
Support TLS 1.3 on Mac #699

Open

jmklix opened this issue Dec 17, 2024 · 2 comments
Labels
feature-request A feature should be added or improved. p2 This is a standard priority issue

Comments

@jmklix
Member

jmklix commented Dec 17, 2024

Describe the feature

Original bug opened on aws-iot-device-sdk-python-v2:

Describe the bug

If you enable AWS IoT security policy TLS13_1_3_2022_10 which requires one of the following cipher suites:

  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256

Then running the basic_connect fails with: awscrt.exceptions.AwsCrtError: AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE: TLS (SSL) negotiation failed.

After doing a packet capture, I noticed the above cipher suites were missing from the Client Hello.

The issue only affects V2 of this SDK. I don't have issues with V1, curl, or any other MQTT library. I was able to replicate this on Windows, Mac, and an Amazon Linux 3 image. If I downgrade to TLS13_1_2_2022_10, it works.

Expected Behavior

Sample basic_connect.py to connect

Current Behavior

Does not connect, TLS (SSL) negotiation failed

Reproduction Steps

  1. AWS IoT > Connect > Domain configurations
  2. Select the data-ats endpoint
  3. Under security policy select TLS13_1_3_2022_10.
  4. Save
  5. Install aws python sdk v2: python3 -m pip install awsiotsdk
  6. Download latest python sdk package with samples: git clone https://github.com/aws/aws-iot-device-sdk-python-v2.git
  7. Add Iot certs to known location on client
  8. Run

```shell
python3 ./aws-iot-device-sdk-python-v2/samples/basic_connect.py \
  --endpoint [endpoint] \
  --cert [path to client cert] \
  --key [path to client key] \
  --ca_file AmazonRootCA1.pem
```

SDK version used

1.22.0

Environment details (OS name and version, etc.)

Mac Sequoia 15.1.1

Use Case

Use TLS 1.3 on Mac with the aws-iot-device-sdk-python-v2

Proposed Solution

No response

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change
@jmklix jmklix added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. p2 This is a standard priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Dec 17, 2024
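The report above was diagnosed from a packet capture: the TLS 1.3 suites were absent from the Client Hello. The following is an added example, not code from the SDK or from the reporter, that parses a raw TLS record holding a ClientHello and reports whether it offers TLS 1.3 (supported_versions contains 0x0304) and at least one of the three suites the TLS13_1_3_2022_10 policy requires. The two sample hellos at the bottom are constructed inline, not captured traffic.

```python
import struct

# Suite IDs required by the TLS13_1_3_2022_10 policy (IANA TLS cipher suite registry values).
TLS13_SUITES = {0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
                0x1303: "TLS_CHACHA20_POLY1305_SHA256"}
SUPPORTED_VERSIONS_EXT = 43   # RFC 8446 extension type; for a ClientHello its data is len(1) + versions
TLS13 = 0x0304

def parse_client_hello(record: bytes) -> dict:
    """Extract offered cipher suites and supported_versions from a TLS record carrying a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack(">H", record[1:3])[0]]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                   # handshake header, legacy_version, random
    p += 1 + body[p]                                 # legacy_session_id
    n = struct.unpack(">H", body[p:p + 2])[0]; p += 2
    suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(p, p + n, 2)]; p += n
    p += 1 + body[p]                                 # legacy_compression_methods
    versions = []
    if p + 2 <= len(body):                           # extensions block is optional
        ext_end = p + 2 + struct.unpack(">H", body[p:p + 2])[0]; p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack(">HH", body[p:p + 4]); p += 4
            if etype == SUPPORTED_VERSIONS_EXT:
                data = body[p + 1:p + 1 + body[p]]
                versions = [struct.unpack(">H", data[i:i + 2])[0] for i in range(0, len(data), 2)]
            p += elen
    return {"cipher_suites": suites, "supported_versions": versions}

def tls13_ready(record: bytes) -> tuple:
    """(ok, offered): ok is True only if TLS 1.3 is offered together with a required TLS 1.3 suite."""
    info = parse_client_hello(record)
    offered = [TLS13_SUITES[s] for s in info["cipher_suites"] if s in TLS13_SUITES]
    return (TLS13 in info["supported_versions"] and bool(offered), offered)

def build_client_hello(suites, versions) -> bytes:
    """Constructed minimal ClientHello (zeroed random, no session id) for exercising the parser."""
    cs = b"".join(struct.pack(">H", s) for s in suites)
    sv = bytes([2 * len(versions)]) + b"".join(struct.pack(">H", v) for v in versions)
    ext = struct.pack(">HH", SUPPORTED_VERSIONS_EXT, len(sv)) + sv
    hello = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + struct.pack(">H", len(cs)) + cs
             + b"\x01\x00" + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

# Constructed samples: one hello that satisfies the policy, one that mirrors the failing capture.
GOOD_HELLO = build_client_hello([0x1301, 0x1303, 0xC02F], [TLS13, 0x0303])
LEGACY_HELLO = build_client_hello([0xC02F, 0xC030], [0x0303])
```

Feeding the bytes of a captured ClientHello record into tls13_ready gives the same answer the packet capture did, without reading the hex by hand.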
@GeoSnipes

GeoSnipes commented Dec 18, 2024

Note, this does not only affect Mac. At the time of posting the original ticket, it was reproducible on Windows, Mac, and using the Amazon Linux 2 and 3 images.

@waahm7
Contributor

waahm7 commented Dec 18, 2024

@GeoSnipes This should not affect Linux. Please create a new issue if you are having problems. For Windows, we have a separate issue #609 where we are tracking this.
