Regression: 1.1.1 fails to connect to AWS IOT over TLS; works with 1.1.0

[Typhlosaurus]

• [Yes ] Bug exists Release Version 1.1.1 ( Master Branch)
• [ Yes] Bug exists in Snapshot Version
  Version 1.1.2-SNAPSHOT (Develop Branch) (currently identical to 1.1.1)

MQTT newby here...

Using the amazon sdk to communicate with the AWS IoT server using MQTT over TLS in eu-west-1 has started to fails since 1.1.1 of paho.mqhtt.java was released. When attempting to connect a 403 is reported (actually reported as a "WebSocket Response header: Incorrect connection header" in org.eclipse.paho.client.mqttv3.internal.websocket.WebSocketHandshake due to the missing connection header rather than the status code).

Switching back to mqttv3 1.1.0 restores the ability to connect.

AWS SDK version: com.amazonaws:aws-iot-device-sdk-java:1.1.0

I'm afraid someone else is going to have to help with any tracing details - if they're needed could someone tell me how to enable them.

If this is a known/suspected AWS IoT issue I'd be grateful for some information to pass on to them - I've assumed it is not due to 1.1.0 still working.

WARNING: Connect request failure
MqttException (0) - java.io.IOException: WebSocket Response header: Incorrect connection header
	at org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:38)
	at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:690)
	at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: WebSocket Response header: Incorrect connection header
	at org.eclipse.paho.client.mqttv3.internal.websocket.WebSocketHandshake.receiveHandshakeResponse(WebSocketHandshake.java:144)
	at org.eclipse.paho.client.mqttv3.internal.websocket.WebSocketHandshake.execute(WebSocketHandshake.java:74)
	at org.eclipse.paho.client.mqttv3.internal.websocket.WebSocketSecureNetworkModule.start(WebSocketSecureNetworkModule.java:77)
	at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:676)
	... 1 more

[jpwsutton]

Could this be related to: aws/aws-iot-device-sdk-java#5

[Typhlosaurus]

@jpwsutton I doubt it as the exception is different (my apologies: I added the exception details after you wrote your comment) and I do not need to disconnect/reconnect the network to generate the error - it happens whenever I try to connect using 1.1.1 (and has been reproduced in 3 environments - developer running on MacOs, developer on Windows and build server running linux).

[sandyperez]

Same problem here, downgrading to version 1.1.0 solves it. Best regards.

[beersheba]

AWS IoT is still incompatible with Paho > 1.1.0, throwing java.io.IOException: WebSocket Response header: Incorrect upgrade. There is 1.2.0 allready. Any advice how it can be resolved?

[jpwsutton]

Would it be possible with someone who has access to the AWS IoT service to copy and paste me a copy of a working example of their webockets header exchange please?

It looks like the upgrade part of the exchange is incorrect, but without seeing it I can't fix anything...

[jpwsutton]

@Typhlosaurus, @beersheba, @sandyperez, If anyone could send me a copy of the headers returned from AWS that would be great, otherwise I will try and recreate this when I get the opportunity.

[desokroshan]

@jpwsutton Following is snapshot of header returned by the AWS:

Please let me know if you need anything else.

[desokroshan]

Any updates on this?

[EddieRingle]

@jpwsutton @desokroshan I'm hitting this issue as well. Below are the request headers from both 1.1.0 as well as 1.2.1, where the latter gets the 403 response from AWS. Confidential details have been snipped, of course.

1.1.0 request headers:

GET /mqtt?X-Amz-Algorithm=<snip...> HTTP/1.1
Host: <snip...>.iot.us-east-1.amazonaws.com:443
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: bXF0dC0xNTUzNjI4MDg3
Sec-WebSocket-Protocol: mqttv3.1
Sec-WebSocket-Version: 13

1.2.1 request headers:

GET /mqtt?X-Amz-Algorithm=<snip...> HTTP/1.1
Host: <snip...>.iot.us-east-1.amazonaws.com
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: Y2Y2YzFhOGMtZTM4OS00ZA==
Sec-WebSocket-Protocol: mqtt
Sec-WebSocket-Version: 13

So, the differences from what I can see:

• Host header has a port specified in 1.1.0, but not in 1.2.1
• Sec-WebSocket-Protocol is using a non-standard 'mqttv3.1' in 1.1.0, and the standard 'mqtt' in 1.2.1 (See 3ddb38b)

[EddieRingle]

After modifying the latest develop branch to include the port number again, I made it past the Upgrade error but then entered a loop of connects/disconnects. (I'm using the AWS Java SDK: https://github.com/aws/aws-iot-device-sdk-java)

[aliozgun]

Is there any update on this issue? Using 1.1.0 at this point is not helping anymore. Iot-device-stk is brought down to 1.0.1

Thanks
Ali

[desokroshan]

@jpwsutton @icraggs Is there any update on this. AWS SDK for Android depends on paho and is unable to upgrade because of this error. This prevents us from using the bug fixes and features in the latest paho version. Can we have some idea of timeline for this?

[icraggs]

The latest release of the Paho Java client is 1.2.1. I presume this is still not working.

Does the same error occur if the connection attempt is made outside of Android, in a 'plain' Java environment? If so, that will make it easier to find and fix.

Can anyone supply a trace or other details of the protocol exchange? I'd hope not to have to create an AWS account to try this out. I could put some more debug info into the trace if necessary.

[aliozgun]

When I replayed the same update HTTP request from Postman I got signature error. It looks like the signature calculation is incorrect.

[icraggs]

Ah sorry, I hadn't seen the update request above posted.

[aliozgun]

Sorry I meant the HTTP upgrade request for websocket. That request fails with signature error and does not have the necessary response headers.

[desokroshan]

@icraggs I have tried with the 1.2.1 and am still getting the same error. Only version it works with is 1.1.0. Please let me know if you need anything else. This is blocking quite a few of our customers from using AWS IoT, so we would really appreciate a speedy resolution.

[icraggs]

Thanks. I think the post from @EddieRingle could contain the key in the handshake:

Sec-WebSocket-Protocol: mqttv3.1

We should hopefully be able to try it out. If anyone else can in the meantime, we could get a fix out quick.

[desokroshan]

The problem is not with Sec-WebSocket-Protocol being mqtt but with the missing port number in host header for websocket request. I have verified that adding the port back fixes the issue. I have issued a PR(referenced above) with the required fix.

[icraggs]

Ah yes, thanks. I've merged your fix, so we should be good to go in the next release.

[desokroshan]

Thanks! When can we expect next release to go out?

[icraggs]

I'll get one out next week - now there are two significant fixes.

By the way, once you were successfully connected, did things work as expected?

[desokroshan]

I'll get one out next week - now there are two significant fixes.

Thanks that would be great!

By the way, once you were successfully connected, did things work as expected?

Yes. I was able subscribe and publish messages successfully.

[icraggs]

1.2.2 release created.