Aws-iot-device-sdk-python-v2: AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE 1.0.6 (awscrt 0.5.13)

Created on 2020-04-15  ·  17 comments  ·  Source: aws/aws-iot-device-sdk-python-v2

Describe the bug
After upgrading my installation to awsiotsdk-1.0.6 it stopped working: awscrt is unable to authenticate against the AWS backend. Possibly related to the awscrt upgrade to 0.5.13.

SDK version number
awsiotsdk-1.0.6

Platform/OS/Device
rpi3b+

To Reproduce (observed behavior)
Upgrade awsiotsdk to version 1.0.6

Expected behavior
Should work as expected.

Logs/output

Apr 15 06:55:01 raspberrypi python3[581]: Connecting to something-east-1.amazonaws.com with client ID 'foo-bar-baz'...
Apr 15 06:55:01 raspberrypi python3[581]: Traceback (most recent call last):
Apr 15 06:55:01 raspberrypi python3[581]:   File "app.py", line 86, in <module>
Apr 15 06:55:01 raspberrypi python3[581]:     connect_future.result()
Apr 15 06:55:01 raspberrypi python3[581]:   File "/usr/lib/python3.7/concurrent/futures/_base.py", line 432, in result
Apr 15 06:55:01 raspberrypi python3[581]:     return self.__get_result()
Apr 15 06:55:01 raspberrypi python3[581]:   File "/usr/lib/python3.7/concurrent/futures/_base.py", line 384, in __get_result
Apr 15 06:55:01 raspberrypi python3[581]:     raise self._exception
Apr 15 06:55:01 raspberrypi python3[581]: awscrt.exceptions.AwsCrtError: AwsCrtError(name='AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE', message='TLS (SSL) negotiation failed', code=1029)
Apr 15 06:55:01 raspberrypi systemd[1]: app.service: Main process exited, code=exited, status=1/FAILURE
guidance

All 17 comments

I'm running into the same issue.

Came across your post while searching for a similar issue with the CPPv2 SDK, which I believe is based on the same underlying functionality. I found that the CPPv2 SDK tries to validate the full chain of trust, not just the CA certificate I provided, but the full chain of trust did not exist on my device. By copying /etc/ssl/certs/ca-certificates.crt from my Ubuntu machine onto my device and passing it to the Aws::Iot::MqttClientConnectionConfigBuilder::WithCertificateAuthority() method, I was able to supply a complete trust store. Not sure what the Python equivalent of this method is, but it must exist. Hope this hint helps you!

Update: in the latest release of the C++ SDK I also saw that S2N (the AWS TLS stack) would choose ECDSA for signing, but the released version of the code base did not support that.

@jsakwa's suggestion seems plausible.
Can you run samples/pubsub.py with the --root-ca flag set? Normally you would pass the Amazon Root CA 1 file provided here

@graebm, I don't have the bandwidth to test atm. Does it work for you? If it does, that would feel unnatural, because the docs clearly state that switch should be used if the root of trust is not already installed on your machine, and it is on mine (it works after downgrading).

@graebm I just tested again. Version 1.0.5 works fine. The problem appears with version 1.0.6. I'm using a certificate signed by the CA you mentioned (not the deprecated one).

This test was run in a Docker container using pubsub.py with --root-ca

Here is an excerpt of the debug output:

(...)

[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfc006320: Scheduling attempt_connection task for immediate execution
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfc006320: Running attempt_connection task with <Running> status
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: initializing with domain 1 and type 0
Unsupported setsockopt level=1 optname=16384
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: setting socket options to: keep-alive 0, keep idle 0, keep-alive interval 0, keep-alive probe count 0.
[WARN ] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: setsockopt() for NO_SIGNAL failed with errno 92. If you are having SIGPIPE signals thrown, you may want to install a signal trap in your application layer.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: beginning connect.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: connecting to endpoint [redacted]:443.
[ERROR] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: connect failed with error code 99.
[INFO ] [2020-04-25T22:14:14Z] [fdeff460] [dns] - id=0xff2df650: recording failure for record [redacted] for [redacted].iot.us-east-1.amazonaws.com, moving to bad list
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [dns] - static: purging address [redacted] for host [redacted].iot.us-east-1.amazonaws.com from the cache due to cache eviction or shutdown
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: is still open, closing...
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: closing
[ERROR] [2020-04-25T22:14:14Z] [fdeff460] [channel-bootstrap] - id=0xff3109a0: failed to create socket with error 1055
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfc006450: Scheduling attempt_connection task for immediate execution
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfc006450: Running attempt_connection task with <Running> status
Unsupported setsockopt level=1 optname=16384
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: initializing with domain 0 and type 0
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: setting socket options to: keep-alive 0, keep idle 0, keep-alive interval 0, keep-alive probe count 0.
[WARN ] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: setsockopt() for NO_SIGNAL failed with errno 92. If you are having SIGPIPE signals thrown, you may want to install a signal trap in your application layer.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: beginning connect.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: connecting to endpoint [redacted]:443.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd503440: Scheduling (null) task for future execution at time 3166071860135
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd503488: Scheduling epoll_event_loop_unsubscribe_cleanup task for immediate execution
[INFO ] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: connection success
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: local endpoint 172.17.0.2:58438
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: assigning to event loop 0xff281f60
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel-bootstrap] - id=0xff3109a0: client connection on socket 0xfd502a50 completed with error 0.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel] - id=0xfd504088: Beginning creation and setup of new channel.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd503c48: Scheduling on_channel_setup_complete task for immediate execution
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd503488: Running epoll_event_loop_unsubscribe_cleanup task with <Running> status
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd503c48: Running on_channel_setup_complete task with <Running> status
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel] - id=0xfd504088: setup complete, notifying caller.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel] - id=0xfd504088: no message pool is currently stored in the event-loop local storage, adding 0xfd504740 with max message size 16384, message count 4, with 4 small blocks of 128 bytes.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel-bootstrap] - id=0xff3109a0: channel 0xfd504088 setup succeeded: bootstrapping.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket-handler] - id=0xfd514e68: Socket handler created with max_read_size of 16384
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd515038: Scheduling tls_timeout task for future execution at time 3165183175311
[WARN ] [2020-04-25T22:14:14Z] [fdeff460] [tls-handler] - id=0xfd515020: negotiation failed with error Invalid signature algorithm (Error encountered in /tmp/pip-wheel-tiv_gdev/awscrt/aws-common-runtime/s2n/tls/s2n_client_cert_verify.c line 96)
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel-bootstrap] - id=0xff3109a0: tls negotiation result 1029 on channel 0xfd504088
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd5041c8: Scheduling channel_shutdown task for immediate execution
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel] - id=0xfd504088: Channel shutdown is already pending, not scheduling another.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd5041c8: Running channel_shutdown task with <Running> status
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel] - id=0xfd504088: beginning shutdown process
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel] - id=0xfd504088: handler 0xfd514e68 shutdown in read dir completed.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [tls-handler] - id=0xfd515020: Shutting down read direction with error code 1029
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel] - id=0xfd504088: handler 0xfd515020 shutdown in read dir completed.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd5040a0: Scheduling (null) task for immediate execution
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd5040a0: Running (null) task with <Running> status
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [tls-handler] - id=0xfd515020: Shutting down write direction
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel] - id=0xfd504088: handler 0xfd515020 shutdown in write dir completed.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: closing
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd503c00: Scheduling epoll_event_loop_unsubscribe_cleanup task for immediate execution
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd514ec8: Scheduling socket_handler_close task for immediate execution
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd503c00: Running epoll_event_loop_unsubscribe_cleanup task with <Running> status
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd514ec8: Running socket_handler_close task with <Running> status
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel] - id=0xfd504088: handler 0xfd514e68 shutdown in write dir completed.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd5040a0: Scheduling (null) task for immediate execution
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd5040a0: Running (null) task with <Running> status
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel] - id=0xfd504088: during shutdown, canceling task 0xfd515038
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd515038: Running tls_timeout task with <Canceled> status
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel-bootstrap] - id=0xff3109a0: channel 0xfd504088 shutdown with error 1029.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel] - id=0xfd504088: destroying channel.
Traceback (most recent call last):
  File "/opt/controller/pubsub.py", line 141, in <module>
    connect_future.result()
  File "/usr/local/lib/python3.7/concurrent/futures/_base.py", line 435, in result
    return self.__get_result()
  File "/usr/local/lib/python3.7/concurrent/futures/_base.py", line 384, in __get_result
    raise self._exception
awscrt.exceptions.AwsCrtError: AwsCrtError(name='AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE', message='TLS (SSL) negotiation failed', code=1029)
[DEBUG] [2020-04-25T22:14:14Z] [ff37c010] [mqtt-client] - id=0xff3408e0: user called disconnect.
[ERROR] [2020-04-25T22:14:14Z] [ff37c010] [mqtt-client] - id=0xff3408e0: Connection is not open, and may not be closed
[DEBUG] [2020-04-25T22:14:14Z] [ff37c010] [mqtt-client] - id=0xff3408e0: Destroying connection
[DEBUG] [2020-04-25T22:14:14Z] [ff37c010] [mqtt-topic-tree] - tree=0xff340960: Cleaning up topic tree
[DEBUG] [2020-04-25T22:14:14Z] [ff37c010] [mqtt-client] - client=0xfe8bff28: Cleaning up MQTT client
[DEBUG] [2020-04-25T22:14:14Z] [ff37c010] [channel-bootstrap] - id=0xff3109a0: releasing bootstrap reference
[DEBUG] [2020-04-25T22:14:14Z] [ff37c010] [channel-bootstrap] - id=0xff3109a0: destroying

Hmm... we did recently update our cipher preferences. Any chance you could get a Wireshark capture of the TLS handshake and post the client and server hello messages?

@JonathanHenson @graebm, if it uses the same S2N stack as the CPPv2 SDK: I observed that with the latest SDK release v1.5.5 on my system this also fails because the device advertises ECDSA support, but the S2N stack only supports RSA, and it chooses ECDSA during negotiation. adolfogc's log looks identical to mine in that specific failure mode.

I tried pulling in the S2N version on master, which should support ECDSA, but at least on my system that also fails, because it somehow tries to use an ECDSA key from the RSA code path. I intended to fix this and submit a pull request to S2N, but haven't gotten to it yet.

I'm currently using v1.5.1 of the CPPv2 SDK, which negotiates to always use RSA in the challenge step

OK, I know where to look now, but is there any chance you could get me a screenshot of the handshake so I can go look at the s2n side of this?

@JonathanHenson, is the following sufficient?

Client Hello: [screenshot]

Server Hello: [screenshot]

Handshake: [screenshot]

Was the alert sent from the client or the server?
Also, it looks like SNI is empty? That would also cause the negotiation to fail. What server name did you set?

@JonathanHenson I was using the old endpoint (<endpoint-id>.iot.us-east-1.amazonaws.com); I switched to the ATS endpoint (<endpoint-id>-ats.iot.us-east-1.amazonaws.com) and now it works. Thanks for your help!

According to https://aws.amazon.com/blogs/iot/aws-iot-core-ats-endpoints/ we should switch to -ats as soon as possible, @adolfogc, @JonathanHenson?

@mkozjak I did, and that solved the problem

Thanks Mario for sharing the link to that post here. Again: https :

The default configuration of the V2 device SDKs will no longer work with the old non-ATS endpoints. Run aws --region <region> iot describe-endpoint --endpoint-type "iot:Data-ATS" to get the ATS endpoint.

I was running into persistent TLS negotiation failures with the aws iot python sdk v2 despite using the -ats endpoint, as suggested in the aws blog, but was able to solve the problem by switching the root certificate from the G2-RootCA1 certificate to the AmazonRootCA1 certificate.
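An added pre-flight check for the two causes this thread settled on, the legacy non-ATS endpoint and a mismatched root CA file. This is my own example, not code from the SDK or from anyone in the thread: classify_endpoint() only parses the hostname and tells you which endpoint the v2 SDK should be pointed at; tls_preflight() opens a raw mTLS connection with the standard library, trusting only the supplied root CA (like --root-ca) and sending SNI explicitly, and reports what was negotiated. The endpoint id and file paths are placeholders.

```python
import re
import socket
import ssl

# AWS IoT data endpoint: "<id>.iot.<region>.amazonaws.com", with an optional
# "-ats" suffix on the id for the Amazon Trust Services endpoint.
_ENDPOINT_RE = re.compile(
    r"^(?P<id>[a-z0-9]+)(?P<ats>-ats)?\.iot\.(?P<region>[a-z0-9-]+)\.amazonaws\.com$"
)


def classify_endpoint(endpoint):
    """Parse an IoT endpoint hostname and flag the legacy (non-ATS) form.

    Returns the region, whether the host is an ATS endpoint, and the endpoint
    the v2 SDK should use. Raises ValueError for anything else.
    """
    m = _ENDPOINT_RE.match(endpoint.strip().lower())
    if m is None:
        raise ValueError("not an AWS IoT data endpoint: %r" % endpoint)
    is_ats = m.group("ats") is not None
    recommended = m.group(0) if is_ats else "%s-ats.iot.%s.amazonaws.com" % (
        m.group("id"), m.group("region"))
    return {
        "endpoint": m.group(0),
        "region": m.group("region"),
        "is_ats": is_ats,
        # Per the maintainer comment above, the v2 SDK's default configuration
        # only works against the ATS endpoint.
        "recommended_endpoint": recommended,
        "port": 8883,  # MQTT over mTLS, the port Justin had to pass explicitly
    }


def tls_preflight(endpoint, cert_path, key_path, ca_path, port=8883, timeout=10.0):
    """Open a raw mTLS connection the way the SDK would and report the result.

    Trusts only the supplied root CA file, sends SNI explicitly (an empty SNI
    was one suspect above), and returns the negotiated protocol and cipher,
    or raises ssl.SSLError carrying the handshake failure reason.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_path)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert_path, key_path)
    with socket.create_connection((endpoint, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=endpoint) as tls:
            return {"protocol": tls.version(), "cipher": tls.cipher()[0]}


if __name__ == "__main__":
    info = classify_endpoint("abcdef123456.iot.us-east-1.amazonaws.com")  # constructed id
    if not info["is_ats"]:
        print("legacy endpoint; use", info["recommended_endpoint"])
```

Run tls_preflight() with the recommended endpoint, your device certificate and key, and the AmazonRootCA1 file; a failure surfaces as an ssl.SSLError whose message names the step that broke, which is more than the SDK's generic code 1029 tells you.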

Hi there,
When migrating from the old sdk to v2 (v1.5.0), I was stuck on this error for 2 hours, even though I tried in multiple environments: Windows10, Ubuntu18 and MacOS.

The old sdk sample basicPubSub.py works fine with my key, certificate and rootCA1
but the new sdk sample pubsub.py does not work with the same key and policy

[ERROR] [2020-09-25T11:11:31Z] [00004ed8] [socket] - id=000001A7825DF580 handle=0000000000000320: connect completion triggered with error -1073741305
[ERROR] [2020-09-25T11:11:31Z] [00004ed8] [socket] - id=000001A7825DF580 handle=0000000000000320: connection error with code 1055
[INFO] [2020-09-25T11:11:31Z] [00004ed8] [dns] - id=000001A7802A2780: recording failure for record xxx for xxx-ats.iot.ap-southeast-1.amazonaws.com, moving to bad list
[ERROR] [2020-09-25T11:11:31Z] [00004ed8] [tls-handler] - id=000001A782BE3580: Error during negotiation. SECURITY_STATUS is -2146892953
[ERROR] [2020-09-25T11:11:31Z] [00004ed8] [socket] - id=000001A7825E0C00 handle=000000000000032C: WriteFile() failed with error 64

I had to pass the port to make it work, hope it helps you too.

mqtt_connection_builder.mtls_from_path(
    ...
    port=8883)

Regards,
Justin

Sorry you ran into trouble, Justin. Have you tried the pubsub sample policy given in the samples README?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Publish", "iot:Receive"],
      "Resource": ["arn:aws:iot:region:account:topic/test/topic"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Subscribe"],
      "Resource": ["arn:aws:iot:region:account:topicfilter/test/topic"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": ["arn:aws:iot:region:account:client/test-*"]
    }
  ]
}

If that doesn't work and you're still stuck, feel free to open a new issue. We can't guarantee we'll see messages on resolved issues.
