SDK Backend not building TLS with supported TLSv1.3 Cipher Suites #600

Closed · GeoSnipes opened this issue Dec 14, 2024 · 3 comments

Labels: bug (This issue is a bug.), p2 (This is a standard priority issue)

@GeoSnipes (author)

Describe the bug

If you enable AWS IoT security policy TLS13_1_3_2022_10 which requires one of the following cipher suites:

  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256

Then running the basic_connect fails with: awscrt.exceptions.AwsCrtError: AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE: TLS (SSL) negotiation failed.

After doing a packet capture, I noticed the above cipher suites were missing from the Client Hello.

The issue only affects V2 of this SDK. I don't have issues with V1, curl, or any other MQTT library. I was able to replicate this on Windows, Mac, and an Amazon Linux 3 image. If I downgrade to TLS13_1_2_2022_10, it works.

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

Sample basic_connect.py to connect

Current Behavior

Does not connect, TLS (SSL) negotiation failed

Reproduction Steps

  1. AWS IoT > Connect > Domain configurations
  2. Select the data-ats endpoint
  3. Under security policy select TLS13_1_3_2022_10.
  4. Save
  5. Install aws python sdk v2: python3 -m pip install awsiotsdk
  6. Download latest python sdk package with samples: git clone https://github.com/aws/aws-iot-device-sdk-python-v2.git
  7. Add Iot certs to known location on client
  8. Run

    python3 ./aws-iot-device-sdk-python-v2/samples/basic_connect.py \
      --endpoint [endpoint] \
      --cert [path to client cert] \
      --key [path to client key] \
      --ca_file AmazonRootCA1.pem

Possible Solution

No response

Additional Information/Context

No response

SDK version used

1.22.0

Environment details (OS name and version, etc.)

macOS Sequoia 15.1.1
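The reporter's packet-capture check (are the three TLS 1.3 suites that the TLS13_1_3_2022_10 policy requires actually present in the ClientHello?) can be done without Wireshark. The script below is an added example, not code from this issue, the AWS IoT SDK, or aws-crt-python: it parses the cipher_suites field out of a raw TLS ClientHello record per RFC 5246 / RFC 8446 and lists which of the required suites are missing. The suite codes 0x1301, 0x1302 and 0x1303 are the IANA assignments for the three suites named above; `build_client_hello` is a hypothetical helper that constructs a minimal ClientHello fixture so the check runs offline, and the assumed real-world input is the first client-to-server TLS record from a capture (for example the payload of the first TCP data segment, or the bytes shown by `openssl s_client -msg`).

```python
"""Check a TLS ClientHello record for the TLS 1.3 cipher suites that the
AWS IoT TLS13_1_3_2022_10 policy requires.

Added example (not part of the issue or the SDK). Feed parse_client_hello_suites()
the raw bytes of the first client-to-server TLS record from a capture.
"""
import struct

# TLS 1.3 cipher suites required by TLS13_1_3_2022_10 (IANA codes, RFC 8446).
TLS13_1_3_2022_10_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}

# A few common TLS 1.2 suites, only so that output is readable.
SUITE_NAMES = {
    **TLS13_1_3_2022_10_SUITES,
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}


def parse_client_hello_suites(record: bytes) -> list:
    """Return the cipher-suite codes offered in a TLS ClientHello record.

    Layout: record header type(1)=0x16, version(2), length(2);
    handshake header type(1)=0x01, length(3);
    body legacy_version(2), random(32), legacy_session_id(len(1)+bytes),
    cipher_suites(len(2)+bytes), compression(len(1)+bytes), extensions...
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                   # skip legacy_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                             # skip legacy_session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if suites_len % 2 or pos + suites_len > len(body):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", body[i:i + 2])[0]
            for i in range(pos, pos + suites_len, 2)]


def describe_suites(codes: list) -> list:
    """Map suite codes to names; unknown codes are shown as hex."""
    return [SUITE_NAMES.get(c, "0x%04x" % c) for c in codes]


def missing_tls13_suites(record: bytes) -> list:
    """Names of the TLS13_1_3_2022_10 suites that the ClientHello does not offer.
    An empty list means the policy can be satisfied; a full list of three is
    the symptom reported in this issue."""
    offered = set(parse_client_hello_suites(record))
    return [name for code, name in TLS13_1_3_2022_10_SUITES.items()
            if code not in offered]


def build_client_hello(suites: list) -> bytes:
    """Constructed fixture (hypothetical helper): a minimal, well-formed
    ClientHello record offering exactly `suites`, zero random, no extensions."""
    body = b"\x03\x03" + bytes(32) + b"\x00"       # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                            # compression methods: null only
    body += b"\x00\x00"                            # extensions length: none
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    # Constructed sample: a client that offers only TLS 1.2 suites, as the
    # reporter observed in the capture.
    tls12_only = build_client_hello([0xC02B, 0xC02F, 0xC02C, 0xC030])
    print("offered:", describe_suites(parse_client_hello_suites(tls12_only)))
    print("missing for TLS13_1_3_2022_10:", missing_tls13_suites(tls12_only))
```

Run against a real capture, a non-empty `missing_tls13_suites` result for the SDK client, together with an empty one for curl on the same host, confirms the problem is in what the client offers rather than in the endpoint's domain configuration.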

@GeoSnipes GeoSnipes added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Dec 14, 2024
@jmklix (Member) commented Dec 16, 2024

Thanks for the detailed issue description and reproduction steps. Sorry, but the IoT Device SDK does not currently support TLS 1.3 on macOS. This is a feature request that would need to be added in aws-crt-python.

@jmklix (Member) commented Dec 17, 2024

I created a feature request for this on aws-c-io

@jmklix jmklix closed this as completed Dec 17, 2024
@jmklix jmklix added p2 This is a standard priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Dec 17, 2024