
AWS IoT and HTTPS are mutually failed

Posted: Thu Dec 27, 2018 6:34 am
by samsonch
I am running AWS IoT and HTTPS simultaneously and they do not work at the same time. AWS IoT worked great if I didn't start another HTTPS session, so did HTTPS. If I got both running together, I got the following errors:

E (320154) esp-tls: mbedtls_ssl_handshake returned -0x2700
E (320164) esp-tls: Failed to open new connection
E (320164) TRANS_SSL: Failed to open a new connection
E (320164) HTTP_CLIENT: Connection failed, sock < 0
E (320174) HTTPS_CLIENT: Error perform http request ESP_ERR_HTTP_CONNECT
W (332144) mbedtls: ssl_tls.c:5713 x509_verify_cert() returned -9984 (-0x2700)

Am I missing anything, or is that a limitation of the ESP32?

Samson

Re: AWS IoT and HTTPS are mutually failed

Posted: Thu Dec 27, 2018 10:34 am
by chegewara

Re: AWS IoT and HTTPS are mutually failed

Posted: Thu Dec 27, 2018 4:13 pm
by samsonch
Hello chegewara,

Thank you for pointing out some directions. I went through some of the discussions and tried some things. I still could not get it working. If you don't mind, could you give me some more specific hints? Thank you so much.

Samson

Re: AWS IoT and HTTPS are mutually failed

Posted: Fri Dec 28, 2018 8:04 pm
by chegewara
The error you get from mbedtls is self-explanatory.
You have an incorrect certificate, or your certificate is not activated in AWS IoT.

transport_tls and mbedtls do not support concurrent SSL sessions if there is more than one domain destinations

Posted: Wed Jan 02, 2019 11:03 am
by samsonch
AWS IOT SDK has nothing to do with this problem. The current ESP32 transport_tls and mbedtls simply do not support concurrent sessions when there is more than one SSL destination. If you create two HTTPS sessions going to two different HTTPS destinations (different destination domains and certificates), only the first one can be established. The second one will fail.

Samson

Re: transport_tls and mbedtls do not support concurrent SSL sessions if there is more than one domain destinations

Posted: Thu Jan 03, 2019 2:21 am
by ESP_Angus
samsonch wrote:
Wed Jan 02, 2019 11:03 am
AWS IOT SDK has nothing to do with this problem. The current ESP32 transport_tls and mbedtls simply do not support concurrent sessions when there is more than one SSL destination. If you create two HTTPS sessions going to two different HTTPS destinations (different destination domains and certificates), only the first one can be established. The second one will fail.
This should not be true. Is it possible you're accidentally passing the wrong certificate to one of the sessions? (If they're embedded in the binary, they'll each need to have different names.)

If that's not it, is it possible for you to please post a full project (or as much of it as possible) somewhere?

Re: AWS IoT and HTTPS are mutually failed

Posted: Thu Jan 03, 2019 5:48 am
by chegewara
I have the opposite situation. I have an AWS IoT app and I am sending an HTTPS URL to my app to start an OTA update, and it works without a CA cert. For the OTA update I am basically using the native OTA example:


esp_err_t err;
esp_http_client_config_t config = {
    .url = (char*)pvParameter,
    // .cert_pem = (char *)server_cert_pem_start,   // left unset, so cert_pem is NULL
};
esp_http_client_handle_t client = esp_http_client_init(&config);
if (client == NULL) {
    ESP_LOGE(TAG, "Failed to initialise HTTP connection");
    task_fatal_error();
}
err = esp_http_client_open(client, 0);
if (err != ESP_OK) {
    ESP_LOGE(TAG, "Failed to open HTTP connection: %s", esp_err_to_name(err));
    esp_http_client_cleanup(client);
    task_fatal_error();
}
I am using a server with a Let's Encrypt certificate and it works without issue.

Re: AWS IoT and HTTPS are mutually failed

Posted: Thu Jan 03, 2019 6:15 am
by ESP_Angus
chegewara wrote:
Thu Jan 03, 2019 5:48 am
I have the opposite situation. I have an AWS IoT app and I am sending an HTTPS URL to my app to start an OTA update, and it works without a CA cert.
If the cert_pem field of esp_http_client_config_t is NULL then certificate validation is disabled.

Will update the docs to make this clear.
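The two points ESP_Angus makes in this thread (a NULL cert_pem silently disables server certificate validation, and two certificates embedded in the binary need distinct symbol names so each session really gets its own CA) can be turned into a pre-connect check. The following is an added example written for this thread, not code from ESP-IDF or from any poster: it models only the two relevant fields with a stand-alone struct (the real esp_http_client_config_t has many more), the PEM bodies and URLs are constructed placeholders, and the check returns CFG_VERIFY_DISABLED for a config that would skip validation so firmware can refuse to open that connection instead of fetching an unverified OTA image.

```c
/* Stand-alone model of the esp_http_client_config_t fields that matter for
 * TLS verification. Constructed for this example; not ESP-IDF's header. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

typedef struct {
    const char *url;
    const char *cert_pem;   /* NULL means the server certificate is not verified */
} https_session_cfg_t;

typedef enum {
    CFG_OK = 0,
    CFG_VERIFY_DISABLED = -1,   /* cert_pem is NULL: connection would be unauthenticated */
    CFG_BAD_PEM = -2            /* cert_pem is set but does not contain a PEM certificate */
} cfg_status_t;

/* Constructed placeholder PEM bodies. Real CA certificates carry several
 * hundred base64 characters between the markers; only the markers are checked. */
static const char aws_root_ca_pem[] =
    "-----BEGIN CERTIFICATE-----\n"
    "PLACEHOLDER_AWS_ROOT_CA_BODY\n"
    "-----END CERTIFICATE-----\n";

static const char ota_server_ca_pem[] =
    "-----BEGIN CERTIFICATE-----\n"
    "PLACEHOLDER_OTA_SERVER_CA_BODY\n"
    "-----END CERTIFICATE-----\n";

/* Three constructed configs: one per destination with its own CA, one that
 * reproduces the "works without CA cert" setup from the thread, and one that
 * mistakenly points both sessions at the same embedded certificate. */
static const https_session_cfg_t aws_iot_cfg   = { "https://PLACEHOLDER-aws-endpoint.example/", aws_root_ca_pem };
static const https_session_cfg_t ota_cfg       = { "https://PLACEHOLDER-ota.example/firmware.bin", ota_server_ca_pem };
static const https_session_cfg_t ota_nocert_cfg = { "https://PLACEHOLDER-ota.example/firmware.bin", NULL };
static const https_session_cfg_t ota_wrong_ca_cfg = { "https://PLACEHOLDER-ota.example/firmware.bin", aws_root_ca_pem };
static const https_session_cfg_t garbage_cfg   = { "https://PLACEHOLDER.example/", "not a certificate" };

/* Cheap sanity check that a buffer holds at least one PEM certificate block. */
int pem_looks_like_cert(const char *pem) {
    if (pem == NULL) return 0;
    const char *begin = strstr(pem, "-----BEGIN CERTIFICATE-----");
    if (begin == NULL) return 0;
    return strstr(begin, "-----END CERTIFICATE-----") != NULL;
}

/* Fail closed: refuse any config that would skip server verification. */
cfg_status_t check_session_cfg(const https_session_cfg_t *cfg) {
    if (cfg->cert_pem == NULL) return CFG_VERIFY_DISABLED;
    if (!pem_looks_like_cert(cfg->cert_pem)) return CFG_BAD_PEM;
    return CFG_OK;
}

/* Two sessions to different domains normally carry different CAs; sharing
 * one pointer or identical PEM text is the symptom of the wrong-name mistake. */
int sessions_share_ca(const https_session_cfg_t *a, const https_session_cfg_t *b) {
    if (a->cert_pem == NULL || b->cert_pem == NULL) return 0;
    return a->cert_pem == b->cert_pem || strcmp(a->cert_pem, b->cert_pem) == 0;
}

static const char *status_name(cfg_status_t s) {
    switch (s) {
    case CFG_OK:              return "ok, server will be verified";
    case CFG_VERIFY_DISABLED: return "REFUSED: cert_pem is NULL, verification disabled";
    case CFG_BAD_PEM:         return "REFUSED: cert_pem is not a PEM certificate";
    }
    return "unknown";
}

int main(void) {
    const https_session_cfg_t *all[] = { &aws_iot_cfg, &ota_cfg, &ota_nocert_cfg, &garbage_cfg };
    for (size_t i = 0; i < sizeof all / sizeof all[0]; i++)
        printf("%-50s %s\n", all[i]->url, status_name(check_session_cfg(all[i])));
    printf("aws+ota share CA: %d\n", sessions_share_ca(&aws_iot_cfg, &ota_cfg));
    printf("aws+ota(wrong CA) share CA: %d\n", sessions_share_ca(&aws_iot_cfg, &ota_wrong_ca_cfg));
    return 0;
}
```

Running the checks before esp_http_client_open() is where this belongs in real firmware; the NULL case is exactly the configuration that "works" in the post above, and the shared-CA case is the one ESP_Angus suspects, where the second session would be handed a CA that cannot validate its destination and fail with the -0x2700 verification error from the first post.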

Re: AWS IoT and HTTPS are mutually failed

Posted: Thu Jan 03, 2019 6:19 am
by chegewara
ESP_Angus wrote:
Thu Jan 03, 2019 6:15 am
If the cert_pem field of esp_http_client_config_t is NULL then certificate validation is disabled.

Will update the docs to make this clear.
That's a change in the API I missed, thanks for the clarification. I will try to add a certificate to see if I have the same issue as the OP.

EDIT: I can confirm it works for me with native OTA over HTTPS + AWS IoT.

Re: transport_tls and mbedtls do not support concurrent SSL sessions if there is more than one domain destinations

Posted: Thu Jan 03, 2019 4:16 pm
by samsonch
ESP_Angus wrote:
Thu Jan 03, 2019 2:21 am
samsonch wrote:
Wed Jan 02, 2019 11:03 am
AWS IOT SDK has nothing to do with this problem. The current ESP32 transport_tls and mbedtls simply do not support concurrent sessions when there is more than one SSL destination. If you create two HTTPS sessions going to two different HTTPS destinations (different destination domains and certificates), only the first one can be established. The second one will fail.
This should not be true. Is it possible you're accidentally passing the wrong certificate to one of the sessions? (If they're embedded in the binary, they'll each need to have different names.)

If that's not it, is it possible for you to please post a full project (or as much of it as possible) somewhere?
I am pretty sure I was passing the correct certificate to the right session. If I put in a semaphore to make the two sessions run exclusively, each session worked great. I will see if I can make a small project to reproduce this.