1 (edited by srikbn 2019-03-28 06:40:16)

Topic: Using WolfMQTT and Wolfssl connecting to AWS

Hi,
Am trying to connect from Embedded platform to AWS IOT MQTT broker
and getting below error

00> wolfSSL Leaving SendClientHello, return 0
00> connect state: CLIENT_HELLO_SENT
00> MQTT:I: Read 5 buffer size
00> ETHERNET:I: Transmit Completed
00> ETHERNET:I: Data not available
00> ETHERNET:I: Transmit Completed
00> ETHERNET:I: Read socket data size 5
00> MQTT:I: WolfMQTT Read Data Successfully
00> Cipher AES128-SHA:AES256-SHA:HC128-SHA:AES128-SHA256:AES256-SHA256:AES128-GCM-SHA256
00> growing input buffer
00>
00> MQTT:I: Read 5000 buffer size
00> ETHERNET:I: Transmit Completed
00> ETHERNET:I: Read socket data size 1024
00> MQTT:I: WolfMQTT Read Data Successfully
00> ETHERNET:I: Transmit Completed
00> ETHERNET:I: Read socket data size 1024
00> MQTT:I: WolfMQTT Read Data Successfully
00> ETHERNET:I: Transmit Completed
00> ETHERNET:I: Read socket data size 1024
00> MQTT:I: WolfMQTT Read Data Successfully
00> ETHERNET:I: Transmit Completed
00> ETHERNET:I: Read socket data size 1024
00> MQTT:I: WolfMQTT Read Data Successfully
00> ETHERNET:I: Transmit Completed
00> ETHERNET:I: Read socket data size 904
00> MQTT:I: WolfMQTT Read Data Successfully
00> Cipher AES128-SHA:AES256-SHA:HC128-SHA:AES128-SHA256:AES256-SHA256:AES128-GCM-SHA256
00> received record layer msg
00> wolfSSL Entering DoHandShakeMsg()
00> wolfSSL Entering DoHandShakeMsgType
00> processing server hello
00> wolfSSL Entering DoServerHello
00> wolfSSL Entering VerifyClientSuite
00> wolfSSL Leaving DoServerHello, return 0
00> wolfSSL Leaving DoHandShakeMsgType(), return 0
00> wolfSSL Leaving DoHandShakeMsg(), return 0
00> More messages in record
00> received record layer msg
00> wolfSSL Entering DoHandShakeMsg()
00> wolfSSL Entering DoHandShakeMsgType
00> processing certificate
00> wolfSSL Entering DoCertificate
00> wolfSSL Entering ProcessPeerCerts
00> Loading peer's cert chain
00> Put another cert into chain
00> wolfSSL Leaving ProcessPeerCerts, return -328
00> wolfSSL Leaving DoCertificate, return -328
00> wolfSSL Leaving DoHandShakeMsgType(), return -328
00> wolfSSL Leaving DoHandShakeMsg(), return -328
00> wolfSSL error occurred, error = -328
00> wolfSSL Entering SSL_get_error
00> wolfSSL Leaving SSL_get_error, return -328
00> wolfSSL Entering SSL_free
00> CTX ref count not 0 yet, no free
00> Shrinking input buffer
00>
00> wolfSSL Leaving SSL_free, return 0
00> wolfSSL Entering SSL_CTX_free
00> CTX ref count down to 0, doing full free
00> wolfSSL Entering wolfSSL_CertManagerFree
00> wolfSSL Leaving SSL_CTX_free, return 0
00> wolfSSL Entering wolfSSL_Cleanup
00> wolfSSL Entering wolfCrypt_Cleanup
00> ETHERNET:I: AT Command Sent: +++ ETHERNET:I: Transmit Completed
00> ETHERNET:I: AT Command Timeout
00> ERROR: Cannot Close Socket
00> ERROR: WolfMQTT Connection Close Failed
00> MQTT:I: MQTT Socket Connect:Error (Network) ret code -8
00> ERROR: WolfMQTT Connect Failed -8
00> wolfSSL Leaving DoHandShakeMsg(), return 0
00> More messages in record
00> received record layer msg
00> wolfSSL Entering DoHandShakeMsg()
00> wolfSSL Entering DoHandShakeMsgType
00> processing certificate
00> wolfSSL Entering DoCertificate
00> wolfSSL Entering ProcessPeerCerts
00> Loading peer's cert chain
00> Put another cert into chain
00> wolfSSL Leaving ProcessPeerCerts, return -328
00> wolfSSL Leaving DoCertificate, return -328
00> wolfSSL Leaving DoHandShakeMsgType(), return -328
00> wolfSSL Leaving DoHandShakeMsg(), return -328
00> wolfSSL error occurred, error = -328
00> wolfSSL Entering SSL_get_error
00> wolfSSL Leaving SSL_get_error, return -328
00> wolfSSL Entering SSL_free
00> CTX ref count not 0 yet, no free
00> Shrinking input buffer
00>
00> wolfSSL Leaving SSL_free, return 0
00> wolfSSL Entering SSL_CTX_free
00> CTX ref count down to 0, doing full free
00> wolfSSL Entering wolfSSL_CertManagerFree
00> wolfSSL Leaving SSL_CTX_free, return 0
00> wolfSSL Entering wolfSSL_Cleanup
00> wolfSSL Entering wolfCrypt_Cleanup
00> ETHERNET: AT Command Sent: +++ ETHERNET: Transmit Completed
00> ETHERNET:I: AT Command Timeout
00> ERROR: Cannot Close Socket
00> ERROR: WolfMQTT Connection Close Failed
00> MQTT:I: MQTT Socket Connect:Error (Network) ret code -8
00> ERROR: WolfMQTT Connect Failed -8


2 (edited by Kaleb J. Himes 2019-03-12 15:12:12)

Re: Using WolfMQTT and Wolfssl connecting to AWS

Hi srikbn,

Can you capture a wireshark trace of the connection so we can see the certs coming back from the server? The -328 is a malformed buffer error indicating there is an issue with the cert. If you can capture a wireshark trace and send it to us we can check to see if the cert is corrupted in any way or if the cipher suite list (which is ONLY static cipher suites) is causing an issue with the cert chain in question.

Can you also send us the build options you are using?


- K

Re: Using WolfMQTT and Wolfssl connecting to AWS

Hi Kaleb,
Was not able to work on this, so delayed response.
You were correct, this issue was the network layer corrupting the server certificates due to a buffer size issue.
Now below is the issue:

00> There are more CRL Distribution Point records, but we only use the first one.
00> fail: should be a SEQUENCE
00> Got Peer cert ASN PARSE or BUFFER ERROR
00> wolfSSL Leaving ProcessPeerCerts, return -140
00> wolfSSL Leaving DoCertificate, return -140
00> wolfSSL Leaving DoHandShakeMsgType(), return -140

00> MQTT:I: WolfMQTT Read Data Successfully
00> received record layer msg
00> wolfSSL Entering DoHandShakeMsg()
00> wolfSSL Entering DoHandShakeMsgType
00> processing server hello
00> wolfSSL Entering DoServerHello
00> wolfSSL Entering VerifyClientSuite
00> wolfSSL Leaving DoServerHello, return 0
00> wolfSSL Leaving DoHandShakeMsgType(), return 0
00> wolfSSL Leaving DoHandShakeMsg(), return 0
00> More messages in record
00> received record layer msg
00> wolfSSL Entering DoHandShakeMsg()
00> wolfSSL Entering DoHandShakeMsgType
00> processing certificate
00> wolfSSL Entering DoCertificate
00> wolfSSL Entering ProcessPeerCerts
00> Loading peer's cert chain
00> Put another cert into chain totalSz:-2795,list size:-1179, Certificate Size:-1610,certiciate Number 1
00> Put another cert into chain totalSz:-2795,list size:-0, Certificate Size:-1176,certiciate Number 2
00> wolfSSL Entering GetExplicitVersion
00> wolfSSL Entering GetSerialNumber
00> Got Cert Header
00> wolfSSL Entering GetAlgoId
00> wolfSSL Entering GetObjectId()
00> Got Algo ID
00> Getting Cert Name
00> Getting Cert Name
00> Got Subject Name
00> wolfSSL Entering GetAlgoId
00> wolfSSL Entering GetObjectId()
00> Got Key
00> Parsed Past Key
00> wolfSSL Entering DecodeCertExtensions
00> fail: should be an EXTENSIONS
00> Failed to verify CA from chain
00> wolfSSL Entering ERR_error_string
00> MQTT:I: MQTT TLS Verify Callback: PreVerify 0, Error -140 (ASN parsing error, invalid input)
00> MQTT:I: Subject's domain name is DigiCert SHA2 Secure Server CA
00> ERROR: Allowing cert anyways
00> Verify callback overriding error!
00> Verifying Peer's cert
00> wolfSSL Entering GetExplicitVersion
00> wolfSSL Entering GetSerialNumber
00> Got Cert Header
00> wolfSSL Entering GetAlgoId
00> wolfSSL Entering GetObjectId()
00> Got Algo ID
00> Getting Cert Name
00> Getting Cert Name
00> Got Subject Name
00> wolfSSL Entering GetAlgoId
00> wolfSSL Entering GetObjectId()
00> Got Key
00> Parsed Past Key
00> wolfSSL Entering DecodeCertExtensions
00> wolfSSL Entering GetObjectId()
00> wolfSSL Entering DecodeAuthKeyId
00> wolfSSL Entering GetObjectId()
00> wolfSSL Entering DecodeSubjKeyId
00> wolfSSL Entering GetObjectId()
00> wolfSSL Entering DecodeAltNames
00> wolfSSL Entering GetObjectId()
00> wolfSSL Entering DecodeKeyUsage
00> wolfSSL Entering GetObjectId()
00> DecodeExtKeyUsage
00> wolfSSL Entering GetObjectId()
00> wolfSSL Entering GetObjectId()
00> wolfSSL Entering GetObjectId()
00> wolfSSL Entering DecodeCrlDist
00> There are more CRL Distribution Point records, but we only use the first one.
00> fail: should be a SEQUENCE
00> Got Peer cert ASN PARSE or BUFFER ERROR
00> wolfSSL Leaving ProcessPeerCerts, return -140
00> wolfSSL Leaving DoCertificate, return -140
00> wolfSSL Leaving DoHandShakeMsgType(), return -140
00> wolfSSL Leaving DoHandShakeMsg(), return -140
00> wolfSSL error occurred, error = -140
00> wolfSSL Entering SSL_get_error
00> wolfSSL Leaving SSL_get_error, return -140
00> wolfSSL Entering SSL_free
00> CTX ref count not 0 yet, no free
00> Shrinking input buffer

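Two things stand out in the logs above: wolfSSL asks the network layer for a 5000-byte record and the link delivers it in 1024-byte socket reads (1024, 1024, 1024, 1024, 904), and the TLS verify callback prints "Allowing cert anyways" and overrides the -140 error, which means the broker's certificate is never actually authenticated. The C example below is added here and is not wolfSSL, wolfMQTT or the poster's code: it shows one way a read callback can hand the TLS layer a corrupted buffer when it reports a full length after a single short read, the reassembly loop that fixes it, and a verify callback that returns the pre-verify result instead of overriding it. The callback shape follows wolfMQTT's MqttNetReadCb (context, buffer, length, timeout); the verify callback is a simplified (preverify, error) form of wolfSSL's, and the mock link, the record contents and the 1024-byte MTU are constructed for the example.

```c
/* Added example: reassembling a TLS record from short socket reads, and a
 * verify callback that does not override certificate errors.
 * The mock link, record payload and MTU are constructed; the read callback
 * signature mirrors wolfMQTT's MqttNetReadCb, the verify callback is a
 * simplified stand-in for wolfSSL's VerifyCallback. */
#include <stdio.h>
#include <string.h>

#define LINK_MTU   1024   /* bytes per socket read, as in the log */
#define RECORD_LEN 5000   /* the "Read 5000 buffer size" request in the log */

/* Constructed stand-in for the Ethernet/AT-command link. */
struct mock_link {
    const unsigned char *data;  /* bytes the peer has sent */
    size_t len;
    size_t pos;                 /* how much the client has consumed */
    int reads;                  /* number of raw socket reads performed */
};

/* One raw socket read: up to LINK_MTU bytes, 0 when nothing is pending. */
static int link_recv(struct mock_link *l, unsigned char *buf, int want)
{
    size_t avail = l->len - l->pos;
    size_t n = (size_t)want;
    if (n > LINK_MTU) n = LINK_MTU;
    if (n > avail)    n = avail;
    memcpy(buf, l->data + l->pos, n);
    l->pos += n;
    l->reads++;
    return (int)n;
}

typedef int (*net_read_fn)(void *ctx, unsigned char *buf, int buf_len, int timeout_ms);

/* Broken pattern: one socket read, then report the full requested length.
 * The TLS layer parses LINK_MTU real bytes followed by stale buffer contents,
 * which is the kind of corruption that shows up as -328 / -140 cert errors. */
int net_read_partial(void *ctx, unsigned char *buf, int buf_len, int timeout_ms)
{
    (void)timeout_ms;
    link_recv((struct mock_link *)ctx, buf, buf_len);
    return buf_len;   /* wrong: only part of buf is valid */
}

/* Correct pattern: keep reading until buf_len bytes are present or the link fails.
 * A short result is reported as an error, never as a full buffer. */
int net_read_full(void *ctx, unsigned char *buf, int buf_len, int timeout_ms)
{
    struct mock_link *l = (struct mock_link *)ctx;
    int got = 0;
    (void)timeout_ms;
    while (got < buf_len) {
        int n = link_recv(l, buf + got, buf_len - got);
        if (n <= 0)
            return -1;   /* network error; caller must not parse the buffer */
        got += n;
    }
    return got;
}

/* Verify callback: preverify is 1 when the chain checked out, 0 otherwise.
 * Returning 1 when preverify is 0 (the "Allowing cert anyways" path in the
 * log) disables broker authentication; return the verifier's verdict instead. */
int tls_verify_cb(int preverify, int error_code)
{
    if (!preverify)
        fprintf(stderr, "TLS verify failed, error %d; rejecting peer\n", error_code);
    return preverify;
}

/* Drive one read callback over a constructed RECORD_LEN-byte record. Returns 1
 * if the bytes handed to the TLS layer match what the peer sent. */
static int run_record(net_read_fn cb, int *reads_out)
{
    static unsigned char sent[RECORD_LEN];
    unsigned char rx[RECORD_LEN];
    struct mock_link link = { sent, RECORD_LEN, 0, 0 };
    int i, ret;

    for (i = 0; i < RECORD_LEN; i++)
        sent[i] = (unsigned char)(i * 7 + 1);   /* constructed payload */
    memset(rx, 0, sizeof rx);                    /* stale buffer contents */

    ret = cb(&link, rx, RECORD_LEN, 1000);
    if (reads_out) *reads_out = link.reads;
    return ret == RECORD_LEN && memcmp(sent, rx, RECORD_LEN) == 0;
}

int reassemble_ok(net_read_fn cb)   { return run_record(cb, NULL); }
int link_reads_used(net_read_fn cb) { int r = 0; run_record(cb, &r); return r; }

int main(void)
{
    printf("partial read: record intact=%d, socket reads=%d\n",
           reassemble_ok(net_read_partial), link_reads_used(net_read_partial));
    printf("full read:    record intact=%d, socket reads=%d\n",
           reassemble_ok(net_read_full), link_reads_used(net_read_full));
    printf("verify cb with error -140 returns %d\n", tls_verify_cb(0, -140));
    return 0;
}
```

With the reassembling callback the 5000-byte record takes five socket reads (four of 1024 and one of 904, matching the trace) and arrives intact; the one-shot callback delivers 1024 good bytes plus 3976 bytes of whatever was in the buffer, which is exactly the shape of input that makes the ASN.1 parser fail. The verify callback is the other half of the fix: once the chain parses, a callback that echoes preverify lets wolfSSL reject a broker whose chain does not validate against the loaded CA, rather than logging the error and connecting anyway.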