RTOS/CC3220SF-LAUNCHXL: Error(-12 ) Connecting to AWS IOT Core using Subscribe and Publish sample. Error in iot_tls_read function (recv() returned 0)

Part Number: CC3220SF-LAUNCHXL
Other Parts Discussed in Thread: SHA-256, CC3220SF, UNIFLASH

Tool/software: TI-RTOS

Hello,

Recently I programmed the CC3220SF-LAUNCHXL with the Subscribe_publish_sample program to connect to AWS IoT Core, but I am not able to connect to the AWS IoT server; the AWS IoT server is not sending an ACK response (iot_tls_read function: recv() returned 0).

Versions Info

SimpleLink Version : simplelink_cc32xx_sdk_2_30_00_05

AWS IOT Plugin : aws_cc32xx_2_10_00_04
Service pack : sp_3.9.0.6_2.0.0.0_2.2.0.6.bin


Application fails in the aws_iot_mqtt_internal_wait_for_read() function and returns Error NETWORK_SSL_READ_ERROR.

File Name : aws_iot_mqtt_client_connect.c+424

/* send the connect packet */
rc = aws_iot_mqtt_internal_send_packet(pClient, len, &connect_timer);
if(SUCCESS != rc) {
    FUNC_EXIT_RC(rc);
}

/* this will be a blocking call, wait for the CONNACK */
rc = aws_iot_mqtt_internal_wait_for_read(pClient, CONNACK, &connect_timer);
if(SUCCESS != rc) {
    FUNC_EXIT_RC(rc);
}

NOTE: The yellow-highlighted function fails because the sub-function recv() in iot_tls_read() returns 0.

My various configurations are as follows.

1. aws iot configuration

#define AWS_IOT_MQTT_HOST "xxxxxxxxxxxxxx-ats.iot.ap-south-1.amazonaws.com"

#define AWS_IOT_MQTT_PORT 8883

#define AWS_IOT_MQTT_CLIENT_ID "arn:aws:iot:ap-south-1:xxxxxxxxxxxx:thing/aws_iot"

#define AWS_IOT_MY_THING_NAME "aws_iot"

2. AWS policy in aws iot core server

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": "*"
    }
  ]
}

My Certificate files are formatted like this


I am using the ATS endpoint in the Mumbai region. The Root CA certificate used has an RSA 2048-bit key.

unsigned char root_ca_pem[] =
"-----BEGIN CERTIFICATE-----\r\n"
"MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF\r\n"

<>
"rqXRfboQnoZsG4q5WTP468SQvvG5\r\n"
"-----END CERTIFICATE-----";

As per the following thread: https://e2e.ti.com/support/wireless-connectivity/wifi/f/968/t/735565

I used both endpoints for the connection, but it is still failing.

With ATS :  xxxxxxxxxxxxxx-ats.iot.ap-south-1.amazonaws.com

Without ATS : xxxxxxxxxxxxxx.iot.ap-south-1.amazonaws.com

I also have the correct timestamp, offset (added 19800) from GMT to get the local time.

do {
    /* Get the time using the built in NTP server list: */
    retval = SNTP_getTime(NULL, 0, &timeval, &ntpTimeStamp);
    if (retval != 0) {
        Display_printf(display, 0, 0,
            "startSNTP: couldn't get time (%d), will retry in %d secs ...",
            retval, NTP_POLL_TIME);
        sleep(NTP_POLL_TIME);
        Display_printf(display, 0, 0, "startSNTP: retrying ...");
    }

    /* Save the current (NTP Epoch based) time */
    currentTimeNtp = (ntpTimeStamp >> 32) + 19800;  /* Offset by 5:30 hrs with respect to GMT */

} while (retval < 0);

Any help would be very helpful.

My console logs are as follows:

 

Starting the AWS IoT example application

startSNTP: Current time: Mon Dec 31 17:50:14 2018


CC32XX has connected to AP and acquired an IP address.

IP Address: 192.168.X.X

Flashing certificate file ...
Successfully wrote file /cert/ca.pem to flash

Flashing certificate file ...
Successfully wrote file /cert/cert.pem to flash

Flashing certificate file ...
Successfully wrote file /cert/key.pem to flash


AWS IoT SDK Version 3.0.1-

FUNC_ENTRY: aws_iot_mqtt_init L#210

FUNC_ENTRY: aws_iot_mqtt_set_connect_params L#139

FUNC_EXIT: aws_iot_mqtt_set_connect_params L#169 Return Code : 0

FUNC_EXIT: aws_iot_mqtt_init L#281 Return Code : 0

Connecting...


FUNC_ENTRY: aws_iot_mqtt_connect L#461

FUNC_ENTRY: aws_iot_mqtt_get_client_state L#63

FUNC_EXIT: aws_iot_mqtt_get_client_state L#68 Return Code : 1

FUNC_ENTRY: aws_iot_mqtt_set_client_state L#110

FUNC_ENTRY: aws_iot_mqtt_get_client_state L#63

FUNC_EXIT: aws_iot_mqtt_get_client_state L#68 Return Code : 1

FUNC_EXIT: aws_iot_mqtt_set_client_state L#135 Return Code : 0

FUNC_ENTRY: _aws_iot_mqtt_internal_connect L#391

FUNC_ENTRY: aws_iot_mqtt_set_connect_params L#139

FUNC_EXIT: aws_iot_mqtt_set_connect_params L#169 Return Code : 0

FUNC_ENTRY: _aws_iot_mqtt_serialize_connect L#161

FUNC_ENTRY: _aws_iot_get_connect_packet_length L#124

FUNC_EXIT: _aws_iot_get_connect_packet_length L#141 Return Code : 83

FUNC_ENTRY: aws_iot_mqtt_internal_init_header L#188

FUNC_EXIT: aws_iot_mqtt_internal_init_header L#264 Return Code : 0

FUNC_ENTRY: aws_iot_mqtt_internal_write_len_to_buffer L#59

FUNC_EXIT: aws_iot_mqtt_internal_write_len_to_buffer L#70 Return Code : 1

FUNC_EXIT: _aws_iot_mqtt_serialize_connect L#245 Return Code : 0

FUNC_ENTRY: aws_iot_mqtt_internal_send_packet L#272

FUNC_EXIT: aws_iot_mqtt_internal_send_packet L#315 Return Code : 0

FUNC_ENTRY: aws_iot_mqtt_internal_wait_for_read L#657

FUNC_EXIT: aws_iot_mqtt_internal_wait_for_read L#674 Return Code : -12

FUNC_EXIT: _aws_iot_mqtt_internal_connect L#426 Return Code : -12

FUNC_ENTRY: aws_iot_mqtt_set_client_state L#110

FUNC_ENTRY: aws_iot_mqtt_get_client_state L#63

FUNC_EXIT: aws_iot_mqtt_get_client_state L#68 Return Code : 2

FUNC_EXIT: aws_iot_mqtt_set_client_state L#135 Return Code : 0

FUNC_EXIT: aws_iot_mqtt_connect L#490 Return Code : -12

ERROR: runAWSClient L#108
Error(-12) connecting to XXXXXXXXXX-ats.iot.ap-south-1.amazonaws.com:8883


FUNC_ENTRY: aws_iot_mqtt_autoreconnect_set_status L#337

FUNC_EXIT: aws_iot_mqtt_autoreconnect_set_status L#342 Return Code : 0

Subscribing...


FUNC_ENTRY: aws_iot_mqtt_subscribe L#301

FUNC_ENTRY: aws_iot_mqtt_is_client_connected L#292

FUNC_EXIT: aws_iot_mqtt_is_client_connected L#323 Return Code : 0

FUNC_EXIT: aws_iot_mqtt_subscribe L#308 Return Code : -13

ERROR: runAWSClient L#126
Error subscribing (-13)


ERROR: runAWSClient L#178
An error occurred in the loop. Error code = -13

 

  • Hi,

    Thank you for providing such complete debug info. It really helps eliminate common errors that typically prevent AWS connections from working.

    One thing that you can try is reducing the length of your client ID. The client ID is just an arbitrary string that you can set - it doesn't need to be the ARN of your thing. However, according to the MQTT spec it should only be maximum 23 characters long.
    Additionally, you need to ensure that you do not have any special characters in your client ID. According to the spec, MQTT client IDs can only be comprised of alphanumeric characters. See the client ID spec here for reference:
    docs.oasis-open.org/.../mqtt-v3.1.1-os.html

    Something else you can try is to set up a new thing in a different region, in case your error has to do with the AWS region you are using. From my testing, US east 2 (Ohio) works well. Try that and see if it helps.

    Let me know if that doesn't fix things and we can try other debug steps.

    Regards,
    Michael
  • Hi Michael,

    Thanks for your quick response.

    As per your suggestions, I tried the following:

    1. Changed the MQTT client ID to alphanumeric.

    #define AWS_IOT_MQTT_HOST "a2ghcv2zwudtu-ats.iot.us-east-2.amazonaws.com"
    #define AWS_IOT_MQTT_PORT 8883
    #define AWS_IOT_MQTT_CLIENT_ID "arn1"
    #define AWS_IOT_MY_THING_NAME "iotUSEast"

    Conclusion: Still not working.

    2. I created the thing and tried the subscribe_publish_example in the US East 2 (Ohio) region.

    Conclusion: Still not working.

    Experiments with Subscribe_publish_sample on the Ubuntu operating system

    I have tried experimenting on the Ubuntu operating system using the AWS IoT SDK.

    SDK Path: https://github.com/aws/aws-iot-device-sdk-embedded-C/tree/master/samples/linux/subscribe_publish_sample

    Subscribe_publish_example is working well in both US-East-2 (Ohio) and ap-south-1 (Mumbai).

    The following are the working logs from the Ubuntu terminal:

    ubuntu@ubuntu:~/aws-iot-device-sdk-embedded-C/samples/linux/subscribe_publish_sample$ ./subscribe_publish_sample

    AWS IoT SDK Version 3.0.1-

    DEBUG: iot_tls_connect L#138 . Loading the CA root certificate ...
    DEBUG: iot_tls_connect L#144 ok (0 skipped)

    DEBUG: iot_tls_connect L#146 . Loading the client cert. and key...
    DEBUG: iot_tls_connect L#159 ok

    DEBUG: iot_tls_connect L#161 . Connecting to xxxxxxxxxxxxx-ats.iot.ap-south-1.amazonaws.com/8883...
    DEBUG: iot_tls_connect L#180 ok

    DEBUG: iot_tls_connect L#182 . Setting up the SSL/TLS structure...
    DEBUG: iot_tls_connect L#223

    SSL state connect : 0
    DEBUG: iot_tls_connect L#226 ok

    DEBUG: iot_tls_connect L#228

    SSL state connect : 0
    DEBUG: iot_tls_connect L#229 . Performing the SSL/TLS handshake...
    DEBUG: _iot_tls_verify_cert L#49
    Verify requested for (Depth 2):

    DEBUG: _iot_tls_verify_cert L#51 cert. version : 3
    serial number : XX:XX:XX:XX:XX::BF:8C:0A:39:E2:F0:78:8A:43:E6:96:36:5B:CA
    issuer name : C=US, O=Amazon, CN=Amazon Root CA 1
    subject name : C=US, O=Amazon, CN=Amazon Root CA 1
    issued on : 2015-05-26 00:00:00
    expires on : 2038-01-17 00:00:00
    signed using : RSA with SHA-256
    RSA key size : 2048 bits
    basic constraints : CA=true
    key usage : Digital Signature, Key Cert Sign, CRL Sign

    DEBUG: _iot_tls_verify_cert L#54 This certificate has no flags

    DEBUG: _iot_tls_verify_cert L#49
    Verify requested for (Depth 1):

    DEBUG: _iot_tls_verify_cert L#51 cert. version : 3
    serial number : XX:XX:XX:XX:XX:87:E8:AC:77:DE:B2:53:32:5B:BC:99:8B:56:0D
    issuer name : C=US, O=Amazon, CN=Amazon Root CA 1
    subject name : C=US, O=Amazon, OU=Server CA 1B, CN=Amazon
    issued on : 2015-10-22 00:00:00
    expires on : 2025-10-19 00:00:00
    signed using : RSA with SHA-256
    RSA key size : 2048 bits
    basic constraints : CA=true, max_pathlen=0
    key usage : Digital Signature, Key Cert Sign, CRL Sign

    DEBUG: _iot_tls_verify_cert L#54 This certificate has no flags

    DEBUG: _iot_tls_verify_cert L#49
    Verify requested for (Depth 0):

    DEBUG: _iot_tls_verify_cert L#51 cert. version : 3
    serial number : XX:XX:XX:XX:XX::69:89:F5:6C:96:A4:B4:D9:85:10:17
    issuer name : C=US, O=Amazon, OU=Server CA 1B, CN=Amazon
    subject name : CN=*.iot.ap-south-1.amazonaws.com
    issued on : 2018-05-04 00:00:00
    expires on : 2019-05-04 12:00:00
    signed using : RSA with SHA-256
    RSA key size : 2048 bits
    basic constraints : CA=false
    subject alt name : iot.ap-south-1.amazonaws.com, *.iot.ap-south-1.amazonaws.com
    key usage : Digital Signature, Key Encipherment
    ext key usage : TLS Web Server Authentication, TLS Web Client Authentication

    DEBUG: _iot_tls_verify_cert L#54 This certificate has no flags

    DEBUG: iot_tls_connect L#246 ok
    [ Protocol is TLSv1.2 ]
    [ Ciphersuite is TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 ]

    DEBUG: iot_tls_connect L#248 [ Record expansion is 29 ]

    DEBUG: iot_tls_connect L#253 . Verifying peer X.509 certificate...
    DEBUG: iot_tls_connect L#262 ok

    DEBUG: iot_tls_connect L#272 . Peer certificate information ...

    DEBUG: iot_tls_connect L#274 cert. version : 3
    serial number : XX:XX:XX:XX:XX::69:89:F5:6C:96:A4:B4:D9:85:10:17
    issuer name : C=US, O=Amazon, OU=Server CA 1B, CN=Amazon
    subject name : CN=*.iot.ap-south-1.amazonaws.com
    issued on : 2018-05-04 00:00:00
    expires on : 2019-05-04 12:00:00
    signed using : RSA with SHA-256
    RSA key size : 2048 bits
    basic constraints : CA=false
    subject alt name : iot.ap-south-1.amazonaws.com, *.iot.ap-south-1.amazonaws.com
    key usage : Digital Signature, Key Encipherment
    ext key usage : TLS Web Server Authentication, TLS Web Client Authentication


    Subscribing...
    -->sleep
    Subscribe callback
    sdkTest/sub hello from SDK QOS0 : 0
    Subscribe callback
    sdkTest/sub hello from SDK QOS1 : 1
    -->sleep

                               

    The differences between the two Subscribe_and_publish examples (AWS IoT SDK example, AWS plugin by TI example) are:

    1. Subscribe_publish_example (from the AWS TI plugin)

       http://dev.ti.com/tirex/#/?link=Software%2FSimpleLink%20SDK%20Plugins%2FSimpleLink%20CC32XX%20SDK%20AWS%20IoT%20Plugin%2FExamples%2FDevelopment%20Tools%2FCC3220SF-LAUNCHXL%2Faws%2Fsubscribe_publish_sample%2FTI-RTOS%2FCCS%20Compiler%2Fsubscribe_publish_sample

       i. Certificates should be loaded using an array. (I have added "\r\n" at the end of each line in the certificates. Tried the certificate loading many times, still not working.)

       ii. HAL library (service pack)

    2. Subscribe_publish_example (AWS IoT SDK for C)

       https://github.com/aws/aws-iot-device-sdk-embedded-C/tree/master/samples/linux/subscribe_publish_sample

       i. Certificates are loaded as files in the subscribe_publish_example provided by the AWS IoT SDK.

          https://github.com/aws/aws-iot-device-sdk-embedded-C/tree/master/certs

       ii. HAL library (TCP/IP stack on the Ubuntu machine)

    In conclusion, from what I observed, the certificate loading method and the HAL layer are the differences between the working and non-working Subscribe_publish_sample.

    Is there any configuration I need to do with respect to the service pack while loading the image onto the CC3220SF using UniFlash?

    Any debugging steps will be very helpful.

    Regards,

    Sivanantham M
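
The certificate arrays described in the posts above (PEM text held in a C string with "\r\n" after each line) can be sanity-checked on a host machine before they are flashed. This is an added example, not code from the thread, the TI plugin or the AWS SDK; `pem_check`, its result codes and `sample_pem` are hypothetical names, and the sample is a constructed stand-in rather than a real certificate.

```c
#include <stddef.h>
#include <string.h>

enum { PEM_OK = 0, PEM_NO_MARKERS = -1, PEM_BAD_CHAR = -2, PEM_BAD_DER = -3 };

/* Constructed stand-in, not a real certificate: DER header 30 82 01 1C
 * followed by 284 zero bytes, base64-encoded as six 64-character lines. */
#define A16 "AAAAAAAAAAAAAAAA"
#define A64 A16 A16 A16 A16 "\r\n"
const char sample_pem[] =
    "-----BEGIN CERTIFICATE-----\r\n"
    "MIIBHAAA" A16 A16 A16 "AAAAAAAA\r\n"
    A64 A64 A64 A64 A64
    "-----END CERTIFICATE-----";

static int b64val(int c)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *q = c ? strchr(tbl, c) : NULL;
    return q ? (int)(q - tbl) : -1;
}

/* Checks the markers, the base64 alphabet, and that the length in the outer
 * DER SEQUENCE header equals the decoded byte count, so a dropped, duplicated
 * or truncated line in the C array is caught before the file is flashed.
 * Assumes one certificate of 256..65535 DER bytes (header 30 82 hi lo). */
int pem_check(const char *pem)
{
    static const char BEGIN[] = "-----BEGIN CERTIFICATE-----";
    const char *p = strstr(pem, BEGIN);
    const char *end = p ? strstr(p, "-----END CERTIFICATE-----") : NULL;
    unsigned long long first = 0;   /* first 8 symbols = first 6 DER bytes */
    size_t ndata = 0, pad = 0;

    if (!end) return PEM_NO_MARKERS;
    for (p += sizeof BEGIN - 1; p < end; p++) {
        int v = b64val((unsigned char)*p);
        if (*p == '\r' || *p == '\n') continue;   /* CRLF and LF both accepted */
        if (*p == '=') { pad++; continue; }
        if (v < 0 || pad) return PEM_BAD_CHAR;    /* stray byte, or data after '=' */
        if (ndata++ < 8) first = (first << 6) | (unsigned)v;
    }
    if (ndata < 8 || (ndata + pad) % 4 || pad > 2) return PEM_BAD_CHAR;
    if ((first >> 32) != 0x3082) return PEM_BAD_DER;
    return ((first >> 16 & 0xFFFF) + 4 == (ndata + pad) / 4 * 3 - pad)
               ? PEM_OK : PEM_BAD_DER;
}

int main(void) { return pem_check(sample_pem) == PEM_OK ? 0 : 1; }
```

A PEM_OK result only shows that the array is structurally intact; it says nothing about whether the certificate is the right trust anchor for the endpoint being contacted.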

  • Hi,

    When you changed the client ID, did you still encounter error -12 or are you encountering a different error now?
    Also, what root CA are you providing in certs.h? On my working setup, I am using the Verisign Class 3 Public Primary G5 root CA along with the non-ATS endpoint.

    Regards,
    Michael
  • Hi Michael,

    Subscribe_publish_example is working fine with the Verisign Class 3 Public Primary G5 root CA certificate (non-ATS endpoint).

    Working case:

    Certificate: Verisign Class 3 Public Primary G5 root CA
    https://docs.aws.amazon.com/iot/latest/developerguide/managing-device-certs.html
    Region: US East (Ohio)
    Endpoint: xxxxxxxxxxx.iot.us-east-2.amazonaws.com

    Not working case:

    Certificate: Amazon Root CA 1
    Region: US East (Ohio)
    Endpoint: xxxxxxxxxxx-ats.iot.us-east-2.amazonaws.com

    In conclusion:

    Subscribe_publish_example is working fine on non-ATS endpoints.

    In the Asia-Pacific region (Mumbai), the ATS endpoint is the only available endpoint.

    https://aws.amazon.com/blogs/iot/aws-iot-core-ats-endpoints/

    Thank you, Michael, for your help in debugging the issue.