Comments (8)
You are expected to set up your own Echo Server as mentioned in the Appendix J: TLS Server Setup section of this document: https://github.com/aws/amazon-freertos/blob/master/tests/Amazon%20FreeRTOS%20Qualification%20Program%20Developer%20Guide.pdf
Thanks.
from amazon-freertos.
@aggarg, I also tried to set up a local TLS server with a self-signed certificate based on Appendix J, but the Wireshark packet log showed it stopping after "Client Key Exchange".
Is there any suggestion for the local TLS server setting or device config file?
With the default TLS server 34.218.25.197, the log showed the scenario is OK except for an unknown CA:
from amazon-freertos.
@aggarg, after enabling TLS debug, the log showed the failure at "mbedtls_pk_sign() returned 6".
Tracing the source code, rsa_prepare_blinding() failed in private key signing.
However, in this client key exchange, the private key should be generated at random; it's the "premaster secret". From the device's viewpoint, it just needs to prepare the correct HOST-ROOT certificate.
Is there any misunderstanding?
from amazon-freertos.
@cyliangtw hello, it looks like the Appendix J text that @aggarg referenced above could benefit from some improvement. In the meantime, here's a modified version of that section that attempts to be more clear about server certificate configuration versus client certificate configuration (since both are required in order for the tests to work):
Appendix J: TLS Server Setup
A simple TLS echo server is provided with Amazon FreeRTOS code. It is located in $AFR_HOME/tests/common/utils/tls_echo_server.go. Instructions:
1. Install the latest version of Go on your server host: https://golang.org/dl/
2. Install openssl on your server host:
   a. Linux --- https://www.openssl.org/source/
   b. Windows --- https://slproweb.com/products/Win32OpenSSL.html
3. Copy tls_echo_server.go to a directory you choose.
4. Generate a TLS server self-signed certificate and private key. See $AFR_HOME/tests/common/utils/readme-gencert.txt for the openssl commands to generate a self-signed server certificate and private key.
5. Copy the server certificate and private key .pem files into a subdirectory called "certs". The "certs" directory should be a subdirectory of the directory where the server code will run.
6. Start the TLS server by running: go run tls_echo_server.go
7. The server will listen on port 9000. The IP address and the port must be set in $AFR_HOME/tests/common/tests/common/include/aws_test_tcp.h. For example, if your server's IP address is 192.168.2.6, set the following macros:

   Macro definition for TLS server    Example value if address is 192.168.2.6
   tcptestECHO_SERVER_TLS_ADDR0       192
   tcptestECHO_SERVER_TLS_ADDR1       168
   tcptestECHO_SERVER_TLS_ADDR2       2
   tcptestECHO_SERVER_TLS_ADDR3       6
   tcptestECHO_PORT_TLS               ( 9000 )

8. The tests will check the server certificate. In $AFR_HOME/tests/common/tests/common/include/aws_test_tcp.h, set tcptestECHO_HOST_ROOT_CA to your formatted server certificate. You can use the formatting tool to format your server certificate.
9. The AFQP secure sockets tests require TLS mutual authentication to be configured. The readme-gencert.txt file also describes how to generate a client certificate and private key that is signed by the server key. This will allow the custom echo server to trust the client certificate presented by your device during TLS authentication. The client certificate and private key must be PEM formatted and copied into aws_clientcredential_keys.h before building and running the test project on the device.
from amazon-freertos.
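The steps quoted above come down to a Go TLS server behind a self-signed certificate and a device that trusts that certificate as its only root CA. The program below is an added example written for this page, not the project's tls_echo_server.go and not the openssl recipe from readme-gencert.txt: it generates the self-signed server certificate in memory, listens on an ephemeral loopback port instead of 9000, and then connects twice as a client, once with the server certificate installed as the root (the role tcptestECHO_HOST_ROOT_CA plays on the device) and once with no root, which fails with the unknown-authority error seen in this thread. The function names selfSignedCert, startEchoServer and echoOnce, the message text and the 24-hour validity are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// selfSignedCert stands in for the openssl steps in readme-gencert.txt: an in-memory self-signed
// server certificate for 127.0.0.1, returned as the server key pair plus the PEM a client must trust.
func selfSignedCert() (tls.Certificate, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // assumed validity for the example
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // the SAN the client checks
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, certPEM, nil
}

// startEchoServer creates the certificate, listens on an ephemeral loopback port (the project's server
// uses 9000) and echoes each TLS session's bytes back. ClientAuth stays at tls.NoClientCert.
func startEchoServer() (string, []byte, error) {
	pair, rootPEM, err := selfSignedCert()
	if err != nil {
		return "", nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{pair},
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				defer c.Close()
				io.Copy(c, c) // handshake runs on first read; a failed one just ends the session
			}(c)
		}
	}()
	return ln.Addr().String(), rootPEM, nil
}

// echoOnce connects as the device would, trusting only rootPEM, sends msg and returns the echo.
// Without the server certificate in rootPEM the handshake fails with x509.UnknownAuthorityError.
func echoOnce(addr string, rootPEM []byte, msg string) (string, error) {
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(rootPEM)
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, &tls.Config{RootCAs: roots})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	if _, err = conn.Write([]byte(msg)); err != nil {
		return "", err
	}
	buf := make([]byte, len(msg))
	if _, err = io.ReadFull(conn, buf); err != nil {
		return "", err
	}
	return string(buf), nil
}

func main() {
	addr, rootPEM, err := startEchoServer()
	if err != nil {
		panic(err)
	}
	got, err := echoOnce(addr, rootPEM, "hello from device")
	fmt.Printf("server cert installed as root CA: %q err=%v\n", got, err)
	_, err = echoOnce(addr, nil, "hello from device")
	fmt.Printf("no root CA installed: err=%v\n", err)
}
```

The server config never sets ClientAuth, so no client certificate is requested from the device. To reproduce the mutual-authentication variant described in step 9 instead, set ClientAuth: tls.RequireAndVerifyClientCert and a ClientCAs pool on the server's tls.Config, and give the client a Certificates entry signed by a key in that pool; the client-side signing that a CertificateVerify message needs is exactly the private-key operation that is absent from the one-way handshake above.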
@dcgaws, thanks for your improvement of the guide; I missed the 9th step in the previous test.
I don't know which client private key & certificate in aws_clientcredential_keys.h should be replaced by the generated client private key & certificate signed with the tcptestECHO_HOST local server key.
So, I just tried to replace all of clientcredentialCLIENT_xxx, tlstestCLIENT_xxx, tlstestCLIENT_UNTRUSTED_xxx & tlstestCLIENT_BYOC_xxx in aws_clientcredential_keys.h.
However, it still failed with "mbedtls_pk_sign() returned 6".
from amazon-freertos.
@dcgaws, after enlarging configTOTAL_HEAP_SIZE, it could pass the SSL handshake without the 9th step.
Is the 9th step mandatory?
If it is, which entry in aws_clientcredential_keys.h should the generated client certificate be copied into?
from amazon-freertos.
After further checking it turns out that we do not need client certificate and private key for the Go Lang echo server. Thank you for bringing it to our attention. We will update our instructions.
Regarding the heap size, using the Malloc Failed Hook function as described on the following page may have been helpful in debugging: https://www.freertos.org/a00016.html
from amazon-freertos.
@aggarg, thanks for your clarification & suggestion.
from amazon-freertos.