
CCS/CC3235SF: AWS IoT Plugin: network disconnect when MQTT client attempts connect

Part Number: CC3235SF

Tool/software: Code Composer Studio

Hello,

I am using AWS IoT Plugin and receiving the following problem.

Starting the AWS IoT example application

startSNTP: Current time: Mon Apr  8 12:35:02 2019


CC32XX has connected to AP and acquired an IP address.

IP Address: 192.168.29.138


AWS IoT SDK Version 3.0.1-



Connecting...


ERROR: runAWSClient L#108
Error(-7) connecting to audqth7zumq6e-ats.iot.us-east-1.amazonaws.com:8883


Subscribing...


ERROR: runAWSClient L#126
Error subscribing (-13)


ERROR: runAWSClient L#178
An error occurred in the loop. Error code = -13

I narrowed the culprit to the following - aws_iot_mqtt_client_connect.c, ln 477.  Although the error is -7 in the UART output, rc is 0xD7.

My first thinking was IoT policy since I had good constraints (and thought perhaps connect constraint was causing the problem) but after making the policy have no constraints.

  • Also, should point out I am using ATS endpoint and have configured the ATS CA into certs.h
  • Also, same CA+CRT+KEY+ClientId using python SDK works fine.
  • Hi Richard,

    There are two causes at work here which are making the CC3235 + ATS certs have issues.

    First, with the new ATS endpoints the AWS server cert is signed by a cert chain containing the Amazon Root CA cert. However, the Amazon Root CA certs provided as part of the server hello appear to be signed by a Starfield cert chain, culminating with the Starfield Class 2 Certificate Authority cert. As such, the CC32xx devices will expect to see that Starfield cert passed to the NWP during the TLS connect handshake. Thus, you should be providing the Starfield Class 2 Certificate Authority certificate as the root CA cert when connecting to ATS-secured services and endpoints.

    The second thing is that there is currently a bug with the CC3235 where the Starfield Class 2 Certificate Authority causes a TLS error due to an ECC curve error, making it impossible to connect to an ATS endpoint with the CC3235. This is an issue that is being investigated and debugged at the moment.

    The aforementioned issue does not affect the CC3220, so I suggest using the CC3220 and testing the AWS IoT example with the Starfield cert and seeing if that works.

    Let me know if you need more clarification on why the Starfield cert is needed, or if you have any further questions on using the AWS IoT plugin.

    Regards,
    Michael
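
The first point in the reply above, as an added example that is not part of the original thread and is not TI or AWS code: a shell sketch over a constructed three-certificate PKI that finds which root the chain as served terminates in, and checks whether the root CA file chosen for provisioning is that one. All subject names and file names are stand-ins (not the real Starfield or Amazon certificates), the `openssl` CLI is assumed to be installed, and the comparison is by name only, with no signature validation.

```shell
#!/bin/sh
# Added example over a constructed PKI; every name and file here is a stand-in.

# selfsigned SUBJECT KEY OUT: fresh RSA key plus a self-signed certificate.
selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "$1" \
    -keyout "$2" -out "$3" 2>/dev/null
}

# make_chain DIR: legacy root -> cross-signed newer CA -> server leaf.
make_chain() {
  selfsigned "/CN=Constructed Legacy Root" "$1/legacy.key" "$1/legacy.pem"
  selfsigned "/CN=Constructed New Root" "$1/new.key" "$1/new_self.pem"
  # Same newer-CA key and name, but issued (cross-signed) by the legacy root.
  openssl req -new -key "$1/new.key" -subj "/CN=Constructed New Root" \
    -out "$1/new.csr" 2>/dev/null
  openssl x509 -req -in "$1/new.csr" -CA "$1/legacy.pem" -CAkey "$1/legacy.key" \
    -CAcreateserial -days 2 -out "$1/new_cross.pem" 2>/dev/null
  # Leaf issued by the newer CA; the server sends leaf + cross-signed CA cert.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/leaf.key" \
    -subj "/CN=endpoint.example.test" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/new_self.pem" -CAkey "$1/new.key" \
    -CAcreateserial -days 2 -out "$1/leaf.pem" 2>/dev/null
  cat "$1/leaf.pem" "$1/new_cross.pem" > "$1/served.pem"
}

# served_anchor BUNDLE: issuer of the last certificate in the served chain,
# i.e. the root a client that follows the chain as sent must already hold.
served_anchor() {
  awk '/-----BEGIN CERTIFICATE-----/{buf=""} {buf=buf $0 "\n"} END{printf "%s", buf}' "$1" |
    openssl x509 -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# root_matches BUNDLE ROOT: true when ROOT's subject is that anchor (names only).
root_matches() {
  subj=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  [ "$subj" = "$(served_anchor "$1")" ]
}

d=$(mktemp -d) && make_chain "$d"
echo "served chain terminates in: $(served_anchor "$d/served.pem")"
root_matches "$d/served.pem" "$d/new_self.pem" || echo "new_self.pem: not the anchor"
root_matches "$d/served.pem" "$d/legacy.pem" && echo "legacy.pem: anchor of the served chain"
```

Against a real endpoint, the bundle passed to `served_anchor` would be the certificates printed by `openssl s_client -connect <host>:8883 -showcerts`.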

  • Thank you, I will need to wait for a fix to the NWP firmware.