Unable to connect with AWS host url using Embedded C SDK - c

I am trying to run subscribe_publish_sample on a device (ARM architecture). For this I have cross-compiled the code and copied it to the device. The required certificates are also copied to the device. I am getting the following error.
Please let me know of any mistake.
ERROR: iot_tls_connect L#164 failed
! mbedtls_net_connect returned -0x52
ERROR: main L#190 Error(-23) connecting to 215740087218.iot.ap-south-1.amazonaws.com:8883
Configurations :
#define AWS_IOT_MQTT_HOST "215740087218.iot.ap-south-1.amazonaws.com" ///< Customer specific MQTT HOST. The same will be used for Thing Shadow
#define AWS_IOT_MQTT_PORT 8883 ///< default port for MQTT/S
#define AWS_IOT_MQTT_CLIENT_ID "RaspberryPi" ///< MQTT client ID should be unique for every device
#define AWS_IOT_MY_THING_NAME "RaspberryPi" ///< Thing Name of the Shadow this device is associated with
#define AWS_IOT_ROOT_CA_FILENAME "rootCA.crt" ///< Root CA file name
#define AWS_IOT_CERTIFICATE_FILENAME "7256bcd191-certificate.pem.crt" ///< device signed certificate file name
#define AWS_IOT_PRIVATE_KEY_FILENAME "7256bcd191-private.pem.key" ///< Device private key filename
======================================================================================
Certificates copied to device :
root#RelySys:~/aws_iot/my_app/aws-iot-device-sdk-embedded-C-master/certs# ls
7256bcd191-certificate.pem.crt 7256bcd191-private.pem.key 7256bcd191-public.pem.key README.txt rootCA.crt
ARN : arn:aws:iot:ap-south-1:215740087218:thing/RaspberryPi
Policy attached : arn:aws:iot:ap-south-1:215740087218:policy/RaspberrypiPolicy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iot:*",
"Resource": "*"
}
]
}
==============================================================================
Debug Logs for sample :
root#RelySys:~/aws_iot/my_app/aws-iot-device-sdk-embedded-C-master/samples/linux/subscribe_publish_sample# ./subscribe_publish_sample
AWS IoT SDK Version 3.0.1-
DEBUG: main L#159 rootCA /home/root/aws_iot/my_app/aws-iot-device-sdk-embedded-C-master/samples/linux/subscribe_publish_sample/../../../certs/rootCA.crt
DEBUG: main L#160 clientCRT /home/root/aws_iot/my_app/aws-iot-device-sdk-embedded-C-master/samples/linux/subscribe_publish_sample/../../../certs/7256bcd191-certificate.pem.crt
DEBUG: main L#161 clientKey /home/root/aws_iot/my_app/aws-iot-device-sdk-embedded-C-master/samples/linux/subscribe_publish_sample/../../../certs/7256bcd191-private.pem.key
Connecting...
DEBUG: iot_tls_connect L#130
. Seeding the random number generator...
DEBUG: iot_tls_connect L#138 . Loading the CA root certificate ...
DEBUG: iot_tls_connect L#144 ok (0 skipped)
DEBUG: iot_tls_connect L#146 . Loading the client cert. and key...
DEBUG: iot_tls_connect L#159 ok
DEBUG: iot_tls_connect L#161 . Connecting to 215740087218.iot.ap-south-1.amazonaws.com/8883...
ERROR: iot_tls_connect L#164 failed
! mbedtls_net_connect returned -0x52
ERROR: main L#190 Error(-23) connecting to 215740087218.iot.ap-south-1.amazonaws.com:8883
telnet logs :
root#RelySys:~/aws_iot/my_app/aws-iot-device-sdk-embedded-C-master/certs# telnet 215740087218.iot.ap-south-1.amazonaws.com 8883
telnet: bad address '215740087218.iot.ap-south-1.amazonaws.com'
root#RelySys:~/aws_iot/my_app/aws-iot-device-sdk-embedded-C-master/certs#
ping response:
root#RelySys:~/aws_iot/my_app/aws-iot-device-sdk-embedded-C-master/certs# ping 215740087218.iot.ap-south-1.amazonaws.com
ping: bad address '215740087218.iot.ap-south-1.amazonaws.com'
root#RelySys:~/aws_iot/my_app/aws-iot-device-sdk-embedded-C-master/certs#
Mosquitto_sub response :
root#RelySys:~/aws_iot/my_app/aws-iot-device-sdk-embedded-C-master/certs# mosquitto_sub --cafile rootCA.crt --cert 7256bcd191-certificate.pem.crt --key 7256bcd191-private.pem.key -h 215740087218.iot.ap-south-1.amazonaws.com -p 8883 -q 0 -d -t sdkTest/sub -i RaspberryPi
Unable to connect (Lookup error.).
root#RelySys:~/aws_iot/my_app/aws-iot-device-sdk-embedded-C-master/certs#

The host name you provided seems to be incorrect:
nslookup 215740087218.iot.ap-south-1.amazonaws.com
Server: 127.0.1.1
Address: 127.0.1.1#53
** server can't find 215740087218.iot.ap-south-1.amazonaws.com: NXDOMAIN
This is confirmed by the error as well (in net_socket.h from the SDK):
#define MBEDTLS_ERR_NET_UNKNOWN_HOST -0x0052 /**< Failed to get an IP address for the given hostname. */
Read AWS IoT Connecting Devices. You need to provide the endpoint specific to your account.
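As an added illustration (not code from the question, the answer or the AWS SDK), the following preflight reproduces the failing step in isolation: it resolves the configured host with the same getaddrinfo() call mbedtls_net_connect() uses, maps the outcome to the mbed TLS error name the SDK printed (-0x52), and warns when the first label of the hostname is purely numeric, since the value pasted into AWS_IOT_MQTT_HOST above is the 12-digit account ID rather than the account-specific endpoint prefix. The numeric-label heuristic, the error table and the default hostname are this example's own assumptions.

```c
/* Added example: DNS preflight for an AWS IoT endpoint (POSIX, no TLS library needed). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <netdb.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/* Error codes as defined in mbed TLS net_sockets.h for the connect step;
 * the names are the library's, this lookup table is the example's own. */
static const char *net_err_name(int code)
{
    switch (code) {
    case -0x0052: return "MBEDTLS_ERR_NET_UNKNOWN_HOST (DNS lookup failed)";
    case -0x0044: return "MBEDTLS_ERR_NET_CONNECT_FAILED (TCP connect failed)";
    case -0x0042: return "MBEDTLS_ERR_NET_SOCKET_FAILED (socket() failed)";
    default:      return "unlisted mbed TLS net error";
    }
}

/* Heuristic (assumption of this example): the first label of an AWS IoT
 * endpoint is an identifier assigned by AWS, never the bare account ID, so a
 * purely numeric first label is a strong hint that the wrong value was pasted
 * into AWS_IOT_MQTT_HOST. Returns 1 when the first label is all digits. */
static int first_label_is_numeric(const char *host)
{
    size_t i;
    if (host == NULL || host[0] == '\0' || host[0] == '.')
        return 0;
    for (i = 0; host[i] != '\0' && host[i] != '.'; i++)
        if (!isdigit((unsigned char)host[i]))
            return 0;
    return 1;
}

/* Resolve host:port the way mbedtls_net_connect() does (AF_UNSPEC, SOCK_STREAM).
 * Returns 0 and writes the first address as text into out, or the EAI_* code. */
static int resolve_endpoint(const char *host, const char *port, char *out, size_t outlen)
{
    struct addrinfo hints, *res = NULL;
    int rc;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    rc = getaddrinfo(host, port, &hints, &res);
    if (rc != 0)
        return rc;
    if (res->ai_family == AF_INET) {
        struct sockaddr_in *sa = (struct sockaddr_in *)res->ai_addr;
        inet_ntop(AF_INET, &sa->sin_addr, out, (socklen_t)outlen);
    } else if (res->ai_family == AF_INET6) {
        struct sockaddr_in6 *sa6 = (struct sockaddr_in6 *)res->ai_addr;
        inet_ntop(AF_INET6, &sa6->sin6_addr, out, (socklen_t)outlen);
    } else {
        snprintf(out, outlen, "(non-IP family %d)", res->ai_family);
    }
    freeaddrinfo(res);
    return 0;
}

int main(int argc, char **argv)
{
    /* Default is the host from the question; pass another on the command line. */
    const char *host = argc > 1 ? argv[1] : "215740087218.iot.ap-south-1.amazonaws.com";
    char addr[INET6_ADDRSTRLEN + 32];
    int rc;

    if (first_label_is_numeric(host))
        printf("warning: first label of '%s' is numeric; AWS_IOT_MQTT_HOST should be the "
               "account-specific endpoint shown in the AWS IoT console, not the account ID\n", host);

    rc = resolve_endpoint(host, "8883", addr, sizeof addr);
    if (rc != 0) {
        printf("DNS lookup failed: %s\n", gai_strerror(rc));
        printf("the SDK would report this as %s\n", net_err_name(-0x0052));
        return 1;
    }
    printf("%s resolves to %s; the TLS connect can be attempted\n", host, addr);
    return 0;
}
```

Running it on the device before the SDK sample separates "name does not resolve" (fix the endpoint or the device's DNS) from "name resolves but TLS fails" (certificates, policy, clock), which the SDK's single Error(-23) line does not distinguish.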

Related

C: client program reports SSL Certificate verify failed error with localCA

I am writing a simple TLS client/server program to securely communicate over the network. Initially I am building and running both the client and server on the same machine running RHEL 8.2.
First, I am using a custom self-signed SSL certificate and key for my programs. I have placed the rootCA.crt (my custom CA certificate) in /root/CA/rootCA.crt. I also copied the rootCA.pem to /etc/pki/ca-trust/source/anchors/ and executed update-ca-trust enable, then update-ca-trust extract, to install the certificate on the system. (Not sure if I need to reboot the system for it to take effect.)
Initially, the client and server were able to communicate using TLS until I added the certificate validation part of the code on the client side.
Certificate Verification snippet:
ctx = SSL_CTX_new(method);                  /* Create new context */
if (ctx == NULL)
{
    ERR_print_errors_fp(stderr);
    abort();
}
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
SSL_CTX_set_verify_depth(ctx, 4);
const long flags = SSL_OP_NO_SSLv2 |
                   SSL_OP_NO_SSLv3 |
                   SSL_OP_NO_TLSv1 |
                   SSL_OP_NO_TLSv1_1 |
                   SSL_OP_NO_COMPRESSION;
SSL_CTX_set_options(ctx, flags);
/* CAfile is NULL, so only the hashed directory lookup in /root/CA/ is used */
if (SSL_CTX_load_verify_locations(ctx, NULL, "/root/CA/") == 0)
{
    ERR_print_errors_fp(stderr);
    abort();
}
ssl = SSL_new(ctx);                         /* create new SSL connection state */
SSL_set_fd(ssl, server);                    /* attach the socket descriptor */
if (SSL_connect(ssl) == FAIL)               /* perform the connection */
    ERR_print_errors_fp(stderr);
else
{
    sprintf(acClientRequest, "%s", cpRequestMessage);   /* construct reply */
    printf("\n\nConnected with %s encryption\n", SSL_get_cipher(ssl));
}
When I run the server and client programs I see the following error message:
On client:
140736372886336:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915:
On Server:
140736022137664:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:ssl/record/rec_layer_s3.c:1543:SSL alert number 48
Not sure what is going wrong with the certificate validation process. Can anyone suggest how to fix this error?
Just copying your rootCA.crt file into /root/CA/ is not enough.
SSL_CTX_load_verify_locations explicitly states that the files in this directory have to use a specific format:
If CApath is not NULL, it points to a directory containing CA
certificates in PEM format. The files each contain one CA certificate.
The files are looked up by the CA subject name hash value, which must
hence be available. If more than one CA certificate with the same name
hash value exist, the extension must be different (e.g. 9d66eef0.0,
9d66eef0.1 etc). The search is performed in the ordering of the
extension number, regardless of other properties of the certificates.
Use the c_rehash utility to create the necessary links.
Therefore make sure your rootCa.crt is in PEM format. Then generate the required hash and rename the file accordingly. The following command generates the hash value; rename the file to <hashvalue>.0.
openssl x509 -inform PEM -subject_hash_old -in rootCa.crt | head -1
If your code then still does not work, I would first test whether your code works at all. To do so, change the server URL to a real server that uses an HTTPS certificate that is already trusted on your system.
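The check below is an added example, not code from the question or the answer: it inspects a CApath directory and counts the entries OpenSSL's hashed lookup can actually find. SSL_CTX_load_verify_locations(ctx, NULL, dir) only opens files named <8 hex digits>.<n> (and <8 hex digits>.r<n> for CRLs), the names c_rehash produces from the subject-name hash, so a directory containing only rootCA.crt produces "certificate verify failed" even though the CA is sitting right there. One caveat to the command in the answer: OpenSSL 1.0.0 and later look files up by the current -subject_hash value, which is also what c_rehash writes; -subject_hash_old yields a name only older releases consult. The directory path is the one from the question and the name-shape rule is this example's own.

```c
/* Added example: does a CApath directory contain entries the hashed lookup can find? */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <dirent.h>

/* Returns 1 if name has the form HHHHHHHH.N or HHHHHHHH.rN (8 lowercase hex
 * digits, a dot, optional 'r' for a CRL, then one or more decimal digits).
 * That is the only shape a CApath lookup ever opens; anything else is ignored. */
static int is_hashed_ca_name(const char *name)
{
    size_t i;
    if (name == NULL || strlen(name) < 10)
        return 0;
    for (i = 0; i < 8; i++)
        if (!isxdigit((unsigned char)name[i]) || isupper((unsigned char)name[i]))
            return 0;
    if (name[8] != '.')
        return 0;
    i = 9;
    if (name[i] == 'r')            /* CRL entry: HHHHHHHH.rN */
        i++;
    if (name[i] == '\0')
        return 0;
    for (; name[i] != '\0'; i++)
        if (!isdigit((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Scan dir and return how many entries the lookup could find, or -1 if the
 * directory cannot be opened. Unhashed files are reported so the reader sees
 * which certificates the lookup silently skips. */
static int count_hashed_entries(const char *dir)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    int hashed = 0;
    if (d == NULL) {
        perror(dir);
        return -1;
    }
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.')
            continue;
        if (is_hashed_ca_name(e->d_name))
            hashed++;
        else
            printf("note: %s/%s is not a hashed name; CApath lookup ignores it "
                   "(run c_rehash on the directory or rename it to <subject_hash>.0)\n",
                   dir, e->d_name);
    }
    closedir(d);
    return hashed;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/root/CA";   /* path from the question */
    int n = count_hashed_entries(dir);
    if (n < 0)
        return 2;
    printf("%d hashed CA entr%s in %s\n", n, n == 1 ? "y" : "ies", dir);
    return n > 0 ? 0 : 1;
}
```

A zero count with the client still reporting "unknown ca" on the server side is exactly the symptom in the question: the directory is consulted, no file matches the hash, and the chain is rejected.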

Asimbench benchmark running in gem5 fails with "fatal: Unable to find destination for [0x40008000:0x40008040] on system.iobus"

I have downloaded the asimbench files that are provided on the gem5.org website, and I have modified configs/common/FSConfig.py with the following changes:
def makeArmSystem(..):
    ..................
    self.cf0 = CowIdeDisk(driveID='master')
    self.cf2 = CowIdeDisk(driveID='master')
    self.cf0.childImage(mdesc.disk())
    self.cf2.childImage(disk("sdcard-1g-mxplayer.img"))
    # Old platforms have a built-in IDE or CF controller. Default to
    # the IDE controller if both exist. New platforms expect the
    # storage controller to be added from the config script.
    if hasattr(self.realview, "ide"):
        # self.realview.ide.disks = [self.cf0]
        self.realview.ide.disks = [self.cf0, self.cf2]
    elif hasattr(self.realview, "cf_ctrl"):
        # self.realview.cf_ctrl.disks = [self.cf0]
        self.realview.cf_ctrl.disks = [self.cf0, self.cf2]
    else:
        self.pci_ide = IdeController(disks=[self.cf0])
        pci_devices.append(self.pci_ide)
I used this command:
./build/ARM/gem5.opt configs/example/fs.py --mem-size=8192MB \
    --disk-image=/home/yaz/gem5/full_system_images/disks/ARMv7a-ICS-Android.SMP.Asimbench-v3.img \
    --kernel=/home/yaz/gem5/full_system_images/binaries/vmlinux.smp.ics.arm.asimbench.2.6.35 \
    --os-type=android-ics --cpu-type=MinorCPU --machine-type=VExpress_GEM5 \
    --script=/home/yaz/gem5/full_system_images/boot/adobe.rcS
warn: CheckedInt already exists in allParams. This may be caused by the Python 2.7 compatibility layer.
warn: Enum already exists in allParams. This may be caused by the Python 2.7 compatibility layer.
warn: ScopedEnum already exists in allParams. This may be caused by the Python 2.7 compatibility layer.
gem5 Simulator System.  http://gem5.org
gem5 is copyrighted software; use the --copyright option for details.
gem5 version 20.0.0.3
gem5 compiled Jul 7 2020 16:17:12
gem5 started Jul 16 2020 04:41:50
gem5 executing on yazeed-OptiPlex-9010, pid 3367
command line: ./build/ARM/gem5.opt configs/example/fs.py --mem-size=8192MB --disk-image=/home/yaz/gem5/full_system_images/disks/ARMv7a-ICS-Android.SMP.Asimbench-v3.img --kernel=/home/yaz/gem5/full_system_images/binaries/vmlinux.smp.ics.arm.asimbench.2.6.35 --os-type=android-ics --cpu-type=MinorCPU --machine-type=VExpress_GEM5 --script=/home/yaz/gem5/full_system_images/boot/adobe.rcS
Global frequency set at 1000000000000 ticks per second
warn: No dot file generated. Please install pydot to generate the dot file and pdf.
info: kernel located at: /home/yaz/gem5/full_system_images/binaries/vmlinux.smp.ics.arm.asimbench.2.6.35
system.vncserver: Listening for connections on port 5900
system.terminal: Listening for connections on port 3456
system.realview.uart1.device: Listening for connections on port 3457
system.realview.uart2.device: Listening for connections on port 3458
system.realview.uart3.device: Listening for connections on port 3459
0: system.remote_gdb: listening for remote gdb on port 7000
info: Using bootloader at address 0x80000000
info: Using kernel entry physical address at 0x140008000
warn: DTB file specified, but no device tree support in kernel
**** REAL SIMULATION ****
warn: Existing EnergyCtrl, but no enabled DVFSHandler found.
info: Entering event queue # 0. Starting simulation...
fatal: Unable to find destination for [0x40008000:0x40008040] on system.iobus
Memory Usage: 8786764 KBytes
Thanks for helping.

Unable to log into docker container syslog file

In a component test, I build a C binary and test it using pytest.
In the C binary I use syslog.h in order to log what happens.
However, there is no syslog file in /var/log/ in the container, and no information in syslog on the host.
I have tried to run rsyslog as a service in the container and several rsyslog.conf configurations.
I have also edited the docker daemon.json to use the syslog service.
import subprocess
import pytest

@pytest.fixture(scope="session")
def generator():
    # start the binary once per test session and stop it at teardown
    process = subprocess.Popen(["./build/bin/myBinary", "-v"])
    yield process
    process.terminate()
/* myBinary */
#include <syslog.h>

int main(int argc, char **argv)
{
    int logoptions = LOG_PID;   /* assumed value; the question does not show it */
    openlog("myBinary", logoptions, LOG_DAEMON);
    syslog(LOG_NOTICE, "Service is starting...");
    closelog();
    return 0;
}
I expected syslog entries either on the host or in the container's /var/log, but there is nothing.
The problem was:
the rsyslog service was not launched.
root#xxx:/var/log# service rsyslog restart
[ ok ] Stopping enhanced syslogd: rsyslogd already stopped.
[ ok ] Starting enhanced syslogd: rsyslogd.
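The probe below is an added example, not the question's binary, and it tests for exactly the condition the fix above describes. glibc's syslog() sends datagrams to the Unix socket /dev/log; when no syslog daemon is listening, which is the default inside a container, the message is dropped silently and the program carries on, so the only visible symptom is an empty log. The probe connects to that socket the same way, reports why it cannot, and then logs with LOG_PERROR so the message at least reaches stderr (and thus the pytest output) while the daemon is missing. The socket path is glibc's default; the errno-to-explanation mapping is this example's own.

```c
/* Added example: is anything listening on the syslog socket? */
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <syslog.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Returns 0 when a datagram connect() to path succeeds (a listener exists),
 * otherwise -errno: -ENOENT when there is no socket file at all, -ECONNREFUSED
 * when the file exists but nothing reads it, -ENAMETOOLONG when path does not
 * fit in sockaddr_un. errno is captured before close() can disturb it. */
static int syslog_socket_status(const char *path)
{
    struct sockaddr_un addr;
    int fd, rc;
    if (strlen(path) >= sizeof addr.sun_path)
        return -ENAMETOOLONG;
    fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
        return -errno;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof addr.sun_path - 1);
    rc = connect(fd, (struct sockaddr *)&addr, sizeof addr);
    rc = (rc == 0) ? 0 : -errno;
    close(fd);
    return rc;
}

/* Turn a status code into the action a container user needs to take. */
static const char *syslog_socket_explain(int status)
{
    switch (status) {
    case 0:             return "a syslog daemon is listening";
    case -ENOENT:       return "socket file missing: no syslogd has started in this container";
    case -ECONNREFUSED: return "socket file exists but nothing reads it: syslogd is not running";
    case -EACCES:       return "permission denied on the socket";
    default:            return "cannot connect for another reason";
    }
}

int main(void)
{
    const char *path = "/dev/log";   /* glibc's default syslog socket */
    int status = syslog_socket_status(path);
    printf("%s: %s (%s)\n", path, syslog_socket_explain(status),
           status == 0 ? "ok" : strerror(-status));

    /* LOG_PERROR copies every message to stderr, so the test run shows the
     * line even when the socket is dead; LOG_NDELAY opens the socket now. */
    openlog("myBinary", LOG_PID | LOG_NDELAY | LOG_PERROR, LOG_DAEMON);
    syslog(LOG_NOTICE, "Service is starting... (syslog socket status %d)", status);
    closelog();
    return status == 0 ? 0 : 1;
}
```

Running the probe as the first step of the pytest session makes the missing daemon a failing test instead of a silent gap in the log.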

Openssl: SSL_CTX_set_ecdh_auto() return failure

At the moment my OpenSSL version is
OpenSSL 1.0.2h 3 May 2016
I use the example code offered by OpenSSL, Simple_TLS_Server, to start a server, and use s_client to send a TLS handshake. The server returned an error like this:
139629255337616:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1349
And the s_client returned:
CONNECTED(00000003)
140266915485328:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 307 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1471879558
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
After reading this manual, SSL_CTX_set1_curves(3), I modified some lines of the original:
if (!SSL_CTX_set_ecdh_auto(ctx, 1))
{
    fprintf(stderr, "Error: SSL_CTX_set_ecdh_auto(ctx, 1)\n");
}
When I restarted the Simple_TLS_Server, it printed
Error: SSL_CTX_set_ecdh_auto(ctx, 1)
I also tried it like this:
if (!SSL_CTX_set_ecdh_auto(ctx, 1))
{
    ERR_print_errors_fp(stderr);
}
But there was no available error message.
Does anyone know how could this happen? If you require more information, please just let me know.
PS: I tried the certificates and keys with s_server and s_client; that worked fine.
Does anyone know how could this happen?
According to the source code, the only cases where SSL_CTX_set_ecdh_auto returns 0 are when the OpenSSL library was compiled without support for ECDH (OPENSSL_NO_ECDH) or without support for elliptic curves at all (OPENSSL_NO_EC).

snmptrap IPv6 destination not working

I compile snmptrap as a "stand-alone" application to run on an embedded device.
Sending a trap over IPv4 works like a charm, but when using an IPv6 address as the destination, the following shows up in the logs:
tdomain: tdomain_transport_full("snmptrap", "udp6:[fd64:3ef5:bb33::2]", 0, "[NIL]", "[NIL]")
tdomain: Found no domain from specifier "udp6"
I compiled my net-snmp (v5.7.2) libraries with
--enable-ipv6
--with-mib-modules="mibII/ipv6 host notification snmpv3mibs"
--with-transports="UDPIPv6 TCPIPv6"
And execute the command-line app as:
snmptrap -v 1 -M ./mibs/ -c public 'udp6:[fd64:3ef5:bb33::2]' '1.2.3.4.5.6' '172.16.11.144' 6 99 '55' 1.11.12.13.14.15 s "teststring"
Can anyone point me in the right direction for solving this?
Cheers,
Frank
Make sure the IPv6 address [fd64:3ef5:bb33::2] is reachable, and that you have successfully compiled the net-snmp library with --ipv6 enable.
After compilation, make sure you have instructed snmpd to use both the udp and udp6 protocols.
You can debug the SNMP protocol using Wireshark.
Alternatively, you can try another client to send the IPv6 PDU, to make sure your client is sending the right data.
