AWS IoT: Just-in-Time Registration of Certificate in Android

0 votes

So, I'm attempting to integrate the JITR using this article.

So, I've been able to get through to authenticate the certificate using the command-line 'mosquitto_pub'.

When I run the 'mosquitto_pub' command, it calls the Lambda function to authorize the certificate and attaches the policy. It then publishes the message to IoT successfully.

This is the command I've used.

mosquitto_pub --cafile ../root.cert --cert hassanAndCACert.crt --key hassan.key -h <###>.iot.us-east-1.amazonaws.com \
  -p 8883 -q 1 -t topic5 -i 123456789 --tls-version tlsv1.2 -m '{"hello":"3"}' -d

But when I try to authenticate this in the Android SDK, I get a 'handshake failed' error, like so.

MqttException (0) - javax.net.ssl.SSLHandshakeException: Handshake failed
    at org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:38)
    at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:664)
    at java.lang.Thread.run(Thread.java:818)
Caused by: javax.net.ssl.SSLHandshakeException: Handshake failed
    at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:441)
    at org.eclipse.paho.client.mqttv3.internal.SSLNetworkModule.start(SSLNetworkModule.java:93)
    at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:650)
    ... 1 more
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake terminated: ssl=0xb91e9b40: Failure in SSL library, usually a protocol error
error:100c5416:SSL routines:ssl3_read_bytes:SSLV3_ALERT_CERTIFICATE_UNKNOWN (external/boringssl/src/ssl/s3_pkt.c:972 0xb9215530:0x00000001)
    at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
    at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:353)

I've noticed, however, if the device-certificate is already active when we try to publish message through Android, it gets published without errors. The only problem is to authenticate the certificate at first call.

The only difference I see between the mosquitto call and the Android code is that Paho MQTT in the AWS SDK needs to connect first before publishing, while mosquitto connects and publishes the message in a single command.

Dec 26, 2018 in IoT (Internet of Things) by Shubham
• 13,190 points
158 views

1 answer to this question.

0 votes

So, the SSL/TLS Handshake can fail due to a bunch of different reasons, like so.

  • Not sharing same cipher suites
  • Not sharing SSL versions
  • Certificate validation
  • Intent to change TLS version
  • Other issues

The approach I would suggest for you to figure out the problem is to install Wireshark and see the handshake messages. 

After that you will have more information on the SSL handshake failure, based on the SSL alert message sent from the server to the client and, more importantly, on where specifically it happened.

You could try the following:

answered Dec 26, 2018 by Upasana
• 8,430 points
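To make the answer's advice concrete: the server's alert is the piece of the handshake worth reading first, and the Android stack trace above already carries it (SSLV3_ALERT_CERTIFICATE_UNKNOWN is BoringSSL's name for TLS alert 46, certificate_unknown, sent by AWS IoT when it does not recognize the client certificate presented). The script below is an added example, not code from the question or the answer: it decodes raw TLS alert records of the kind Wireshark would show on the wire, and also pulls the alert name out of an Android/BoringSSL exception string. The alert codes come from RFC 5246; the byte stream is constructed for the example, not captured from the asker's device.

```python
"""Decode TLS alert records and BoringSSL alert names (added example).

Codes follow RFC 5246 (TLS 1.2). SAMPLE_STREAM is constructed, not a real capture.
"""
import re
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

# Alert levels and descriptions (RFC 5246, section 7.2; subset of the IANA registry)
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    47: "illegal_parameter",
    48: "unknown_ca",
    49: "access_denied",
    70: "protocol_version",
    71: "insufficient_security",
    80: "internal_error",
    112: "unrecognized_name",
}


def parse_records(data: bytes):
    """Split a TLS byte stream into (content_type, version, payload) records."""
    records = []
    offset = 0
    while offset + 5 <= len(data):
        # 5-byte record header: type (1), version (2), length (2), big-endian
        ctype, version, length = struct.unpack("!BHH", data[offset:offset + 5])
        payload = data[offset + 5:offset + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record at offset %d" % offset)
        records.append((ctype, version, payload))
        offset += 5 + length
    if offset != len(data):
        raise ValueError("trailing bytes after last TLS record")
    return records


def decode_alert(payload: bytes) -> dict:
    """Decode the 2-byte alert body (level, description) into names."""
    if len(payload) != 2:
        raise ValueError("alert payload must be exactly 2 bytes")
    level, desc = payload  # iterating bytes yields ints
    return {
        "level": ALERT_LEVELS.get(level, "unknown(%d)" % level),
        "description": ALERT_DESCRIPTIONS.get(desc, "unknown(%d)" % desc),
        "code": desc,
    }


def find_alerts(data: bytes):
    """Return every alert in the record stream, decoded, in wire order."""
    return [decode_alert(p) for ctype, _, p in parse_records(data) if ctype == 21]


# BoringSSL reports received alerts as SSLV3_ALERT_<NAME>, e.g. in the Android trace above.
ALERT_NAME_RE = re.compile(r"SSLV3_ALERT_([A-Z_]+)")


def alert_from_exception(text: str):
    """Map the alert name inside an Android/BoringSSL error string to its TLS code."""
    match = ALERT_NAME_RE.search(text)
    if not match:
        return None
    name = match.group(1).lower()
    for code, desc in ALERT_DESCRIPTIONS.items():
        if desc == name:
            return {"code": code, "description": desc}
    return {"code": None, "description": name}


# Constructed sample of the server-to-client direction: an (empty) ServerHelloDone
# handshake record followed by a fatal certificate_unknown alert.
SAMPLE_STREAM = (
    bytes([22, 0x03, 0x03, 0x00, 0x04]) + bytes([0x0E, 0x00, 0x00, 0x00])
    + bytes([21, 0x03, 0x03, 0x00, 0x02]) + bytes([2, 46])
)

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_STREAM):
        print("%(level)s alert %(description)s (%(code)d)" % alert)
    print(alert_from_exception("error:100c5416:SSL routines:ssl3_read_bytes:SSLV3_ALERT_CERTIFICATE_UNKNOWN"))
```

In a Wireshark capture, filter on `tls.alert_message` (or `ssl.alert_message` in older versions) and compare the record the server sends with the output above; a level 2 alert 46 means the server rejected the client's certificate during the handshake, which is a different failure from a cipher-suite or protocol-version mismatch (alerts 40 and 70) and points the investigation at the certificate and CA the Android client presents.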
