我正在尝试使用AWS IoT C SDK中的wolfSSL替换mbedTLS网络层。
使用mbedTLS时,SDK附带的简单subscribe_publish_sample演示可以在Linux主机上正常工作。
然而,当我用wolfSSL替换它时,我得到一个失败,错误= 42,这似乎是服务器拒绝了客户端证书......?
建立与AWS服务器的TCP连接,然后建立与wolfSSL会话关联的套接字,并将服务器的rootCA,客户端的证书和私钥添加到会话中(我删除了错误处理代码):
const int cert_container_format = SSL_FILETYPE_PEM;
WOLFSSL_METHOD * const method = wolfTLSv1_2_client_method();
hentry = gethostbyname(host_url);
memcpy(&sock_addr.sin_addr.s_addr, *hentry->h_addr_list, hentry->h_length);
sock_addr.sin_family = hentry->h_addrtype;
socket_fd = socket(sock_addr.sin_family, SOCK_STREAM, 0);
sock_addr.sin_port = htons(host_port);
connect(socket_fd, (struct sockaddr *)&sock_addr, sizeof(sock_addr));
wolfSSL_Init();
ssl_ctx = wolfSSL_CTX_new(method);
session = wolfSSL_new(ssl_ctx);
result = wolfSSL_CTX_load_verify_locations(ssl_ctx, root_ca_filepath, NULL);
result = wolfSSL_CTX_use_PrivateKey_file(ssl_ctx, dev_prvkey_filepath,
cert_container_format);
result = wolfSSL_CTX_use_certificate_file(ssl_ctx, dev_cert_filepath, cert_container_format);
wolfSSL_set_fd(session, socket_fd);
result = wolfSSL_connect(session);
以下是启用调试的完整转储:
AWS IoT SDK Version 2.1.1-
DEBUG: main L#166 rootCA /home/ben/git/aws-iot-device-sdk-embedded-C/samples/linux/subscribe_publish_sample/../../../certs/aws-rootca.pem
DEBUG: main L#167 clientCRT /home/ben/git/aws-iot-device-sdk-embedded-C/samples/linux/subscribe_publish_sample/../../../certs/aws-cert.pem
DEBUG: main L#168 clientKey /home/ben/git/aws-iot-device-sdk-embedded-C/samples/linux/subscribe_publish_sample/../../../certs/aws-prvkey.pem
Connecting...
URL: a3i4lmgkxatoyr.iot.us-west-2.amazonaws.com
name: dualstack.iotmoonraker-u-elb-1w8qnw1336zq-1186348092.us-west-2.elb.amazonaws.com, len: 4, type: 2
alternate names:
a3i4lmgkxatoyr.iot.us-west-2.amazonaws.com
iotmoonraker.us-west-2.prod.iot.us-west-2.amazonaws.com
addresses:
52.10.19.111
52.41.23.91
34.210.178.78
35.165.44.84
52.25.57.203
35.160.71.83
wolfSSL Entering wolfSSL_Init
wolfSSL Entering wolfCrypt_Init
wolfSSL Entering WOLFSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
DEBUG: iot_tls_connect L#271 root CA file: /home/ben/git/aws-iot-device-sdk-embedded-C/samples/linux/subscribe_publish_sample/../../../certs/aws-rootca.pem
wolfSSL Entering wolfSSL_CTX_load_verify_locations
Getting dynamic buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Parsed new CA
Freeing Parsed CA
Freeing der CA
OK Freeing der CA
wolfSSL Leaving AddCA, return 0
Processed a CA
Processed at least one valid CA. Other stuff OK
DEBUG: iot_tls_connect L#280 dev private key file: /home/ben/git/aws-iot-device-sdk-embedded-C/samples/linux/subscribe_publish_sample/../../../certs/aws-prvkey.pem
wolfSSL Entering wolfSSL_CTX_use_PrivateKey_file
Getting dynamic buffer
wolfSSL Entering PemToDer
DEBUG: iot_tls_connect L#290 dev certificate file: /home/ben/git/aws-iot-device-sdk-embedded-C/samples/linux/subscribe_publish_sample/../../../certs/aws-cert.pem
wolfSSL Entering wolfSSL_CTX_use_certificate_file
Getting dynamic buffer
wolfSSL Entering PemToDer
Checking cert signature type
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Not ECDSA cert signature
wolfSSL Entering SSL_set_fd
wolfSSL Entering SSL_set_read_fd
wolfSSL Leaving SSL_set_read_fd, return 1
wolfSSL Entering SSL_set_write_fd
wolfSSL Leaving SSL_set_write_fd, return 1
wolfSSL Entering SSL_connect()
Adding signature algorithms extension
growing output buffer
Signature Algorithms extension to write
Elliptic Curves extension to write
Shrinking output buffer
connect state: CLIENT_HELLO_SENT
growing input buffer
received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server hello
wolfSSL Entering VerifyClientSuite
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
More messages in record
