
Why am I getting SSL errors/disconnects on a fresh out-of-the-box IOT EVAL KIT?

Mark Symmes
Associate
Posted on July 16, 2018 at 20:07

I have just powered up the STM IOT DISCOVERY NODE board B-L475E-IOTA2.

It connects to my AWS IOT endpoint and then gets disconnected immediately, and the USB Virtual Serial Console shows many, many errors.

1. Attached is a log of the entire sequence from the console.

2. Here is my event log as created by a custom lambda function that I use in the AWS IOT ACT sections

Event 1:

{
    'principalIdentifier': 'b30893ac3d6ca2a9abaceaae005f9c55293343fde8b5e633eee342621fd045f2',
    'timestamp': 1531764176425,
    'sessionIdentifier': '7e5f7933-1106-4f18-a599-8aa1653fa897',
    'clientId': 'STM32',
    'eventType': 'connected'
}

Event 2:

{
    'timestamp': 1531764176995,
    'clientId': 'STM32',
    'sessionIdentifier': '7e5f7933-1106-4f18-a599-8aa1653fa897',
    'eventType': 'disconnected',
    'principalIdentifier': 'b30893ac3d6ca2a9abaceaae005f9c55293343fde8b5e633eee342621fd045f2',
    'clientInitiatedDisconnect': false
}

3. Here is the output of an openssl test run on a Linux box:

# openssl s_client -connect ag5td4i5bbh9e.iot.us-east-1.amazonaws.com:8883 \
      -tls1_2 -CAfile aws_root_ca.pem -cert b30893ac3d-certificate.pem.crt -key b30893ac3d-private.pem.key

CONNECTED(00000003)
depth=2 C = US, O = 'VeriSign, Inc.', OU = VeriSign Trust Network, OU = '(c) 2006 VeriSign, Inc. - For authorized use only', CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 C = US, ST = Washington, L = Seattle, O = 'Amazon.com, Inc.', CN = *.iot.us-east-1.amazonaws.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=*.iot.us-east-1.amazonaws.com
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGGjCCBQKgAwIBAgIQLnQIWjfERfw1k/3WWKINNTANBgkqhkiG9w0BAQsFADB+
MQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAd
...redacted...
EudlMhIxRFh9vGtdeEtiGyWiysk+El47beznoRT9fmJUHoxgKgsznbc2K0STY5hK
05vnq6DeWRLXoQYZoJm9ysbfVsRx9QB3YRy0C79Cie5bvmO7ib2sQ0OdfB42eg+v
I9KM/MH7QgMiCeHVBnoxdysrLBF9cyGt3MJHwzVi
-----END CERTIFICATE-----
subject=/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=*.iot.us-east-1.amazonaws.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3431 bytes and written 1576 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 5B4CDA304BA0D786F1BC36C9C5E1EDE0F7BC5503CAAAF0E31217B38C3F685E1B
    Session-ID-ctx:
    Master-Key: 4B14DA7D355E76C88BF0D0B83AD4656F376DA631103F3E5F0EC9178766A4E47754AC6614B6075824511AEE7B4E83CE85
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1531763248
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

#iot-node #b-l475e-iot01
0 REPLIES
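The two lifecycle events in the post, paired by session, as an added example that is not code from the original post or from ST or AWS: the script groups AWS IoT connected/disconnected events by sessionIdentifier and flags sessions the broker (not the client) closed within a chosen threshold. The sample events are constructed from the two shown above; the threshold is an assumption.

```python
"""Pair AWS IoT lifecycle events and flag immediate broker-side disconnects.

Added example, not from the original post. Sample events below are
constructed from the two lifecycle events quoted in the post (ms timestamps).
"""
from collections import defaultdict

PRINCIPAL = "b30893ac3d6ca2a9abaceaae005f9c55293343fde8b5e633eee342621fd045f2"
SESSION = "7e5f7933-1106-4f18-a599-8aa1653fa897"

# Constructed sample input: the connected/disconnected pair from the post.
EVENTS = [
    {"principalIdentifier": PRINCIPAL, "timestamp": 1531764176425,
     "sessionIdentifier": SESSION, "clientId": "STM32",
     "eventType": "connected"},
    {"timestamp": 1531764176995, "clientId": "STM32",
     "sessionIdentifier": SESSION, "eventType": "disconnected",
     "principalIdentifier": PRINCIPAL, "clientInitiatedDisconnect": False},
]


def pair_sessions(events):
    """Map sessionIdentifier -> {eventType: event}, oldest event first."""
    sessions = defaultdict(dict)
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        sessions[ev["sessionIdentifier"]][ev["eventType"]] = ev
    return sessions


def short_broker_disconnects(events, max_ms=2000):
    """Return (clientId, sessionId, duration_ms) for sessions the broker
    closed within max_ms of connecting. max_ms is an assumed threshold;
    a disconnect lacking clientInitiatedDisconnect is treated as client-side."""
    flagged = []
    for sid, by_type in pair_sessions(events).items():
        conn, disc = by_type.get("connected"), by_type.get("disconnected")
        if conn is None or disc is None:
            continue  # session still open, or connect event not captured
        duration = disc["timestamp"] - conn["timestamp"]
        if not disc.get("clientInitiatedDisconnect", True) and duration <= max_ms:
            flagged.append((disc["clientId"], sid, duration))
    return flagged


if __name__ == "__main__":
    for client, sid, ms in short_broker_disconnects(EVENTS):
        print(f"{client}: broker closed session {sid} after {ms} ms")
```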