.*....
  203. ssl_tls.c:3425: |4| 00c0: c0 26 c0 05 c0 a1 c0 7b 00 c0 00 84 c0 8d c0 79 .&.....{.......y
  204. ssl_tls.c:3425: |4| 00d0: c0 89 c0 75 00 9c c0 9c 00 3c 00 2f c0 31 c0 29 ...u.....<./.1.)
  205. ssl_tls.c:3425: |4| 00e0: c0 0e c0 2d c0 25 c0 04 c0 a0 c0 7a 00 ba 00 41 ...-.%.....z...A
  206. ssl_tls.c:3425: |4| 00f0: c0 8c c0 78 c0 88 c0 74 cc ae 00 ad 00 b7 00 95 ...x...t........
  207. ssl_tls.c:3425: |4| 0100: c0 93 c0 99 00 ac 00 b6 00 94 c0 92 c0 98 cc ab ................
  208. ssl_tls.c:3425: |4| 0110: 00 a9 c0 a5 00 af 00 8d c0 8f c0 95 c0 a9 00 a8 ................
  209. ssl_tls.c:3425: |4| 0120: c0 a4 00 ae 00 8c c0 8e c0 94 c0 a8 00 ff 01 00 ................
  210. ssl_tls.c:3425: |4| 0130: 00 80 00 00 00 34 00 32 00 00 2f 61 32 67 37 74 .....4.2../a2g7t
  211. ssl_tls.c:3425: |4| 0140: 77 6d 71 6f 37 68 67 38 32 2d 61 74 73 2e 69 6f wmqo7hg82-ats.io
  212. ssl_tls.c:3425: |4| 0150: 74 2e 61 70 2d 73 6f 75 74 68 2d 31 2e 61 6d 61 t.ap-south-1.ama
  213. ssl_tls.c:3425: |4| 0160: 7a 6f 6e 61 77 73 2e 63 6f 6d 00 0d 00 16 00 14 zonaws.com......
  214. ssl_tls.c:3425: |4| 0170: 06 03 06 01 05 03 05 01 04 03 04 01 03 03 03 01 ................
  215. ssl_tls.c:3425: |4| 0180: 02 03 02 01 00 0a 00 18 00 16 00 19 00 1c 00 18 ................
  216. ssl_tls.c:3425: |4| 0190: 00 1b 00 17 00 16 00 1a 00 15 00 14 00 13 00 12 ................
  217. ssl_tls.c:3425: |4| 01a0: 00 0b 00 02 01 00 00 16 00 00 00 17 00 00 00 23 ...............#
  218. ssl_tls.c:3425: |4| 01b0: 00 00 ..
  219. ssl_tls.c:2755: |2| => flush output
  220. ssl_tls.c:2773: |2| message length: 434, out_left: 434
  221. ssl_tls.c:2779: |2| ssl->f_send() returned 434 (-0xfffffe4e)
  222. ssl_tls.c:2807: |2| <= flush output
  223. ssl_tls.c:3476: |2| <= write record
  224. ssl_tls.c:3320: |2| <= write handshake message
  225. ssl_cli.c:1106: |2| <= write client hello
  226. ssl_cli.c:3510: |2| client state: 2
  227. ssl_tls.c:2755: |2| => flush output
  228. ssl_tls.c:2767: |2| <= flush output
  229. ssl_cli.c:1499: |2| => parse server hello
  230. ssl_tls.c:4311: |2| => read record
  231. ssl_tls.c:2536: |2| => fetch input
  232. ssl_tls.c:2696: |2| in_left: 0, nb_want: 5
  233. ssl_tls.c:2720: |2| in_left: 0, nb_want: 5
  234. ssl_tls.c:2722: |2| ssl->f_recv(_timeout)() returned -80 (-0x0050)
  235. ssl_tls.c:4973: |1| mbedtls_ssl_fetch_input() returned -80 (-0x0050)
  236. ssl_tls.c:4344: |1| ssl_get_next_record() returned -80 (-0x0050)
  237. ssl_cli.c:1506: |1| mbedtls_ssl_read_record() returned -80 (-0x0050)
  238. ssl_tls.c:8094: |2| <= handshake
  239. failed
  240. ! mbedtls_ssl_handshake returned -0x50
  241.  
  242. Last error was: -0x50 - NET - Connection was reset by peer
  243.  
  244. ssl_tls.c:8934: |2| => free
  245. ssl_tls.c:8999: |2| <= free
  246.  
  247. I request you to help me in resolving this issue.
  248.  
  249. Thanks in advance,
  250. Srinivas.
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!