received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing certificate
wolfSSL Entering ProcessPeerCerts
Loading peer's cert chain
Put another cert into chain
Put another cert into chain
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
Certificate Policy extension not supported yet.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAltNames
Unsupported name type, skipping
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
About to verify certificate signature
wolfSSL Entering ConfirmSignature
wolfSSL Leaving ConfirmSignature, return 0
Adding CA from chain
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
Certificate Policy extension not supported yet.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAltNames
Unsupported name type, skipping
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Parsed new CA
Freeing Parsed CA
Freeing der CA
OK Freeing der CA
wolfSSL Leaving AddCA, return 0
Verifying Peer's cert
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAltNames
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Certificate Policy extension not supported yet.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
About to verify certificate signature
wolfSSL Entering ConfirmSignature
wolfSSL Leaving ConfirmSignature, return 0
Verified Peer's cert
wolfSSL Leaving ProcessPeerCerts, return 0
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
More messages in record
received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server key exchange
wolfSSL Entering DoServerKeyExchange
wolfSSL Entering EccVerify
wolfSSL Leaving EccVerify, return 0
wolfSSL Leaving DoServerKeyExchange, return 0
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
More messages in record
received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing certificate request
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
More messages in record
received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server hello done
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
connect state: HELLO_AGAIN
connect state: HELLO_AGAIN_REPLY
connect state: FIRST_REPLY_DONE
growing output buffer
Shrinking output buffer
sent: certificate
connect state: FIRST_REPLY_FIRST
wolfSSL Entering SendClientKeyExchange
wolfSSL Entering EccMakeKey
wolfSSL Leaving EccMakeKey, return 0
wolfSSL Entering EccSharedSecret
wolfSSL Leaving EccSharedSecret, return 0
growing output buffer
Shrinking output buffer
wolfSSL Leaving SendClientKeyExchange, return 0
sent: client key exchange
connect state: FIRST_REPLY_SECOND
wolfSSL Entering SendCertificateVerify
sent: certificate verify
connect state: FIRST_REPLY_THIRD
growing output buffer
Shrinking output buffer
sent: change cipher spec
connect state: FIRST_REPLY_FOURTH
growing output buffer
wolfSSL Entering BuildMessage
wolfSSL Leaving BuildMessage, return 0
Shrinking output buffer
sent: finished
connect state: FINISHED_DONE
received record layer msg
got ALERT!
Got alert
wolfSSL error occurred, error = 42
wolfSSL error occurred, error = -313
ERROR: iot_tls_connect L#326 wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -313
failure creating SSL connection to server [-313]
wolfSSL Entering SSL_free
CTX ref count not 0 yet, no free
Shrinking input buffer
wolfSSL Leaving SSL_free, return 0
wolfSSL Entering SSL_CTX_free
CTX ref count down to 0, doing full free
wolfSSL Entering wolfSSL_CertManagerFree
wolfSSL Leaving SSL_CTX_free, return 0
wolfSSL Entering wolfSSL_Cleanup
wolfSSL Entering wolfCrypt_Cleanup
wolfSSL Entering SSL_shutdown()
wolfSSL Entering wolfSSL_Cleanup
ERROR: main L#197 Error(-4) connecting to a3i4lmgkxatoyr.iot.us-west-2.amazonaws.com:8883
这是运行演示时的wireshark捕获:
