Mbed forum

Trouble with AWS API Gateway


(Andrea Ravalli) #1

Hello,
I have a problem connecting my hardware to AWS.
My configuration is copied from the AWS_Iot_Device example (library version 2.9.0, provided by the Keil Pack Installer) and is as follows:
/*
 *  Configuration template
 *
 *  Copyright © 2006-2015, ARM Limited, All Rights Reserved
 *  SPDX-License-Identifier: Apache-2.0
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
 *  This file is part of mbed TLS (https://tls.mbed.org)
 */

/* mbed TLS feature support */
/*
 * Compile-time feature switches. Lines left as "//#define" are features that
 * are compiled out of this build.
 */

/*
 * Entropy: MBEDTLS_ENTROPY_HARDWARE_ALT makes the library call an
 * application-supplied mbedtls_hardware_poll(), and MBEDTLS_NO_PLATFORM_ENTROPY
 * (further down) compiles out the built-in platform collectors. Every key and
 * nonce generated on the device then depends on what that function returns.
 */
#define MBEDTLS_ENTROPY_HARDWARE_ALT
#define MBEDTLS_AES_ROM_TABLES
//#define MBEDTLS_CAMELLIA_SMALL_MEMORY
#define MBEDTLS_CIPHER_MODE_CBC
#define MBEDTLS_CIPHER_MODE_CFB
#define MBEDTLS_CIPHER_MODE_CTR
#define MBEDTLS_CIPHER_PADDING_PKCS7
#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
#define MBEDTLS_CIPHER_PADDING_ZEROS
/* RC4-based ciphersuites are removed from the TLS suite list. */
#define MBEDTLS_REMOVE_ARC4_CIPHERSUITES
/*
 * Elliptic curves: only secp256r1 is enabled. ECDHE with any other curve, and
 * presumably certificate chains that use other curves, cannot be handled by
 * this build.
 */
//#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
//#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
//#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
//#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
//#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
//#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
//#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
//#define MBEDTLS_ECP_DP_BP256R1_ENABLED
//#define MBEDTLS_ECP_DP_BP384R1_ENABLED
//#define MBEDTLS_ECP_DP_BP512R1_ENABLED
//#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
#define MBEDTLS_ECP_NIST_OPTIM
#define MBEDTLS_ECDSA_DETERMINISTIC
/*
 * Key exchanges: only ECDHE-RSA and ECDHE-ECDSA are enabled; static RSA, DHE,
 * static ECDH, EC J-PAKE and every PSK variant are compiled out.
 * NOTE(review): the client hello in the debug log posted with this file
 * advertises static-RSA and PSK suite ids (for example 0035, 000a, 008b) and
 * carries only a signature_algorithms extension. That does not look like the
 * output of this configuration -- confirm the library on the target was
 * actually built with this header.
 */
//#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
//#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
//#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
//#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
//#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
//#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
//#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
//#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
//#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
//#define MBEDTLS_PK_PARSE_EC_EXTENDED
//#define MBEDTLS_ERROR_STRERROR_DUMMY
#define MBEDTLS_GENPRIME
//#define MBEDTLS_FS_IO
//#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
#define MBEDTLS_NO_PLATFORM_ENTROPY
//#define MBEDTLS_ENTROPY_FORCE_SHA256
//#define MBEDTLS_ENTROPY_NV_SEED
//#define MBEDTLS_MEMORY_DEBUG
//#define MBEDTLS_MEMORY_BACKTRACE
//#define MBEDTLS_PK_RSA_ALT_SUPPORT
/*
 * RSA padding: PKCS#1 v1.5 only. PKCS#1 v2.1 (OAEP/PSS) is compiled out, and
 * MBEDTLS_X509_RSASSA_PSS_SUPPORT below is off as well, so certificates signed
 * with RSASSA-PSS are presumably not verifiable by this build.
 */
#define MBEDTLS_PKCS1_V15
//#define MBEDTLS_PKCS1_V21
//#define MBEDTLS_RSA_NO_CRT
#define MBEDTLS_SELF_TEST
//#define MBEDTLS_SHA256_SMALLER
#define MBEDTLS_SSL_ALL_ALERT_MESSAGES
/* Debugging aid only; leave disabled in production images. */
//#define MBEDTLS_SSL_DEBUG_ALL
#define MBEDTLS_SSL_ENCRYPT_THEN_MAC
#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET
//#define MBEDTLS_SSL_FALLBACK_SCSV
//#define MBEDTLS_SSL_HW_RECORD_ACCEL
//#define MBEDTLS_SSL_CBC_RECORD_SPLITTING
//#define MBEDTLS_SSL_RENEGOTIATION
//#define MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
//#define MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
/*
 * Compiles in the max_fragment_length extension. The client still has to
 * request a length at run time (mbedtls_ssl_conf_max_frag_len()), and the
 * server is free to ignore the extension.
 */
#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
/* Protocol versions: TLS 1.2 only; SSL 3.0, TLS 1.0/1.1 and DTLS are compiled out. */
//#define MBEDTLS_SSL_PROTO_SSL3
//#define MBEDTLS_SSL_PROTO_TLS1
//#define MBEDTLS_SSL_PROTO_TLS1_1
#define MBEDTLS_SSL_PROTO_TLS1_2
//#define MBEDTLS_SSL_PROTO_DTLS
#define MBEDTLS_SSL_ALPN
//#define MBEDTLS_SSL_DTLS_ANTI_REPLAY
//#define MBEDTLS_SSL_DTLS_HELLO_VERIFY
//#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
//#define MBEDTLS_SSL_DTLS_BADMAC_LIMIT
//#define MBEDTLS_SSL_SESSION_TICKETS
//#define MBEDTLS_SSL_EXPORT_KEYS
/*
 * Compiles in SNI support only. The server_name extension is sent when the
 * application calls mbedtls_ssl_set_hostname(); the same call sets the name
 * that the server certificate is checked against. The thread this file was
 * posted in was resolved by adding that call.
 */
#define MBEDTLS_SSL_SERVER_NAME_INDICATION
//#define MBEDTLS_SSL_TRUNCATED_HMAC
#define MBEDTLS_VERSION_FEATURES
/*
 * X.509 strictness: keyUsage and extendedKeyUsage are checked, and the two
 * "ALLOW_" relaxations (non-v3 extensions, unsupported critical extensions)
 * stay disabled.
 */
//#define MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
//#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
#define MBEDTLS_X509_CHECK_KEY_USAGE
#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
//#define MBEDTLS_X509_RSASSA_PSS_SUPPORT

