MQTT with TLS for TI CC3200 fails with "Bad CA file" error

iot mqtt aws-iot tls ti-cc3200
2021-06-21 08:25:16

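This topic seems to be all over the place, but there is no conclusion on how to get MQTT-TLS working on the CC3200. So, here is one more.

Goal

Connect a TI CC3200 board to the AWS IoT broker over TLS.

Steps

Getting the certificates

To get the keys and certificate for TLS with AWS IoT, I used the AWS CLI as shown below: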

aws iot create-keys-and-certificate --set-as-active --certificate-pem-outfile cert.crt --private-key-outfile private.key --public-key-outfile public.key --region us-east-1

The root CA was downloaded as follows:

wget https://www.symantec.com/content/en/us/enterprise/verisign/roots/VeriSign-Class%203-Public-Primary-Certification-Authority-G5.pem -O rootCA.pem

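Changing the format

Based on the TI wiki, the board requires these files to be in DER format. So I used openssl on an AWS EC2 instance to convert the certificates as shown below. The link was helpful in getting the commands.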

openssl rsa -inform pem -in private.key -outform der -out private.der
openssl x509 -in cert.crt -outform der -out cert.der
openssl x509 -in rootCA.pem -outform der -out rootCA.der

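Flashing the certificates

These .der files need to be renamed to <someId>.der, where <someId> will be given as input to the structure. See the discussion here. Hence, the following renaming was done:

  • private.der → 126.der
  • cert.der → 127.der
  • rootCA.der → 128.der

All the .der files were flashed to the /cert/ location on the board.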

MQTT TLS

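In the Paho Embedded-C project, source code for the TI CC3200 module is available. This module will be used to establish the TLS connection with this method, int TLSConnectNetwork(Network *n, char* addr, int port, SlSockSecureFiles_t* certificates, unsigned char sec_method, unsigned int cipher, char server_verify), where SlSockSecureFiles_t is the parameter of interest for TLS. This parameter is defined in TI's socket.h using _u8. (I can see this locally in the zipped file of the documentation.)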

typedef struct sock_secureFiles
 {
     _u8                     secureFiles[4];
 } SlSockSecureFiles_t;

The array was created as shown below.

SlSockSecureFiles_t secure_file;
secure_file.secureFiles[0] = 126;
secure_file.secureFiles[1] = 127;
secure_file.secureFiles[2] = 128;
secure_file.secureFiles[3] = 0;

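The numbers are the file IDs of the files in /cert.

The other parameters of TLSNetworkConnect() were set as follows:

  • SL_SO_SEC_METHOD_TLSV1_2 for the security method, TLS v1.2.
  • SL_SEC_MASK_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA for the cipher suite.
  • 0 for server_verify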

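Result

The TLS connection does not happen.

Error

The connection to the broker keeps failing with the error code Bad CA file.

SSL session

I tried an openssl session with the .der files, and the connection seems fine.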

openssl s_client -connect xxxx.iot.us-east-1.amazonaws.com:8883 -CAfile rootCA.pem -key private.der -keyform der -cert cert.der -certform DER
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 C = US, ST = Washington, L = Seattle, O = "Amazon.com, Inc.", CN = *.iot.us-east-1.amazonaws.com
verify return:1
140493918627480:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:s3_pkt.c:1487:SSL alert number 42
140493918627480:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=*.iot.us-east-1.amazonaws.com
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGGjCCBQKgAwIBAgIQLnQIWjfERfw1k/3WWKINNTANBgkqhkiG9w0BAQsFADB+
.......
05vnq6DeWRLXoQYZoJm9ysbfVsRx9QB3YRy0C79Cie5bvmO7ib2sQ0OdfB42eg+v
I9KM/MH7QgMiCeHVBnoxdysrLBF9cyGt3MJHwzVi
-----END CERTIFICATE-----
subject=/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=*.iot.us-east-1.amazonaws.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3387 bytes and written 138 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 5B23B08B6883D21....62AD324D2DD
    Session-ID-ctx: 
    Master-Key: F5EBEA2F775C5E6....A79E48373756C75207B0D
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1529065611
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
0 answers
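A pre-flash sanity check for the "Changing the format" step, added here as an example and not part of the original post: it reports whether each file is still PEM text, a single well-formed DER element, or neither (for example truncated or with trailing bytes). It inspects only the encoding container, not the certificate contents, and says nothing about what the device accepts; the file names come from the post, and the sample bytes are constructed.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def der_outer_length(data):
    """Total encoded size of the outer DER SEQUENCE, or None if the header is not DER."""
    if len(data) < 2 or data[0] != 0x30:        # certificates and RSA keys start with SEQUENCE
        return None
    first = data[1]
    if first < 0x80:                            # short-form length
        return 2 + first
    n = first & 0x7F                            # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:    # n == 0 is indefinite length (BER only)
        return None
    length = int.from_bytes(data[2:2 + n], "big")
    if length < 0x80 or data[2] == 0:           # DER requires the minimal length encoding
        return None
    return 2 + n + length

def classify(data):
    """Return 'pem', 'der', or 'invalid: <reason>' for the raw bytes of one file."""
    if PEM_RE.search(data):
        return "pem"
    total = der_outer_length(data)
    if total is None:
        return "invalid: no DER SEQUENCE header"
    if total != len(data):
        return f"invalid: header says {total} bytes, file has {len(data)}"
    return "der"

def pem_to_der(data):
    """Decode the first PEM block to its DER bytes."""
    m = PEM_RE.search(data)
    if m is None:
        raise ValueError("no PEM block found")
    return base64.b64decode(b"".join(m.group(2).split()))

def check_files(files):
    """Map each file name to its classification; files is {name: bytes}."""
    return {name: classify(blob) for name, blob in files.items()}

# Constructed sample: a 200-byte SEQUENCE body, not a real certificate or key.
SAMPLE_DER = b"\x30\x81\xc8" + bytes(range(200))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    report = check_files({"126.der": SAMPLE_DER, "127.der": SAMPLE_PEM,
                          "128.der": SAMPLE_DER[:-5]})
    for name, status in report.items():
        print(name, status)
```

To check real files, pass `{"128.der": open("128.der", "rb").read()}` and so on to `check_files`.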