I am developing an AWS IoT MQTT client on STM32H723 using FreeRTOS 10.3.1, LwIP 2.1.2 and MbedTLS 2.28.4. Through debugging and looking at Wireshark captures, it appears that this client is successfully completing the TLS handshake:
Time,Source,Destination,Protocol,Length,Info
0,10.0.0.11,54.156.47.148,TLSv1.2,336,Client Hello
0.016360719,54.156.47.148,10.0.0.11,TLSv1.2,150,Server Hello
0.001577507,54.156.47.148,10.0.0.11,TLSv1.2,685,Certificate
0.00001705,54.156.47.148,10.0.0.11,TLSv1.2,438,"Server Key Exchange, Certificate Request, Server Hello Done"
2.518046294,10.0.0.11,54.156.47.148,TLSv1.2,1329,"Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message"
0.015707564,54.156.47.148,10.0.0.11,TLSv1.2,60,Change Cipher Spec
0.000007277,54.156.47.148,10.0.0.11,TLSv1.2,99,Encrypted Handshake Message
... and then when it attempts to connect ...
0.001473909,10.0.0.11,54.156.47.148,TLSv1.2,193,Application Data
0.022366332,54.156.47.148,10.0.0.11,TLSv1.2,85,Encrypted Alert
... the IoT broker issues an encrypted alert which I believe to be a TLS close_notify, because it is followed by a TCP FIN shortly afterwards. I've confirmed in the debugger that the penultimate "Application Data" packet is in fact the MQTT connect.
I've been through all the AWS troubleshooting guides and my certificates are all good and I have my policy set to:

```json
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "iot:*", "Resource": "*" } ] }
```
Such that I can connect and publish to it with mosquitto_pub using any random client ID and topic. Furthermore, this client can connect to a local mosquitto broker that I have set up, and the decrypted dissection of the Wireshark capture of the successful MQTT CONNECT looks to be in order:
MQ Telemetry Transport Protocol, Connect Command
Header Flags: 0x10, Message Type: Connect Command
0001 .... = Message Type: Connect Command (1)
.... 0000 = Reserved: 0
Msg Len: 108
Protocol Name Length: 4
Protocol Name: MQTT
Version: MQTT v3.1.1 (4)
Connect Flags: 0x06, QoS Level: At most once delivery (Fire and Forget), Will Flag, Clean Session Flag
0... .... = User Name Flag: Not set
.0.. .... = Password Flag: Not set
..0. .... = Will Retain: Not set
...0 0... = QoS Level: At most once delivery (Fire and Forget) (0)
.... .1.. = Will Flag: Set
.... ..1. = Clean Session Flag: Set
.... ...0 = (Reserved): Not set
Keep Alive: 30
Client ID Length: 23
Client ID: XXXXXX-XXX_XXXXXXXXX_XX
Will Topic Length: 41
Will Topic: XXXXXXX/XXXX/NDEATH/XXXXXXXXXXX_XXXXX_XX/
Will Message Length: 28
Will Message: …
I'm kinda stuck at this point but my two questions are:
I have logging set to Debug (maximum verbosity) but I don't see any of my unsuccessful connections in my logs. I'm told that the logs only get generated after a connect has taken place. Is there any other way to get any visibility into why the IoT broker is rejecting my connections?
Are there any known issues with the stack (see above) I am using that could be causing this strange behavior?
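An added example, not part of the original post: a small MQTT 3.1.1 CONNECT encoder/parser in Python. The field values are placeholders of the same lengths as in the dissection above (23-byte client ID, 41-byte will topic, 28-byte will message, keep-alive 30, will + clean session), so it reproduces the 0x06 flag byte and the 108-byte remaining length shown, and a firmware's outgoing bytes can be diffed against a known-good frame.

```python
# Added example (not from the original post): build an MQTT 3.1.1 CONNECT
# packet with the same flags and field lengths as the Wireshark dissection,
# then parse it back and validate the framing.
import struct

def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 bits per byte, 0x80 = continuation."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append((byte | 0x80) if n else byte)
        if not n:
            return bytes(out)

def decode_remaining_length(data: bytes, pos: int = 1):
    """Return (remaining_length, offset of first variable-header byte)."""
    value, mult = 0, 1
    while True:
        b = data[pos]; pos += 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, pos
        mult *= 128
        if mult > 128 ** 3:          # spec allows at most 4 bytes
            raise ValueError("malformed remaining length")

def mqtt_str(s: bytes) -> bytes:
    """Length-prefixed (big-endian uint16) MQTT string."""
    return struct.pack("!H", len(s)) + s

def build_connect(client_id, keep_alive=30, will=None, clean_session=True):
    """will: (topic, message) or None. No username/password, as in the capture."""
    flags = (0x02 if clean_session else 0) | (0x04 if will else 0)
    var_header = mqtt_str(b"MQTT") + bytes([4, flags]) + struct.pack("!H", keep_alive)
    payload = mqtt_str(client_id)
    if will:
        payload += mqtt_str(will[0]) + mqtt_str(will[1])
    body = var_header + payload
    return bytes([0x10]) + encode_remaining_length(len(body)) + body

def parse_connect(pkt: bytes) -> dict:
    """Decode a CONNECT frame; raises on bad fixed header or length mismatch."""
    if pkt[0] != 0x10:
        raise ValueError("not a CONNECT packet (reserved flag bits must be 0)")
    rem_len, pos = decode_remaining_length(pkt)
    if len(pkt) - pos != rem_len:
        raise ValueError("remaining length does not match packet size")
    def read_str():
        nonlocal pos
        (n,) = struct.unpack_from("!H", pkt, pos); pos += 2
        s = pkt[pos:pos + n]; pos += n
        return s
    info = {"proto": read_str(), "level": pkt[pos], "flags": pkt[pos + 1]}
    info["keep_alive"] = struct.unpack_from("!H", pkt, pos + 2)[0]; pos += 4
    info["client_id"] = read_str()
    if info["flags"] & 0x04:
        info["will_topic"], info["will_msg"] = read_str(), read_str()
    info["remaining_length"] = rem_len
    return info
```

`parse_connect(build_connect(b"X" * 23, will=(b"W" * 41, b"M" * 28)))` yields flags 0x06 and remaining length 108, matching the dissection; feeding it bytes captured from the device is a quick way to spot a framing mistake before the broker's encrypted alert does.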