-
Notifications
You must be signed in to change notification settings - Fork 457
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to connect MxChip DevKit as leaf device to IoT Edge #871
Comments
This is a known issue that @ArthurMa1978 from devkit team is looking into. |
@veyalla, from devkit side, the issue is coming from the TLS handshake step when client want to verify the cert list from server side (IoT Edge) because the cert list is not ordered which not follow TLS v1.2.
The TLS 1.3 have the flexibility to support arbitrary orderings, but unfortunately mbedtls only support TLS v1.2. |
This is for both MQTT and AMQP? |
@myagley I have only tested with MQTT. Best I can tell, the MxChip DevKit-SDK port only supports MQTT. |
Yes, only MQTT.
|
I just ran |
@myagley |
After talking to the dotnet team, it appears like it is an issue in the dotnet core runtime on linux. I'll keep this issue updated when we know more about a fix. |
Before dotnet core fix the order issue, not sure if IoT Edge can short the number of server cert return to client during the handshake? |
To un-block this case quickly, I have sent a PR #2491 to mbedtls that can sort the cert chain before verify. |
Thanks @ArthurMa1978 |
A release candidate for 1.0.8 was just released. You can try it out using the 1.0.8-rc1 tag on your images. Packages for the daemon are located here: https://github.com/Azure/azure-iotedge/releases/tag/1.0.8-rc1 |
ok, I'll try it when I get a chance (probably next week) |
Just a note here that this scenario already works now even with 1.07 as long as you use the latest MxChip firmware, because a mitigation has been submitted. So in order to truly verify the bug is fixed correctly in the runtime you will need to use a device/firmware that still exposes the bug (e.g. an older MxChip firmware) |
I have one :-) thx for the heads up... |
Thanks for the heads up @wickste! |
FYI - Sorry for the delays. I won't bore you with excuses.. I just tried this with my MXChip and Edge 1.0.7.1 and @ArthurMa1978 's excellent example at https://github.com/IoTDevEnvExamples/DevKit2IoTEdge and it worked fine. MXChip was able to connect over MQTTS to my IoT Edge box and start sending data.. interestingly, I notice that the "depth" part of the iot edge cert dump (from openssl connect command is in order), but the 'certificate' chain isn't.. I assume it's the first part that counts from a TLS perspective? stevebus@sdbubuntu2:~$ openssl s_client -connect sdbubuntu2.centralus.cloudapp.azure.com:8883
|
I updated my hub to 1.0.8 and tried to validate it against the MXChip board version 1.5.1 (does not contain the mbedtls workaround). This issue still repros for me. |
@ArthurMa1978 how did we figure out that this was due to certificate ordering issues to begin with? Is it possible to run the same command/test with our 1.0.8 version to see if it has changed? |
@myagley look above, he used |
This is my cert chain. Does this look correct?
|
yes, that chain looks correct... as I mentioned earlier above, the odd thing was that one of the lists (the top one) was in the correct order, but the bottom one in the openssl command, which is labeled certificate chain, was not).. I just re-tested with a fresh 1.0.8 box, and both lists are now in the correct order (see output below), so I assume that something changed between 1.0.7.1 and 1.0.8. The only MXChip test I've done lately was based on ArturMa's sample referenced above (which I assume has the MBED fix in it), so I can't say if it works without the fix. (primarily because I can't get the iot-central-firmware MXChip sample to build any more) CONNECTED(00000003)
|
Yes, we picked up a newer version of the dotnet runtime which has the fix for the cert ordering issue in 1.0.8. Note, that using an IP address for the hostname is unlikely to work properly. This will not validate properly during TLS. You will need to use a real hostname for the device and make sure that the mxchip can resolve the hostname to ip address properly. |
actually, using IP address works fine, as long as you also use the IP address in the hostname parameter in config.yaml. Edge will generate the edge TLS cert with the IP address as the CN and the cert verification works fine.. at least for every client I've tried so far with it (including the MXChip, which is the first place I tried it because i didn't have access to a DNS server :-) ) |
FYI: IP address cert is working fine for me. Trying to repro the issue on 1.0.7 and 1.0.6, but it looks like the edge container picks up the current version of the dotnet runtime so the cert order are correct for these version now. With version 1.6.2 and higher of the MXChip, everything is working correctly. |
Interesting about the IP address. I didn't realize that would work. IoT Edge bundles the runtime inside the container so it;s not possible to pick it up from anywhere. The only version with the fixed version of the dotnet runtime is 1.0.8. |
This issue is being marked as stale because it has been open for 30 days with no activity. |
Closing this issue as was fixed in 1.0.8. Please re-open as needed. |
Configuring an MxChip devkit device as leaf device for IoT Edge I am unable to make a successful connection. I am following this guide: https://docs.microsoft.com/en-us/azure/iot-edge/how-to-connect-downstream-device#use-certificates-with-azure-iot-sdks
As a datapoint, after making the (undesirable) firmware change to disable verification in mbedtls, the connection works successfully:
mbedtls_ssl_conf_authmode(&tls_io_instance->config, MBEDTLS_SSL_VERIFY_NONE);
Expected Behavior
Device should connect as leaf deviceto IoT Edge. I have been successful with the same steps using Windows (using .NET SDK) and Ubuntu 18.04 (using C SDK as well as .NET SDK) as leaf devices.
Current Behavior
Device attempts to connect to the Edge gateway, but it appears the TLS handshake is failing.
Steps to Reproduce
Result: device attempts to connect to the gateway, but the TLS handshake fails
Context (Environment)
MxChip devkit with "Ubuntu Server 16.04 LTS + Azure IoT Edge runtime" VM in Azure
Device (Host) Operating System
Ubuntu 16.04 LTS
Architecture
amd64
Container Operating System
Linux
Runtime Versions
iotedged
iotedge 1.0.6.1
Edge Agent
1.0
Edge Hub
1.0
Docker
3.0.3, build 48bd4c6d
Logs
from iotedge logs edgeHub -f:
Additional Information
The text was updated successfully, but these errors were encountered: