Friday, October 14, 2016

AWS MQTT on OSX


In the OSX app here, I can use AWS MQTT with iOS9, but when I try the same with OSX10.11, I get this error:

CFNetwork SSLHandshake failed (-9829)

Error -9828 is defined as

errSSLPeerCertUnknown = -9829, /* unknown certificate */

My OSX info.plist is

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>amazonaws.com</key>
        <dict>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSThirdPartyExceptionMinimumTLSVersion</key>
            <string>TLSv1.0</string>
            <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSIncludesSubdomains</key>
            <true/>
        </dict>
        <key>amazonaws.com.cn</key>
        <dict>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSThirdPartyExceptionMinimumTLSVersion</key>
            <string>TLSv1.0</string>
            <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSIncludesSubdomains</key>
            <true/>
        </dict>
    </dict>
</dict>

The p12 (from "openssl pkcs12 -info -in awsiot-identity.p12") is:

MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    localKeyID: 5F 80 DC 6E AB F1 98 6A AA FC 0B 7B 04 F9 0E 66 99 E9 86 4F
subject=/CN=AWS IoT Certificate
issuer=/OU=Amazon Web Services O=Amazon.com Inc. L=Seattle ST=Washington C=US
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
    localKeyID: 5F 80 DC 6E AB F1 98 6A AA FC 0B 7B 04 F9 0E 66 99 E9 86 4F
Key Attributes: <No Attributes>

Why does OSX fail but iOS succeed?

2 Answers

Answer 1

It is failing because of an SSL handshake issue. It is detecting an invalid certificate.

A similar issue was reported and resolved here, referencing the same error code. That issue was traced to an identity mismatch, due to multiple identities in the p12 file.

In that case, there were two certificates in the p12 files, but the code was only reading the first one.

I suggest dumping the contents of the .p12 file and confirming the certificate(s). Post them here to review.
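An added diagnostic script for the check this answer asks for (not code from the original post): it parses the text of an "openssl pkcs12 -info" dump, lists each certificate bag together with whether a key bag shares its localKeyID, and fails for anything other than one certificate with one matching key, which flags the multi-identity case. The sample dumps are constructed from the structure of the dump in the question, with the PEM bodies omitted.

```shell
# Added example (not from the original post): audit the output of
# "openssl pkcs12 -info -nodes -in awsiot-identity.p12" by listing each
# certificate bag, checking for a key bag with the same localKeyID, and exiting 0
# only for one certificate with one matching key (the clean single-identity case).
audit_p12_dump() {
  awk '
    /^Certificate bag/         { sec = "cert"; nc++ }
    /^(Shrouded )?Key ?[Bb]ag/ { sec = "key";  nk++ }
    /localKeyID:/ {
      id = $0; sub(/.*localKeyID:[ \t]*/, "", id); sub(/[ \t]+$/, "", id)
      if (sec == "cert") certid[nc] = id
      else if (sec == "key") keyid[nk] = id
    }
    /^subject=/ && sec == "cert" { subj[nc] = substr($0, 9) }
    END {
      nm = 0
      for (c = 1; c <= nc; c++) {
        m = "no"
        for (k = 1; k <= nk; k++) if (keyid[k] == certid[c]) m = "yes"
        if (m == "yes") nm++
        printf "cert %d: %s key-match=%s\n", c, subj[c], m
      }
      printf "certificates=%d keys=%d matched=%d\n", nc + 0, nk + 0, nm
      if (nc == 1 && nk == 1 && nm == 1) exit 0
      exit 1
    }'
}

# Constructed sample modelled on the dump in the question (PEM bodies omitted):
# one certificate bag and one shrouded key bag that share a localKeyID.
sample_dump() {
  cat <<'EOF'
Certificate bag
Bag Attributes
    localKeyID: 5F 80 DC 6E AB F1 98 6A AA FC 0B 7B 04 F9 0E 66 99 E9 86 4F
subject=/CN=AWS IoT Certificate
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
    localKeyID: 5F 80 DC 6E AB F1 98 6A AA FC 0B 7B 04 F9 0E 66 99 E9 86 4F
Key Attributes: <No Attributes>
EOF
}

# Two-certificate case from this answer: a stale cert precedes the real one, so only cert 2 matches the key.
sample_dump_two_certs() {
  printf 'Certificate bag\nBag Attributes\n    localKeyID: 01 02 03\nsubject=/CN=Stale Certificate\n'
  sample_dump
}
```

Pipe a real dump in with `openssl pkcs12 -info -nodes -in awsiot-identity.p12 | audit_p12_dump`; a non-zero exit with more than one certificate listed means the p12 carries extra identities, while a clean single identity points at the trust-store explanation instead.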

Answer 2

You are missing the signing CA on your OS X for the certificate. Depending on how you created your certificate, you need to import the CA into your keychain. Refer here.