324 43.301028126 147.34.2.16 → 134.86.9.42 DNS 546 Standard query response 0x6223 A a3i4lmgkxatoyr.iot.us-west-2.amazonaws.com CNAME iotmoonraker.us-west-2.prod.iot.us-west-2.amazonaws.com CNAME dualstack.iotmoonraker-u-elb-1w8qnw1336zq-1186348092.us-west-2.elb.amazonaws.com A 52.10.19.111 A 52.25.57.203 A 35.165.44.84 A 35.160.71.83 A 34.210.178.78 A 52.41.23.91 NS ns-560.awsdns-06.net NS ns-1475.awsdns-56.org NS ns-1
769.awsdns-29.co.uk NS ns-332.awsdns-41.com A 205.251.198.233 AAAA 2600:9000:5306:e900::1 A 205.251.193.76 AAAA 2600:9000:5301:4c00::1
325 43.301247236 134.86.9.42 → 52.10.19.111 TCP 74 40282 → 8883 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1333683979 TSecr=0 WS=128
328 43.412499273 52.10.19.111 → 134.86.9.42 TCP 66 8883 → 40282 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1360 SACK_PERM=1 WS=256
329 43.412535130 134.86.9.42 → 52.10.19.111 TCP 54 40282 → 8883 [ACK] Seq=1 Ack=1 Win=29312 Len=0
336 43.413988506 134.86.9.42 → 52.10.19.111 SSL 196 Client Hello
339 43.414370228 52.10.19.111 → 134.86.9.42 TCP 60 8883 → 40282 [ACK] Seq=1 Ack=143 Win=5888 Len=0
341 43.533620599 52.10.19.111 → 134.86.9.42 TCP 1414 [TCP segment of a reassembled PDU]
342 43.533659332 134.86.9.42 → 52.10.19.111 TCP 54 40282 → 8883 [ACK] Seq=143 Ack=1361 Win=32128 Len=0
343 43.533830301 52.10.19.111 → 134.86.9.42 TLSv1.2 1283 Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done
344 43.533876234 134.86.9.42 → 52.10.19.111 TCP 54 40282 → 8883 [ACK] Seq=143 Ack=2590 Win=35072 Len=0
349 43.545353568 134.86.9.42 → 52.10.19.111 TLSv1.2 66 Certificate
350 43.545651974 52.10.19.111 → 134.86.9.42 TCP 60 8883 → 40282 [ACK] Seq=2590 Ack=155 Win=5888 Len=0
351 43.552906179 134.86.9.42 → 52.10.19.111 TLSv1.2 129 Client Key Exchange
352 43.553226294 52.10.19.111 → 134.86.9.42 TCP 60 8883 → 40282 [ACK] Seq=2590 Ack=230 Win=5888 Len=0
353 43.553237461 134.86.9.42 → 52.10.19.111 TLSv1.2 60 Change Cipher Spec
354 43.553645295 52.10.19.111 → 134.86.9.42 TCP 60 8883 → 40282 [ACK] Seq=2590 Ack=236 Win=5888 Len=0
355 43.553661141 134.86.9.42 → 52.10.19.111 TLSv1.2 99 Hello Request, Hello Request
356 43.554058924 52.10.19.111 → 134.86.9.42 TCP 60 8883 → 40282 [ACK] Seq=2590 Ack=281 Win=5888 Len=0
367 43.659283864 52.10.19.111 → 134.86.9.42 TLSv1.2 61 Alert (Level: Fatal, Description: Bad Certificate)
368 43.659391034 134.86.9.42 → 52.10.19.111 TCP 54 40282 → 8883 [FIN, ACK] Seq=281 Ack=2597 Win=35072 Len=0
369 43.659472966 52.10.19.111 → 134.86.9.42 TCP 60 8883 → 40282 [FIN, ACK] Seq=2597 Ack=281 Win=5888 Len=0
371 43.659485750 134.86.9.42 → 52.10.19.111 TCP 54 40282 → 8883 [ACK] Seq=282 Ack=2598 Win=35072 Len=0
372 43.659701144 52.10.19.111 → 134.86.9.42 TCP 60 8883 → 40282 [ACK] Seq=2598 Ack=282 Win=5888 Len=0
使用mbedTLS时完全相同的证书/密钥。
我显然在这里遗漏了一些东西,对某些人来说可能也很明显,但我没有看到它。
(也发布在wolfSSL论坛[https://www.wolfssl.com/forums/topic1122-failure-with-alert-error-42-when-connecting-to-aws-iot.html]上,但我认为我会让观众受欢迎)
答案 0 :(得分:1)
好的,事实证明我必须在创建SSL会话之前加载certs / key ,而不是之后加载:
ssl_ctx = wolfSSL_CTX_new(method);
result = wolfSSL_CTX_load_verify_locations(ssl_ctx, root_ca_filepath, NULL);
result = wolfSSL_CTX_use_PrivateKey_file(ssl_ctx, dev_prvkey_filepath,
cert_container_format);
result = wolfSSL_CTX_use_certificate_file(ssl_ctx, dev_cert_filepath, cert_container_format);
session = wolfSSL_new(ssl_ctx);
而不是:
ssl_ctx = wolfSSL_CTX_new(method);
session = wolfSSL_new(ssl_ctx);
result = wolfSSL_CTX_load_verify_locations(ssl_ctx, root_ca_filepath, NULL);
result = wolfSSL_CTX_use_PrivateKey_file(ssl_ctx, dev_prvkey_filepath,
cert_container_format);
result = wolfSSL_CTX_use_certificate_file(ssl_ctx, dev_cert_filepath, cert_container_format);
答案 1 :(得分:0)
这很可能是未能协商使用的密码。
此主题可以帮助您解决此问题。相关部分:
“ - 313”表示服务器已向客户端发回致命警报。如果在发送ClientHello消息后发生这种情况,这很可能意味着客户端没有广播对服务器所需的密码套件或扩展的支持。
使用nmap确定亚马逊支持哪些密码套件,然后在WolfSSL中启用最佳密码套件。
nmap --script ssl-enum-ciphers -p 443 <host>