Topic: Amazon IoT Example

Am I correct in stating that the Amazon AWS IoT example included with wolfMQTT does not work as is since it makes no wolfSSL function calls to encrypt the connection?  (The connect() call on my embedded platform only times out...)


Re: Amazon IoT Example

I apologize; I see there ARE wolfSSL calls deeper in the code. I'm just not getting there, as I am stuck on the first connect(), which times out after 3 minutes.

Doesn't the initial connection need to be encrypted? Why is the example code connecting to AWS IoT with an un-encrypted connection first before calling wolfSSL_connect()?  Thank you.


Re: Amazon IoT Example

Hi Kackle123,

For TLS the socket must be open first, and then the call to wolfSSL_connect() is made. If you are having trouble getting past the socket `connect()`, that indicates a network level problem. Have you verified you can reach the host? Can you provide some additional information on the platform you are using and how you are building it?

If you are building wolfMQTT for AWS you'll need to make sure TLS support is enabled either using `./configure --enable-tls` or `#define ENABLE_MQTT_TLS`.

Thanks,
David Garske, wolfSSL


Re: Amazon IoT Example

Hello David,
I am building on an NXP/Freescale "Freedom Board".  Amazon's AWS' IoT service sees that I am trying to connect, but that access is denied (shown in the AWS logs).

When you say that the socket must be open, you mean "connected to the AWS server", THEN the wolfSSL_connect() is called to form an encrypted connection?  I'm not getting past that first unencrypted connection step.  I have used MQX's connect() before without trouble.  If what you say is correct, then I would think AWS should accept any connection at first.  Do you have any thoughts?


Re: Amazon IoT Example

Hi Kackle123,

If your AWS log shows access denied, then your socket connect() has already occurred and you've entered into the TLS handshake. AWS uses TLS mutual authentication, which requires the device (client) also present a certificate for authentication. Those client certificates are generated by AWS or you can load your own CA and sign them yourself.

See our example here:
https://github.com/wolfSSL/wolfMQTT/blo … iot.c#L193

http://docs.aws.amazon.com/iot/latest/d … ntity.html

To better support this it would be helpful to turn on wolfSSL debugging logs and capture a Wireshark trace and send that over. You can email support@wolfssl.com and reference this forum case if you want to keep it confidential.

For logs you need to define `DEBUG_WOLFSSL` and call `wolfSSL_Debugging_ON();` prior to `wolfSSL_Init();`.

Thanks,
David Garske, wolfSSL


Re: Amazon IoT Example

I don't think I'm getting to the wolfSSL_connect() - I put a print statement immediately after the initial MQX connect() and it only prints after the connect()'s default timeout of 3 minutes is reached (blocked).  When I change connect()'s timeout to 10 seconds, then the print statement executes at 10 seconds.  Unless some sort of background print threading/blocking is going on that I'm unaware of...

I am aware of how AWS requires certificates, etc., as I have successfully connected/subscribed before using mbed's AWS example and TLS.  I'm just trying to replicate that in the wolf/MQX environment.

Does wolfSSL_connect() use the regular connect() in the background?  That might explain what I'm seeing, perhaps.  I can try the wolfSSL's debugging and see what Wireshark reveals.  Thank you.


Re: Amazon IoT Example

Hi kackle123,

Your description of the issue sounds like an MQX networking problem. Perhaps taking a step back and setting up a simple TCP socket client example to validate your networking functionality would be good.

The wolfSSL library does not handle socket connect or disconnect. With a typical TLS implementation the socket is created and host connected, then `wolfSSL_set_fd()` is called so the wolf IO layer knows the socket descriptor handle to read()/write(). The wolfMQTT library uses the `WOLFSSL_USER_IO` define to enable setting IO callbacks using wolfSSL_SetIORecv() and wolfSSL_SetIOSend(), which handle the read/write inside the wolfMQTT application.

See this code section for details:
https://github.com/wolfSSL/wolfMQTT/blo … ket.c#L302

The `MqttSocket_Connect()` function first opens the socket using the defined net->connect callback function, then sets up the WOLFSSL object and calls `wolfSSL_connect()`.

If you can send over any logs, code changes or wireshark trace, those will help in understanding the problem.

Thanks,
David Garske, wolfSSL


Re: Amazon IoT Example

I have to admit, I didn't think I'd see anything via Wireshark, but I saw that it was trying to connect to the wrong port.  I think MQX's (v4.2) htons() is broken (used by your "mqttnet.c"), swapping bytes when it's not supposed to.  Once the htons() was removed, the code connected securely to AWS' IoT gateway.  Thank you for your help.


Re: Amazon IoT Example

Hi Kackle123,

That's excellent you got it working! Thanks for sending that information. I'll look into the use of `htons` for MQX in the wolfMQTT examples and see if I can fix that.

Thanks,
David Garske, wolfSSL


Re: Amazon IoT Example

I'm not sure I'd bother "fixing" your code for MQX v4.2 since your code is handling it properly: htons() and similar functions SHOULD be used when communicating over a network, as far as my familiarity with it goes.

I could report the MQX issue to whomever owns the problem this year, but it seems like they're already onto their next OS du jour.  (Maybe you can add some cautionary code comment next to your connect() call?  I don't know...)  Thank you again for your help.

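The byte-order bug traced in this thread (a platform htons() that swapped bytes when it should not, so connect() went to the wrong port), as an added example that is not code from the thread or from wolfMQTT: a startup self-test that compares the platform's htons() against an endianness-independent reference and reports which port a wrongly-swapped value would actually reach. The port number 8883 is assumed (the standard MQTT-over-TLS port); the check works for any port.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>   /* htons(); on MQX the equivalent lives in the RTCS headers */

#define MQTT_TLS_PORT 8883   /* assumed: standard MQTT-over-TLS port */

/* Reference big-endian encoding of a 16-bit port, built byte by byte so it
   does not depend on the platform's htons() or on host endianness. */
uint16_t port_to_network_order(uint16_t port)
{
    uint8_t be[2] = { (uint8_t)(port >> 8), (uint8_t)(port & 0xFF) };
    uint16_t wire;
    memcpy(&wire, be, sizeof(wire));
    return wire;
}

/* Given a 16-bit value as it would sit in sin_port, return the port a peer
   would actually see on the wire (first byte in memory is the high byte). */
uint16_t effective_port(uint16_t sin_port)
{
    uint8_t be[2];
    memcpy(be, &sin_port, sizeof(be));
    return (uint16_t)(((uint16_t)be[0] << 8) | be[1]);
}

/* Swap the two bytes; models an htons() that swaps when it should not. */
uint16_t swap16(uint16_t v)
{
    return (uint16_t)((v >> 8) | (v << 8));
}

/* Startup self-test: does this platform's htons() agree with the reference? */
int htons_is_sane(uint16_t port)
{
    return htons(port) == port_to_network_order(port);
}

int main(void)
{
    if (!htons_is_sane(MQTT_TLS_PORT)) {
        printf("htons() broken: connect() would target port %u, not %u\n",
               effective_port(htons(MQTT_TLS_PORT)), MQTT_TLS_PORT);
        return 1;
    }
    printf("htons() OK for port %u\n", MQTT_TLS_PORT);
    return 0;
}
```

Running this once at boot on a new RTOS/network stack catches the class of bug found here before the TLS layer is even involved, while keeping htons() in the networking code where it belongs.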