3 years, 1 month ago.

Microsoft Azure IoT Hub cert is rejected during the handshake

I am using MBED TLS with MQTT to connect to the Azure IoT Hub. During the first handshake itself, the CA cert from Microsoft is rejected. I am using a K64F.

Mbed to Azure IoT Hub: version is 0.10

Opening network interface... Connected to the network successfully. IP address: 10.1.10.65

Time is now Fri Aug 23 15:30:14 2019 Connecting to host hublora.azure-devices.net:8883 ... [DBG ][TLSW]: mbedtls_ssl_conf_ca_chain() [INFO][TLSW]: Starting TLS handshake with hublora.azure-devices.net [DBG ][TLSW]: mbedtls_ssl_setup() [DBG ][TLSW]: Verifying certificate at depth 1:

[DBG ][TLSW]: cert. version : 3 serial number : 0F:2C:10:C9:5B:06:C0:93:7F:B8:D4:49:F8:3E:85:69 issuer name : C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root subject name : C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 2 issued on : 2016-05-20 12:51:57 expires on : 2024-05-20 12:51:57 signed using : RSA with SHA-256 RSA key size : 4096 bits basic constraints : CA=true, max_pathlen=0 key usage : Digital Signature, Key Cert Sign, CRL Sign ext key usage : TLS Web Server Authentication, TLS Web Client Authentication, OCSP Signing

[INFO][TLSW]: ! The certificate is not correctly signed by the trusted CA

[DBG ][TLSW]: Verifying certificate at depth 0:

[DBG ][TLSW]: cert. version : 3 serial number : 20:00:05:DD:5F:F5:41:2A:B7:FB:B1:05:62:00:00:00:05:DD:5F issuer name : C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 2 subject name : CN=*.azure-devices.net issued on : 2019-04-12 22:59:46 expires on : 2020-04-12 22:59:46 signed using : RSA with SHA-256 RSA key size : 2048 bits subject alt name : *.azure-devices.net, *.amqpws.azure-devices.net, *.su.management-azure-devices.net key usage : Digital Signature, Key Encipherment, Data Encipherment ext key usage : TLS Web Client Authentication, TLS Web Server Authentication

[INFO][TLSW]: No verification issue for this certificate

[DBG ][TLSW]: ssl_tls.c:5920: |1| x509_verify_cert() returned -9984 (-0x2700)

[ERR ][TLSW]: mbedtls_ssl_handshake() failed: -0x2700 (-9984): X509 - Certificate verification failed, e.g. CRL, CA or signature check failed ERROR from MQTTNetwork connect is -3011

1 Answer

3 years, 1 month ago.

Hi Sudir,

I believe you haven't set the root CA with subject "Microsoft IT TLS CA 2" in your client as a trusted root CA, using the mbedtls_ssl_conf_ca_chain() API.

Is this the case?

Regards,

Mbed OS Support

Ron

Thanks Ron. This is a straight import of https://os.mbed.com/users/coisme/code/Mbed-to-Azure-IoT-Hub/ with just my credentials. That example by an ARM employee does not mention any such requirements for setting the root CA. Where would I set that root CA?

posted by Sudhir Kshirsagar 30 Aug 2019

Hi Sudhir, Afterr looking some more, I see that the certificate with "Microsoft IT TLS CA 2" subject is sent to your device in the certificate chain messge, and it is signed by by "Baltimore CyberTrust Root" root certificate, which is set in the MQTT_server_setting.h file as `SSL_CA_PEM`. So, I don't think this is the reason for failed certificate, unless you modified this variable in the settings file. I would suggest you enable more logs, for more information. What is your MBED_TRACE_MAX_LEVEL ?

posted by Ron Eldor 01 Sep 2019