[lwip-devel] [bug #60078] MQTTS : Support SNI extension needed for some


From: Roger Sala
Subject: [lwip-devel] [bug #60078] MQTTS : Support SNI extension needed for some cloud
Date: Fri, 8 Sep 2023 14:47:58 -0400 (EDT)

Follow-up Comment #1, bug #60078 (project lwip):

I am developing an AWS IoT MQTT client on STM32H723 using FreeRTOS 10.3.1, LwIP
2.1.2 and MbedTLS 2.28.4. Through debugging and looking at Wireshark captures,
it appears that this client is successfully completing the TLS handshake:

Time,Source,Destination,Protocol,Length,Info
0,10.0.0.11,54.156.47.148,TLSv1.2,336,Client Hello
0.016360719,54.156.47.148,10.0.0.11,TLSv1.2,150,Server Hello
0.001577507,54.156.47.148,10.0.0.11,TLSv1.2,685,Certificate
0.00001705,54.156.47.148,10.0.0.11,TLSv1.2,438,"Server Key Exchange, Certificate Request, Server Hello Done"
2.518046294,10.0.0.11,54.156.47.148,TLSv1.2,1329,"Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message"
0.015707564,54.156.47.148,10.0.0.11,TLSv1.2,60,Change Cipher Spec
0.000007277,54.156.47.148,10.0.0.11,TLSv1.2,99,Encrypted Handshake Message

... and then when it attempts to connect ...

0.001473909,10.0.0.11,54.156.47.148,TLSv1.2,193,Application Data
0.022366332,54.156.47.148,10.0.0.11,TLSv1.2,85,Encrypted Alert

... the IoT broker issues an encrypted alert which I believe to be a TLS
close_notify, because it is followed by a TCP FIN shortly afterwards. I've
confirmed in the debugger that the penultimate "Application Data" packet is in
fact the MQTT connect.

I've been through all the AWS troubleshooting guides and my certificates are
all good and I have my policy set to --

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "iot:*", "Resource": "*" } ] }

-- such that I can connect and publish to it with mosquitto_pub using any
random client ID and topic. Furthermore this client can connect to a local
mosquitto broker that I have set up and the decrypted dissection of the
Wireshark capture of the successful MQTT connect looks to be in order.

Failures that take place before a MQTT connect are not included in the AWS
logs so I'm at a loss. Is the reason I'm not able to connect due to the fact
that I'm not including the SNI?




Reply to this item at:

  <https://savannah.nongnu.org/bugs/?60078>
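The check a practitioner would want here is whether the 336-byte Client Hello in the capture actually carries an RFC 6066 server_name extension (in Wireshark: Client Hello > Extensions > server_name). With mbedTLS the host name is supplied through mbedtls_ssl_set_hostname(); if that call is never made, no server_name extension is sent, and AWS IoT Core documents SNI as required for its endpoints. The following is an added example, not code from the bug report, lwIP or mbedTLS: it encodes a server_name extension, builds a minimal constructed TLS 1.2 ClientHello around it, and scans a ClientHello body for server_name the way one would when inspecting a captured packet, including the failure modes (extension absent, truncated capture). The endpoint name example-ats.iot.us-east-1.amazonaws.com is a placeholder.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static size_t rd16(const uint8_t *b) { return ((size_t)b[0] << 8) | b[1]; }

/* Encode an RFC 6066 server_name extension (extension_type 0) with a single
 * host_name entry. Returns bytes written, or 0 if the name is empty, longer
 * than 255 bytes, or the output buffer is too small. */
size_t sni_encode(const char *host, uint8_t *out, size_t out_len)
{
    size_t n = strlen(host);
    if (n == 0 || n > 255 || out_len < n + 9) return 0;
    size_t list_len = n + 3;          /* name_type(1) + name_len(2) + name */
    size_t ext_len = list_len + 2;    /* + ServerNameList length field     */
    uint8_t *p = out;
    *p++ = 0x00; *p++ = 0x00;                                   /* extension_type = server_name */
    *p++ = (uint8_t)(ext_len >> 8);  *p++ = (uint8_t)ext_len;
    *p++ = (uint8_t)(list_len >> 8); *p++ = (uint8_t)list_len;
    *p++ = 0x00;                                                /* name_type = host_name */
    *p++ = (uint8_t)(n >> 8);        *p++ = (uint8_t)n;
    memcpy(p, host, n);
    return n + 9;
}

/* Scan a ClientHello handshake body (the bytes after the 4-byte Handshake
 * header) for server_name. On success copies the NUL-terminated host name
 * into `host` and returns 1; returns 0 if absent, malformed or truncated. */
int clienthello_find_sni(const uint8_t *ch, size_t len, char *host, size_t host_len)
{
    size_t p = 0;
    if (len < 2 + 32 + 1) return 0;
    p += 2 + 32;                                   /* client_version + random */
    size_t sid = ch[p++];                          /* session_id<0..32>       */
    if (p + sid > len) return 0;
    p += sid;
    if (p + 2 > len) return 0;
    size_t cs = rd16(ch + p); p += 2;              /* cipher_suites           */
    if (p + cs > len) return 0;
    p += cs;
    if (p + 1 > len) return 0;
    size_t cm = ch[p++];                           /* compression_methods     */
    if (p + cm > len) return 0;
    p += cm;
    if (p + 2 > len) return 0;                     /* no extensions block: no SNI */
    size_t ext_total = rd16(ch + p); p += 2;
    if (p + ext_total > len) return 0;             /* truncated capture */
    size_t end = p + ext_total;
    while (p + 4 <= end) {
        size_t type = rd16(ch + p), elen = rd16(ch + p + 2);
        p += 4;
        if (p + elen > end) return 0;
        if (type == 0x0000) {
            if (elen < 5) return 0;
            size_t list_len = rd16(ch + p);
            if (list_len + 2 != elen || ch[p + 2] != 0x00) return 0;   /* only host_name type */
            size_t nlen = rd16(ch + p + 3);
            if (nlen + 3 != list_len || nlen + 1 > host_len) return 0;
            memcpy(host, ch + p + 5, nlen);
            host[nlen] = '\0';
            return 1;
        }
        p += elen;                                 /* skip any other extension */
    }
    return 0;
}

/* Constructed test data, not a captured packet: minimal TLS 1.2 ClientHello
 * with a fixed random, empty session_id, one cipher suite, null compression
 * and the supplied extensions block (omitted entirely when exts_len == 0). */
size_t build_clienthello(const uint8_t *exts, size_t exts_len, uint8_t *out, size_t out_len)
{
    size_t need = 2 + 32 + 1 + 4 + 2 + (exts_len ? 2 + exts_len : 0);
    if (out_len < need) return 0;
    uint8_t *p = out;
    *p++ = 0x03; *p++ = 0x03;                            /* client_version = TLS 1.2 */
    memset(p, 0xAB, 32); p += 32;                        /* random (fixed, constructed) */
    *p++ = 0x00;                                         /* empty session_id */
    *p++ = 0x00; *p++ = 0x02; *p++ = 0xC0; *p++ = 0x2F;  /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
    *p++ = 0x01; *p++ = 0x00;                            /* compression_methods = { null } */
    if (exts_len) {
        *p++ = (uint8_t)(exts_len >> 8); *p++ = (uint8_t)exts_len;
        memcpy(p, exts, exts_len);
    }
    return need;
}

static const uint8_t ec_point_formats[] = { 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00 }; /* unrelated ext */

/* Encode SNI for `host` behind an unrelated extension, build the ClientHello,
 * parse it back. Returns 1 if the recovered name equals `host`. */
int sni_roundtrip_ok(const char *host)
{
    uint8_t exts[512], ch[600];
    char found[256];
    memcpy(exts, ec_point_formats, sizeof ec_point_formats);
    size_t n = sni_encode(host, exts + sizeof ec_point_formats, sizeof exts - sizeof ec_point_formats);
    if (n == 0) return 0;
    size_t chlen = build_clienthello(exts, sizeof ec_point_formats + n, ch, sizeof ch);
    if (chlen == 0) return 0;
    return clienthello_find_sni(ch, chlen, found, sizeof found) == 1 && strcmp(found, host) == 0;
}

/* The case the bug report asks about: a ClientHello with no server_name.
 * Returns 1 if the scanner reports SNI absent with no extensions block, with
 * only other extensions, and on a capture truncated mid-extension. */
int sni_absent_detected(void)
{
    uint8_t ch[128];
    char found[256];
    size_t a = build_clienthello(NULL, 0, ch, sizeof ch);
    if (a == 0 || clienthello_find_sni(ch, a, found, sizeof found) != 0) return 0;
    size_t b = build_clienthello(ec_point_formats, sizeof ec_point_formats, ch, sizeof ch);
    if (b == 0 || clienthello_find_sni(ch, b, found, sizeof found) != 0) return 0;
    return clienthello_find_sni(ch, b - 2, found, sizeof found) == 0;
}

int main(void)
{
    const char *host = "example-ats.iot.us-east-1.amazonaws.com";   /* placeholder endpoint */
    printf("SNI round trip for %s: %s\n", host, sni_roundtrip_ok(host) ? "ok" : "FAILED");
    printf("SNI absence detected: %s\n", sni_absent_detected() ? "ok" : "FAILED");
    return 0;
}
```

On the device side the equivalent of sni_encode() is done inside mbedTLS once mbedtls_ssl_set_hostname(&ssl, host) has been called before mbedtls_ssl_handshake(); that same call also turns on CN/SAN checking of the broker certificate, so it should be present regardless of whether SNI turns out to be the cause of the close_notify.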
