LBaba
Novice
2,039 Views

IoT SDK MQTT SSL problem

Hi Everybody,

I have just joined and started playing with Intel Edison and AWS IoT SDK.

The last steps in the tutorial should make a secured MQTT connection to AWS IoT service but the openSSL refuses the connection with an SSL3 error.

When I installed the latest firmware I got the following warning:

 

InsecurePlatformWarning: A true SSLContext object is not available.

This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail.

For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.

Checking the link above:

 

Certain Python platforms (specifically, versions of Python earlier than 2.7.9) have restrictions in their ssl module that limit the configuration that urllib3 can apply. In particular, this can cause HTTPS requests that would succeed on more featureful platforms to fail, and can cause certain security features to be unavailable.

If you encounter this warning, it is strongly recommended you upgrade to a newer Python version, or that you use pyOpenSSL as described in the OpenSSL / PyOpenSSL section (https://urllib3.readthedocs.org/en/latest/security.html#pyopenssl).

and I also found this in the Yocto project manual:

5.7.4. SSL 3.0 is Now Disabled in OpenSSL (http://www.yoctoproject.org/docs/1.8/ref-manual/ref-manual.html#migration-1.8-ssl)

SSL 3.0 is now disabled when building OpenSSL. Disabling SSL 3.0 avoids any lingering instances of the POODLE vulnerability. If you feel you must re-enable SSL 3.0, then you can add an append file (*.bbappend) for the openssl recipe to remove "-no-ssl3" from EXTRA_OECONF (http://www.yoctoproject.org/docs/1.8/ref-manual/ref-manual.html#var-EXTRA_OECONF).

I think this causes my problem. Is there anybody who can provide me an updated image with SSL3 support for Edison?

9 Replies
Carlos_M_Intel
Employee
101 Views

Hi lbabaly,

When you run configure_edison --version, are you getting 159 as the result?

After following the steps from IoT - Setting up AWS IoT Thing SDK on the Intel® Edison Board | Intel® Developer Zone (https://software.intel.com/en-us/articles/setup-aws-iot-intel-edison-board), did you have problems? Were you able to run all those commands and install all the requirements?

Have you tried to build your own image by following those instructions?

..you can add an append file (*.bbappend) for the openssl recipe to remove "-no-ssl3" from EXTRA_OECONF (http://www.yoctoproject.org/docs/1.8/ref-manual/ref-manual.html#var-EXTRA_OECONF)...

Regards,

Charlie

LBaba
Novice
101 Views

Hi Charlie,

Yes, I have the latest version 159.

I followed the steps and everything worked fine until the last two commands with mosquitto. I got the following error:

root@myEdison:~# mosquitto_sub --cafile rootCA.pem --cert cert.pem --key privateKey.pem -h .iot.us-east-1.amazonaws.com -p 8883 -q 1 -d -t topic/test -i clientid1

Client clientid1 sending CONNECT

OpenSSL Error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Error: Protocol error

Unfortunately, I'm not so familiar with Linux at the moment to create my own build but I'm working on improving it. Anyway I was expecting that this IoT tutorial should have worked with the latest image without making my own one.

Carlos_M_Intel
Employee
101 Views

Hi lbabaly,

I'm going to investigate this and replicate the issue in order to help you with it. Have you made any other changes to your image? Have you installed anything else on the board, or are these the only changes you have made?

Kind regards,

Charlie

LBaba
Novice
101 Views

Hi Charlie,

I haven't installed any additional software. I just followed this step-by-step tutorial:

https://software.intel.com/en-us/articles/setup-aws-iot-intel-edison-board

Best regards,

Laszlo

Carlos_M_Intel
Employee
101 Views

Hi Laszlo,

This seems to be an error with obtaining the certification, take a look at: https://forums.aws.amazon.com/thread.jspa?messageID=454565 AWS Developer Forums: [Errno 1] _ssl.c:499: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICA

I suggest you contact the AWS Developer Forums: Discussion Forums (https://forums.aws.amazon.com/index.jspa) for a more appropriate response.

LBaba
Novice
101 Views

Hi Charlie,

Just one more question. Why do I get this message right after starting the aws cli setup (pip install awscli)?:

InsecurePlatformWarning: A true SSLContext object is not available.

This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail.

For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning

Thanks and regards,

Laszlo

Carlos_M_Intel
Employee
101 Views

Hi Laszlo,

The problem you are having seems to be an error while obtaining the certification from the server. We suggest you contact AWS support for more information about it.

Regards,

Charlie

LBaba
Novice
101 Views

Hi Charlie,

I clarified the problem with the AWS support and it turned out that the version number of the mosquitto in the Edison image is lower than required by the AWS IoT service. It has to support wildcard TLS certificates. Mosquitto supports this starting from version 1.4.

Here is how I upgraded my mosquitto:

echo "src/gz i586 http://iotdk.intel.com/repos/1.5/iotdk/i586/" >> /etc/opkg/base-feeds.conf

opkg update

opkg install util-linux-dev

wget http://mosquitto.org/files/source/mosquitto-1.4.4.tar.gz

tar xzf mosquitto-1.4.4.tar.gz

cd mosquitto-1.4.4

make

# Install

cp client/mosquitto_pub /usr/bin

cp client/mosquitto_sub /usr/bin

cp lib/libmosquitto.so.1 /usr/lib

cp src/mosquitto /usr/bin

Regards,

László
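
The wildcard-certificate point reported above from AWS support, as an added example that is not part of the original post and is not mosquitto's code: a hostname check that only accepts identical names rejects a wildcard certificate, while an RFC 6125 style check accepts it for exactly one leftmost label. The certificate name and the endpoint prefix below are constructed placeholders, and modelling the older client as an exact comparison is an assumption for illustration.

```python
"""Added example: certificate hostname matching with and without wildcard support."""


def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")


def match_exact_only(cert_name, host):
    """Model of a client without wildcard support: names must be identical."""
    return _labels(cert_name) == _labels(host)


def match_with_wildcard(cert_name, host):
    """Strict RFC 6125 reading: '*' is allowed only as the whole leftmost
    label, and it stands for exactly one label of the hostname."""
    pattern, target = _labels(cert_name), _labels(host)
    if "*" not in cert_name:
        return pattern == target
    # Reject wildcards anywhere but the complete leftmost label.
    if pattern[0] != "*" or any("*" in label for label in pattern[1:]):
        return False
    # Require at least two fixed labels after '*', so '*.com' never matches.
    if len(pattern) < 3 or len(pattern) != len(target):
        return False
    # The wildcard must cover a non-empty label; the rest must be identical.
    return target[0] != "" and pattern[1:] == target[1:]


def verify_host(cert_names, host, matcher):
    """True if any name presented by the certificate matches the host."""
    return any(matcher(name, host) for name in cert_names)


# Constructed sample data (assumptions, not taken from a real certificate).
CERT_NAMES = ["*.iot.us-east-1.amazonaws.com"]
ENDPOINT = "example-prefix.iot.us-east-1.amazonaws.com"

if __name__ == "__main__":
    for label, matcher in (("exact only", match_exact_only),
                           ("wildcard aware", match_with_wildcard)):
        print(label, "->", verify_host(CERT_NAMES, ENDPOINT, matcher))
    # A wildcard must not span labels or match the bare parent domain.
    for host in ("a.b.iot.us-east-1.amazonaws.com", "iot.us-east-1.amazonaws.com"):
        print(host, "->", verify_host(CERT_NAMES, host, match_with_wildcard))
```
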

JLeGo
Beginner
101 Views

Thank you László - this worked!
