This repository has been archived by the owner on Jan 16, 2024. It is now read-only.

SampleApp couldn't establish connection. #178

Closed
xiaow6 opened this issue Sep 21, 2017 · 4 comments

Comments


xiaow6 commented Sep 21, 2017

We have a problem establishing a connection with AVS while we are testing RAR on SampleApp.
Before yesterday, we had disabled peer verification and it was okay to establish a connection.
In prepareForTLS, we changed SETOPT(handle, CURLOPT_SSL_VERIFYPEER, 2L) to SETOPT(handle, CURLOPT_SSL_VERIFYPEER, 0L).
But since yesterday, we couldn't establish a connection and the log repeatedly shows:
HTTP2Transport::establishConnection -> long downchannelResponseCode = m_downchannelStream->getResponseCode(); return 0
E HTTP2Transport:networkLoopRetryingToConnect:reason=establishConnectionFailed,retryCount=1

Did the server modify its rules?

We tried to enable peer verification, but libcurl returns this error: Peer certificate cannot be authenticated with given CA certificates.
Do we need to load any specific certificates, and how do we implement that?

Some detailed log output printed by libcurl if we enable peer verification:

  • Hostname avs-alexa-na.amazon.com was found in DNS cache
  • Trying 54.239.25.188...
  • TCP_NODELAY set
  • Connected to avs-alexa-na.amazon.com (54.239.25.188) port 443 (#2)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@strength
  • OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to avs-alexa-na.amazon.com:443
  • stopped the pause stream!
  • Closing connection 2

xiaow6 commented Sep 21, 2017

I did a test on our CA; this is the result of connecting to an example server:
root@TinaLinux:/etc# curl -vI https://www.example.com

  • Rebuilt URL to: https://www.example.com/
  • Trying 93.184.216.34...
  • TCP_NODELAY set
  • Connected to www.example.com (93.184.216.34) port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@strength
  • TLSv1.2 (OUT), TLS header, Certificate Status (22):
  • TLSv1.2 (OUT), TLS handshake, Client hello (1):
  • TLSv1.2 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (IN), TLS handshake, Server finished (14):
  • TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  • TLSv1.2 (OUT), TLS change cipher, Client hello (1):
  • TLSv1.2 (OUT), TLS handshake, Finished (20):
  • TLSv1.2 (IN), TLS change cipher, Client hello (1):
  • TLSv1.2 (IN), TLS handshake, Finished (20):
  • SSL connection using TLSv1.2 / AES128-GCM-SHA256
  • ALPN, server accepted to use h2
  • Server certificate:
  • subject: C=US; ST=California; L=Los Angeles; O=Internet Corporation for Assigned Names and Numbers; OU=Technology; CN=www.example.org
  • start date: Nov 3 00:00:00 2015 GMT
  • expire date: Nov 28 12:00:00 2018 GMT
  • subjectAltName: host "www.example.com" matched cert's "www.example.com"
  • issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
  • SSL certificate verify ok.
  • Using HTTP2, server supports multi-use
  • Connection state changed (HTTP/2 confirmed)
  • Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
  • Using Stream ID: 1 (easy handle 0x37018)

HEAD / HTTP/2
Host: www.example.com
User-Agent: curl/7.54.0
Accept: */*

  • Connection state changed (MAX_CONCURRENT_STREAMS updated)!
    < HTTP/2 200
    HTTP/2 200
    < content-encoding: gzip
    content-encoding: gzip
    < accept-ranges: bytes
    accept-ranges: bytes
    < cache-control: max-age=604800
    cache-control: max-age=604800
    < content-type: text/html
    content-type: text/html
    < date: Thu, 21 Sep 2017 06:06:21 GMT
    date: Thu, 21 Sep 2017 06:06:21 GMT
    < etag: "359670651+gzip"
    etag: "359670651+gzip"
    < expires: Thu, 28 Sep 2017 06:06:21 GMT
    expires: Thu, 28 Sep 2017 06:06:21 GMT
    < last-modified: Fri, 09 Aug 2013 23:54:35 GMT
    last-modified: Fri, 09 Aug 2013 23:54:35 GMT
    < server: ECS (cpm/F9FC)
    server: ECS (cpm/F9FC)
    < x-cache: HIT
    x-cache: HIT
    < content-length: 606
    content-length: 606


xiaow6 commented Sep 21, 2017

And here are the same steps connecting to the target Amazon server:
root@TinaLinux:/etc# curl -vI https://api.amazon.com/auth/o2/token

  • Trying 54.239.29.128...
  • TCP_NODELAY set
  • Connected to api.amazon.com (54.239.29.128) port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@strength
  • TLSv1.2 (OUT), TLS header, Certificate Status (22):
  • TLSv1.2 (OUT), TLS handshake, Client hello (1):
  • TLSv1.2 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (OUT), TLS alert, Server hello (2):
  • SSL certificate problem: certificate is not yet valid
  • stopped the pause stream!
  • Closing connection 0
  • TLSv1.2 (OUT), TLS alert, Client hello (1):
    curl: (60) SSL certificate problem: certificate is not yet valid
    More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.
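The two traces above, taken together, separate a CA-bundle problem from a clock problem: www.example.com verifies fine, while api.amazon.com fails with "certificate is not yet valid", which OpenSSL reports when the client's clock is earlier than the certificate's notBefore. On a freshly booted embedded board that usually means the system time was never set, and the remedy is to fix the clock, not to set CURLOPT_SSL_VERIFYPEER to 0L as tried in the first comment, because that accepts any certificate an on-path attacker presents. The following is an added example, not code from the issue author, the AVS Device SDK, or libcurl: a small Python triage helper that classifies the libcurl/OpenSSL failure strings quoted in this thread and checks a certificate's validity window against the device clock. The sample trace reuses lines posted above; the api.amazon.com validity dates and the stuck board clock are constructed for the demonstration.

```python
"""Triage libcurl/OpenSSL TLS failures without disabling peer verification.

Added example for this thread (not SDK or libcurl code). It maps the
verbose-output strings quoted in the issue to a likely cause and fix, and
compares a certificate validity window with the device clock.
"""
from datetime import datetime, timezone

# (substring printed by libcurl/OpenSSL, cause, remediation)
# Disabling CURLOPT_SSL_VERIFYPEER is deliberately not listed as a fix:
# it hides every one of these errors by accepting any certificate at all.
_SIGNATURES = (
    ("certificate is not yet valid", "clock_skew",
     "set the system clock (e.g. via NTP); the device time is before the certificate's notBefore"),
    ("certificate has expired", "clock_skew_or_expired",
     "check the system clock first; only if it is correct has the server certificate really expired"),
    ("cannot be authenticated with given CA certificates", "ca_bundle",
     "point CURLOPT_CAINFO or CURLOPT_CAPATH at a current CA bundle that contains the issuer"),
    ("unable to get local issuer certificate", "ca_bundle",
     "install the issuing CA chain in the bundle used by libcurl"),
    ("does not match target host name", "hostname_mismatch",
     "connect to a name listed in the certificate's subjectAltName; never disable CURLOPT_SSL_VERIFYHOST"),
    ("SSL_ERROR_SYSCALL", "handshake_aborted",
     "the peer closed the connection mid-handshake; re-run with verbose output and check network, proxy and clock"),
)


def classify_tls_failure(log_lines):
    """Return (cause, remediation) for the first known TLS failure in a curl -v trace."""
    for line in log_lines:
        for needle, cause, fix in _SIGNATURES:
            if needle in line:
                return cause, fix
    return "unknown", "enable verbose output (curl -v / CURLOPT_VERBOSE) and inspect the handshake"


def parse_curl_date(text):
    """Parse the 'start date' / 'expire date' format curl -v prints, e.g. 'Nov 3 00:00:00 2015 GMT'."""
    return datetime.strptime(text.strip(), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def certificate_time_status(not_before, not_after, now=None):
    """Classify a validity window against a UTC clock: 'not_yet_valid', 'expired' or 'valid'."""
    now = now or datetime.now(timezone.utc)
    if now < not_before:
        return "not_yet_valid"
    if now > not_after:
        return "expired"
    return "valid"


def triage(trace, cert_start=None, cert_expire=None, now=None):
    """Combine the log classification with the clock check when the certificate dates are known."""
    cause, fix = classify_tls_failure(trace)
    report = {"cause": cause, "fix": fix}
    if cert_start and cert_expire:
        report["clock_vs_cert"] = certificate_time_status(
            parse_curl_date(cert_start), parse_curl_date(cert_expire), now)
    return report


# Constructed sample: the lines the issue author posted for api.amazon.com.
SAMPLE_TRACE = [
    "* Connected to api.amazon.com (54.239.29.128) port 443 (#0)",
    "* TLSv1.2 (IN), TLS handshake, Certificate (11):",
    "* SSL certificate problem: certificate is not yet valid",
    "curl: (60) SSL certificate problem: certificate is not yet valid",
]

if __name__ == "__main__":
    # Constructed values: a board whose clock is stuck in 2015 talking to a
    # server whose certificate (hypothetical dates) only became valid in 2017.
    board_clock = parse_curl_date("Jan 1 00:00:00 2015 GMT")
    print(triage(SAMPLE_TRACE, "Sep 1 00:00:00 2017 GMT", "Sep 1 00:00:00 2018 GMT", board_clock))
```

The hostname and CA-bundle entries generalise beyond the two messages in this thread to the other verification failures libcurl commonly reports; each maps to a fix that keeps verification on.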


xiaow6 commented Sep 21, 2017

Not sure if it's a CA issue or an Amazon server issue; it works now.


kjkh commented Sep 21, 2017

Hi,
If this reoccurs, please re-open the issue and we can help investigate further.
