AVR Freaks

Unable to connect MQTT Client to AWS IoT using ATWINC1500

Author
karanbanthia
New Member
  • Total Posts : 18
  • Reward points : 0
  • Joined: 2012/09/18 09:29:29
  • Location: 0
  • Status: offline
2021/02/24 13:14:40 (permalink)
0

Hi All,
Requesting assistance on how to securely connect to the AWS IoT MQTT broker on port 8883 using the ATWINC1500. As I understand from the documentation, 3 things are required:
  1. Private key
  2. Client certificate
  3. Root certificate
I have created a 'thing' in AWS IoT Core, downloaded its keys and certificate, and flashed the private key and certificate to the ATWINC1500.
This gets updated successfully, and I can read and confirm the same.
 
I have flashed all root certificates for AWS + Mosquitto test broker 
 
The same code is used to connect with test.mosquitto.org and my AWS endpoint on port 8883. The connection works fine with the Mosquitto broker (it does not require a client certificate), while it is denied/fails with AWS IoT. I am receiving error code -12 on the received socket.
 
Can someone share an example or a document on how to identify certificate installation and secure connection using the ATWINC1500? Am I missing something here or doing something wrong?
 
Below is my hardware and software configuration:
Micro-controller: PIC32MZ2048EFM100
Harmony: v2.06
FreeRTOS: v10
ATWINC1500 Firmware: 19.5.2
 
Thanks,
Karan
post edited by karanbanthia - 2021/02/24 13:21:19

#1
aschen0866
Super Member
  • Total Posts : 4598
  • Reward points : 0
  • Joined: 2006/01/08 22:18:32
  • Location: San Diego
  • Status: offline
Re: Unable to connect MQTT Client to AWS IoT using ATWINC1500 2021/02/24 18:22:11 (permalink)
0
Since you can connect to the Mosquitto broker, I am wondering which version of AWS Root CA you uploaded to the WINC1500. The old AWS Root CA was signed by VeriSign and the new Root CAs were signed by Amazon Trust Services (ATS). If you are using ATS, the endpoint will have "-ats" in it, e.g., xxxx-ats.iot.us-east-1.amazonaws.com.
 
I'd suggest you try the Root CA, Client Certificate and Private Key using an MQTT client software such as MQTT.fx first to make sure you can connect to the broker.
#2
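The MQTT.fx check suggested above can also be scripted, which makes it easier to tell a root CA mismatch apart from an MQTT-level refusal. The following is an added example written for this thread, not code from either poster or from Microchip: it performs the mutual-TLS handshake with the thing's certificate and key, sends a bare MQTT 3.1.1 CONNECT, and reports the CONNACK (or the absence of one). The endpoint, file names and client id in the usage call are placeholders.

```python
"""Pre-flight check for an AWS IoT mutual-TLS MQTT connection (added example).

This is not code from the thread: it reproduces, from a workstation, the
MQTT.fx test suggested above so that the root CA, client certificate and
private key can be validated before touching the ATWINC1500. The endpoint,
file names and client id in the usage call are placeholders.
"""
import socket
import ssl
import struct

CONNACK_CODES = {
    0: "connection accepted",
    1: "unacceptable protocol version",
    2: "identifier rejected",
    3: "server unavailable",
    4: "bad user name or password",
    5: "not authorized",
}


def encode_remaining_length(n):
    """MQTT variable-length integer: 7 data bits per byte, high bit = more."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def build_connect_packet(client_id, keepalive=60):
    """Minimal MQTT 3.1.1 CONNECT: clean session, no username/password/will
    (AWS IoT authenticates via the client certificate, not MQTT credentials)."""
    cid = client_id.encode("utf-8")
    variable_header = (
        struct.pack("!H", 4) + b"MQTT"      # protocol name
        + bytes([4])                        # protocol level 4 = MQTT 3.1.1
        + bytes([0x02])                     # connect flags: clean session only
        + struct.pack("!H", keepalive)      # keep-alive in seconds
    )
    payload = struct.pack("!H", len(cid)) + cid
    body = variable_header + payload
    return bytes([0x10]) + encode_remaining_length(len(body)) + body


def parse_connack(data):
    """Return (accepted, reason). Empty data means the broker hung up after
    the TLS handshake, which is how an authorization failure often looks."""
    if not data:
        return False, "broker closed the connection without a CONNACK"
    if len(data) < 4 or data[0] != 0x20 or data[1] != 2:
        return False, "unexpected packet " + data.hex()
    code = data[3]
    return code == 0, CONNACK_CODES.get(code, "unknown return code %d" % code)


def make_tls_context(root_ca, client_cert, private_key):
    """Client context that verifies the broker against the chosen root CA and
    presents the thing's certificate and key (mutual TLS)."""
    ctx = ssl.create_default_context(cafile=root_ca)   # hostname check stays on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=client_cert, keyfile=private_key)
    return ctx


def preflight(endpoint, root_ca, client_cert, private_key, client_id, port=8883):
    """Handshake, send CONNECT, report what came back. Returns True on CONNACK 0."""
    ctx = make_tls_context(root_ca, client_cert, private_key)
    with socket.create_connection((endpoint, port), timeout=10) as raw:
        try:
            tls = ctx.wrap_socket(raw, server_hostname=endpoint)
        except ssl.SSLCertVerificationError as exc:
            # The root CA on disk does not chain to the broker's certificate
            # (for an "-ats" endpoint it must be an Amazon Trust Services root).
            print("TLS verification failed:", exc)
            return False
        with tls:
            print("TLS:", tls.version(), tls.cipher()[0])
            tls.sendall(build_connect_packet(client_id))
            accepted, reason = parse_connack(tls.recv(4))
            print("MQTT CONNECT:", reason)
            return accepted


if __name__ == "__main__":
    # Placeholders: substitute the thing's real endpoint, files and client id.
    preflight("xxxx-ats.iot.ap-south-1.amazonaws.com", "AmazonRootCA1.pem",
              "device.pem.crt", "private.pem.key", "my-thing")
```

Run it once with the VeriSign-signed root and once with an Amazon Trust Services root to see which one the "-ats" endpoint accepts; a verification error points at the CA, while a handshake that succeeds and is then closed without a CONNACK points at the device certificate or the policy attached to it.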
karanbanthia
New Member
  • Total Posts : 18
  • Reward points : 0
  • Joined: 2012/09/18 09:29:29
  • Location: 0
  • Status: offline
Re: Unable to connect MQTT Client to AWS IoT using ATWINC1500 2021/02/25 10:57:20 (permalink)
0
Yes. My endpoint is xxxx.-ats.iot.ap-south-1.amazonaws.com
I have downloaded all 5 (2 RSA + 2 ECC + 1 Starfield Root CA) certificates, including cross-signed, as per the latest recommendation.
I will test using MQTT.fx and update with the results. Thanks.
#3
karanbanthia
New Member
  • Total Posts : 18
  • Reward points : 0
  • Joined: 2012/09/18 09:29:29
  • Location: 0
  • Status: offline
Re: Unable to connect MQTT Client to AWS IoT using ATWINC1500 2021/03/06 04:06:51 (permalink)
0
The policy attached to device certificate was limiting connections!
Thanks a lot for recommending to test using MQTT.fx client. It will help in further testing as well.
#4
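The resolution above (the policy attached to the device certificate was limiting connections) is worth seeing in code, because a policy that denies iot:Connect refuses the device after the TLS handshake has already succeeded, which the device typically sees as a dropped socket rather than an MQTT error code. The following is an added example, not code from the thread or from AWS: a simplified model of AWS IoT policy evaluation run over a constructed over-restrictive policy and a constructed least-privilege one. The account id, region, thing names and client ids are placeholders, and the real service has features (conditions, NotAction) this model omits.

```python
"""Simplified model of AWS IoT policy evaluation (added example).

Not code from the thread: it illustrates why a policy attached to the device
certificate can refuse a connection that already passed the TLS handshake.
The rules modelled are the documented ones (an explicit Deny wins, otherwise
any matching Allow, otherwise implicit deny; '*' wildcards; ${...} policy
variables). The policies, account id, region and client ids are constructed
placeholders, and real evaluation has more features (conditions, NotAction).
"""
import re

ACCOUNT = "123456789012"     # placeholder account id
REGION = "ap-south-1"
ARN_PREFIX = "arn:aws:iot:%s:%s:" % (REGION, ACCOUNT)

# Constructed example of an over-restrictive policy: the Connect statement is
# pinned to one client id, so a device connecting under any other id is refused.
RESTRICTIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": ARN_PREFIX + "client/my-first-thing"},
        {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
         "Resource": ARN_PREFIX + "topic/sdk/test"},
    ],
}

# Constructed least-privilege policy: each thing may connect only under its
# own name and only touch its own topics. ${iot:Connection.Thing.ThingName}
# resolves only when the certificate is attached to the thing and the client
# id equals the thing name.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": ARN_PREFIX + "client/${iot:Connection.Thing.ThingName}"},
        {"Effect": "Allow", "Action": "iot:Publish",
         "Resource": ARN_PREFIX + "topic/devices/${iot:Connection.Thing.ThingName}/*"},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": ARN_PREFIX + "topicfilter/devices/${iot:Connection.Thing.ThingName}/cmd"},
        {"Effect": "Allow", "Action": "iot:Receive",
         "Resource": ARN_PREFIX + "topic/devices/${iot:Connection.Thing.ThingName}/cmd"},
    ],
}


def substitute(text, variables):
    """Replace ${name} policy variables; unknown names are left untouched."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: variables.get(m.group(1), m.group(0)), text)


def glob_match(pattern, value):
    """AWS-style wildcard: '*' matches any run of characters, including '/' and ':'."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def as_list(v):
    return v if isinstance(v, list) else [v]


def evaluate(policy, action, resource, variables=None):
    """Return 'Allow' or 'Deny' for one (action, resource) request."""
    variables = variables or {}
    decision = "Deny"                       # implicit deny until an Allow matches
    for stmt in policy["Statement"]:
        resources = [substitute(r, variables) for r in as_list(stmt["Resource"])]
        if not any(glob_match(a, action) for a in as_list(stmt["Action"])):
            continue
        if not any(glob_match(r, resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                   # explicit deny overrides everything
        decision = "Allow"
    return decision


def connection_variables(thing_name, client_id):
    return {"iot:ClientId": client_id,
            "iot:Connection.Thing.ThingName": thing_name}


def can_connect(policy, thing_name, client_id):
    """Decision for the iot:Connect check performed at MQTT CONNECT time."""
    return evaluate(policy, "iot:Connect", ARN_PREFIX + "client/" + client_id,
                    connection_variables(thing_name, client_id))


if __name__ == "__main__":
    for name, policy in (("restrictive", RESTRICTIVE_POLICY),
                         ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, "-> pic32-node-01 connect:",
              can_connect(policy, "pic32-node-01", "pic32-node-01"))
```

When checking a thing's policy, evaluate iot:Connect against the exact client id the firmware uses; a Connect statement pinned to a different client id, as in the restrictive policy here, is enough to make a correctly provisioned certificate unusable. Keeping the other statements scoped to the thing's own topics limits what a compromised device credential can do.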
aschen0866
Super Member
  • Total Posts : 4598
  • Reward points : 0
  • Joined: 2006/01/08 22:18:32
  • Location: San Diego
  • Status: offline
Re: Unable to connect MQTT Client to AWS IoT using ATWINC1500 2021/03/06 09:39:39 (permalink)
0
karanbanthia wrote:
> Yes. My endpoint is xxxx.-ats.iot.ap-south-1.amazonaws.com
> I have downloaded all 5 (2 RSA + 2 ECC + 1 Starfield Root CA) certificates, including cross-signed, as per the latest recommendation.
> I will test using MQTT.fx and update with the results. Thanks.

You don't need the ECC certificates unless you have hardware accelerator on your processor side. The WINC module can't perform ECC math and has to rely on the processor's help. The Starfield Root CA is needed if you need to access AWS S3 Bucket. For the MQTT connection, the AWS RSA 2048 Root CA is good enough for now.
#5
karanbanthia
New Member
  • Total Posts : 18
  • Reward points : 0
  • Joined: 2012/09/18 09:29:29
  • Location: 0
  • Status: offline
Re: Unable to connect MQTT Client to AWS IoT using ATWINC1500 2021/03/18 08:14:57 (permalink)
0
In case I want to use ECC certificates, does it mean I will need to have the entire TCP/IP stack + Harmony Networking layer on the controller side, and use the ATWINC1500 in Ethernet mode?
#6
aschen0866
Super Member
  • Total Posts : 4598
  • Reward points : 0
  • Joined: 2006/01/08 22:18:32
  • Location: San Diego
  • Status: offline
Re: Unable to connect MQTT Client to AWS IoT using ATWINC1500 2021/03/20 16:56:18 (permalink)
4 (1)
You'll need to use an external hardware crypto engine

> 7.4.5 ECC Cipher Suite
> The ATWINC15x0 TLS library features support of ECC cipher suites. Although the ATWINC15x0 device does not contain a built-in hardware accelerator for ECC math, the WINC TLS library leverages the ECC math from the host MCU. To perform the ECC computations needed by the ECC ciphers, an ECC hardware accelerator (or software library) on the host MCU is mandatory.
> The WINC TLS initializes with the ECC cipher suites disabled by default. The host MCU application can enable the ciphers via the API sslSetActiveCipherSuites.

If your processor does not have a crypto engine, you can add a secure element product such as Microchip's ATECC608A.
 
post edited by aschen0866 - 2021/03/20 16:58:12
#7