
TLS Certificate Changes Coming - no earlier than Feb 15th, 2023

Open danewalton opened this issue 3 years ago • 8 comments

Please see the blog post here for details on why this is important: https://techcommunity.microsoft.com/t5/internet-of-things/azure-iot-tls-critical-changes-are-almost-here-and-why-you/ba-p/2393169

danewalton avatar Jun 04 '21 17:06 danewalton

I see the G2 root cert was recently pushed in #1971. When are we planning a new SDK release/tag that we can point everyone to use, which includes the new G2 root?

khilscher avatar Jun 09 '21 16:06 khilscher

> I see the G2 root cert was recently pushed in #1971. When are we planning a new SDK release/tag that we can point everyone to use, which includes the new G2 root?

Yes, that will happen in 1-2 weeks

ericwolz avatar Jul 23 '21 17:07 ericwolz

Is the connection string in the validation section of the blog post supposed to work? It does not for me.

I receive an error when I run the iothub_ll_telemetry_sample and compile with the connection string in the blog post hard coded:

```
jlaird@AUTOSOL1195:~/azure-iot-sdk-c/cmake2/iothub_client/samples/iothub_ll_telemetry_sample$ ./iothub_ll_telemetry_sample
Creating IoTHub Device handle
Sending message 1 to IoTHub
Sending message 2 to IoTHub
Sending message 3 to IoTHub
Sending message 4 to IoTHub
Sending message 5 to IoTHub
-> 13:56:38 CONNECT | VER: 4 | KEEPALIVE: 240 | FLAGS: 192 | USERNAME: g2cert.azure-devices.net/TestDevice1/?api-version=2020-09-30&DeviceClientType=iothubclient%2f1.7.0%20(native%3b%20Linux%3b%20x86_64) | PWD: XXXX | CLEAN: 0
<- 13:56:38 CONNACK | SESSION_PRESENT: false | RETURN_CODE: 0x5
The device client has been disconnected
Error: Time:Tue Aug 31 13:56:38 2021 File:/home/jlaird/azure-iot-sdk-c/iothub_client/src/iothubtransport_mqtt_common.c Func:mqttOperationCompleteCallback Line:2075 Connection Not Accepted: 0x5: Not Authorized
The device client has been disconnected
-> 13:56:38 CONNECT | VER: 4 | KEEPALIVE: 240 | FLAGS: 192 | USERNAME: g2cert.azure-devices.net/TestDevice1/?api-version=2020-09-30&DeviceClientType=iothubclient%2f1.7.0%20(native%3b%20Linux%3b%20x86_64) | PWD: XXXX | CLEAN: 0
<- 13:56:39 CONNACK | SESSION_PRESENT: false | RETURN_CODE: 0x5
The device client has been disconnected
Error: Time:Tue Aug 31 13:56:39 2021 File:/home/jlaird/azure-iot-sdk-c/iothub_client/src/iothubtransport_mqtt_common.c Func:mqttOperationCompleteCallback Line:2075 Connection Not Accepted: 0x5: Not Authorized
The device client has been disconnected
```

Steps:

1. GIT clone branch LTS_07_2021_Ref01
2. cd azure-iot-sdk-c
3. mkdir cmake2
4. cd cmake2
5. edit connection string in iothub_ll_telemetry_sample.c to reflect blog post
6. cmake -Duse_amqp=OFF -Duse_http=OFF -Duse_sample_trusted_cert=ON ..
7. cmake --build .
8. ./iothub_ll_telemetry_sample

*edit error in order of steps

coffeeaddict19 avatar Aug 31 '21 19:08 coffeeaddict19

@coffeeaddict19 Yes, it's failing for me also. Investigating.

ericwolz avatar Aug 31 '21 22:08 ericwolz

@coffeeaddict19 Yes this is by design. As written in the blog, the key in the connection string is invalid. The only test to be done is to ensure a successful TLS handshake. The connection will fail authentication since there's no need to test beyond the TLS handshake. Does that make sense? As long as you're able to validate the server certificate after Server Hello, you should be good!

RamIoTMalhotra avatar Sep 02 '21 00:09 RamIoTMalhotra

For anyone that hits this in the future and would like further information on how to check that it is working properly, here is a link to a walkthrough dissecting a TLS connection using Wireshark. https://www.catchpoint.com/blog/wireshark-tls-handshake

danewalton avatar Sep 02 '21 01:09 danewalton

Thank you for the clarification. This helps a lot; now I know exactly what to look for. Without the 'DigiCert Global Root G2' CA Certificate available or specified I see IOTHUB_CLIENT_CONNECTION_UNAUTHENTICATED and IOTHUB_CLIENT_CONNECTION_NO_NETWORK with the trace message:

```
Error: Time:Thu Sep 2 10:01:50 2021 File:/home/jlaird/azure-iot-sdk-c/c-utility/adapters/tlsio_openssl.c Func:send_handshake_bytes Line:734 error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Error: Time:Thu Sep 2 10:01:50 2021 File:/home/jlaird/azure-iot-sdk-c/umqtt/src/mqtt_client.c Func:onOpenComplete Line:454
Error: failure opening connection to endpoint
```

With the 'DigiCert Global Root G2' CA Certificate available or specified I see IOTHUB_CLIENT_CONNECTION_UNAUTHENTICATED and IOTHUB_CLIENT_CONNECTION_NO_NETWORK with the trace message:

```
Error: Time:Thu Sep 2 10:02:32 2021 File:/home/jlaird/azure-iot-sdk-c/iothub_client/src/iothubtransport_mqtt_common.c Func:mqttOperationCompleteCallback Line:2075 Connection Not Accepted: 0x5: Not Authorized
```

`openssl s_client -connect g2cert.azure-devices.net:8883` was a good tool as well.

coffeeaddict19 avatar Sep 02 '21 15:09 coffeeaddict19
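An added example (not code from the SDK, the blog post or anyone in this thread) that encodes the distinction RamIoTMalhotra and coffeeaddict19 describe above: a "certificate verify failed" trace means the DigiCert Global Root G2 is missing from the device trust store, while a CONNACK 0x5 "Not Authorized" means the TLS handshake succeeded and only the expected key rejection happened. The sample trace lines are constructed after the ones quoted in the thread, and `check_server_trust` is a hypothetical live probe using only the Python standard library.

```python
import re
import socket
import ssl
from typing import Optional, Tuple

# Outcome markers seen in the SDK traces quoted in this thread.
VERIFY_FAIL = re.compile(r"certificate verify failed")
NOT_AUTHORIZED = re.compile(r"Connection Not Accepted: 0x5")

# Constructed sample traces, modelled on the lines quoted in this thread.
TRACE_NO_ROOT = (
    "Error: Time:Thu Sep 2 10:01:50 2021 File:tlsio_openssl.c Func:send_handshake_bytes "
    "Line:734 error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed\n"
    "Error: failure opening connection to endpoint\n"
)
TRACE_WITH_ROOT = (
    "<- 13:56:38 CONNACK | SESSION_PRESENT: false | RETURN_CODE: 0x5\n"
    "Error: Time:Tue Aug 31 13:56:38 2021 File:iothubtransport_mqtt_common.c "
    "Func:mqttOperationCompleteCallback Line:2075 Connection Not Accepted: 0x5: Not Authorized\n"
)


def classify_trace(trace: str) -> str:
    """Map an SDK trace to MISSING_ROOT (G2 root not trusted), TLS_OK_AUTH_REJECTED
    (handshake fine, only the intentionally invalid key was rejected) or UNKNOWN."""
    if VERIFY_FAIL.search(trace):
        return "MISSING_ROOT"
    if NOT_AUTHORIZED.search(trace):
        return "TLS_OK_AUTH_REJECTED"
    return "UNKNOWN"


def check_server_trust(host: str, port: int = 8883,
                       cafile: Optional[str] = None) -> Tuple[bool, str]:
    """Hypothetical live probe: complete a TLS handshake and verify the server chain
    against cafile (or the system roots). Returns (True, issuer CN) on success and
    (False, reason) on a verification or network failure. Needs network access."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return True, issuer.get("commonName", "?")
    except ssl.SSLCertVerificationError as e:
        return False, e.verify_message
    except OSError as e:
        return False, str(e)


if __name__ == "__main__":
    print("no root   :", classify_trace(TRACE_NO_ROOT))
    print("with root :", classify_trace(TRACE_WITH_ROOT))
```

Run `check_server_trust("g2cert.azure-devices.net", cafile="<path to DigiCert Global Root G2 PEM>")` on the device to confirm the chain validates before the SDK ever reaches the MQTT CONNECT.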

@RamIoTMalhotra can we update the blog post to clarify this better?

ericwolz avatar Sep 02 '21 17:09 ericwolz

It has been now two and half years since this notice has been in place, and given the stage we are in the TLS certificate migration we will go ahead and close it. If you have any TLS issues related to the Azure CA certificate migration, please file a new issue for assistance. Much appreciated, Azure IoT SDK Team

ewertons avatar Jan 02 '24 19:01 ewertons