/* mbed TLS modules */
/*
 * Selects which library modules are compiled in. The set below is a TLS
 * client (MBEDTLS_SSL_CLI_C without MBEDTLS_SSL_SRV_C) using AES, GCM,
 * RSA, ECDH/ECDSA, SHA-1/SHA-256/SHA-512 and X.509 certificate parsing.
 *
 * NOTE(review): MBEDTLS_DEBUG_C, MBEDTLS_CCM_C and MBEDTLS_DES_C are commented
 * out here, yet the log posted with this file contains library debug trace
 * lines and a client hello offering CCM and 3DES suite ids (c09d, 000a) and no
 * GCM suites. The image that produced the log was possibly built from a
 * different configuration -- confirm which header the build really uses.
 */
#define MBEDTLS_AES_C
//#define MBEDTLS_ARC4_C
#define MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_ASN1_WRITE_C
#define MBEDTLS_BASE64_C
#define MBEDTLS_BIGNUM_C
//#define MBEDTLS_BLOWFISH_C
//#define MBEDTLS_CAMELLIA_C
//#define MBEDTLS_CCM_C
/* The built-in test certificates are not compiled in. */
//#define MBEDTLS_CERTS_C
#define MBEDTLS_CIPHER_C
//#define MBEDTLS_CMAC_C
/* Random numbers come from CTR_DRBG, seeded through the entropy module below. */
#define MBEDTLS_CTR_DRBG_C
//#define MBEDTLS_DEBUG_C
//#define MBEDTLS_DES_C
//#define MBEDTLS_DHM_C
#define MBEDTLS_ECDH_C
#define MBEDTLS_ECDSA_C
//#define MBEDTLS_ECJPAKE_C
#define MBEDTLS_ECP_C
#define MBEDTLS_ENTROPY_C
//#define MBEDTLS_ERROR_C
#define MBEDTLS_GCM_C
//#define MBEDTLS_HAVEGE_C
#define MBEDTLS_HMAC_DRBG_C
#define MBEDTLS_MD_C
//#define MBEDTLS_MD2_C
//#define MBEDTLS_MD4_C
//#define MBEDTLS_MD5_C
//#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
#define MBEDTLS_NET_C
#define MBEDTLS_OID_C
#define MBEDTLS_PEM_PARSE_C
//#define MBEDTLS_PEM_WRITE_C
#define MBEDTLS_PK_C
#define MBEDTLS_PK_PARSE_C
//#define MBEDTLS_PK_WRITE_C
//#define MBEDTLS_PKCS5_C
//#define MBEDTLS_PKCS11_C
//#define MBEDTLS_PKCS12_C
#define MBEDTLS_PLATFORM_C
//#define MBEDTLS_RIPEMD160_C
#define MBEDTLS_RSA_C
#define MBEDTLS_SHA1_C
#define MBEDTLS_SHA256_C
#define MBEDTLS_SHA512_C
//#define MBEDTLS_SSL_CACHE_C
//#define MBEDTLS_SSL_COOKIE_C
//#define MBEDTLS_SSL_TICKET_C
#define MBEDTLS_SSL_CLI_C
//#define MBEDTLS_SSL_SRV_C
#define MBEDTLS_SSL_TLS_C
//#define MBEDTLS_THREADING_C
//#define MBEDTLS_TIMING_C
#define MBEDTLS_VERSION_C
/*
 * X.509: certificate parsing and use are enabled. CRL parsing is compiled
 * out, so this build cannot check revocation against a CRL.
 */
#define MBEDTLS_X509_USE_C
#define MBEDTLS_X509_CRT_PARSE_C
//#define MBEDTLS_X509_CRL_PARSE_C
//#define MBEDTLS_X509_CSR_PARSE_C
//#define MBEDTLS_X509_CREATE_C
//#define MBEDTLS_X509_CRT_WRITE_C
//#define MBEDTLS_X509_CSR_WRITE_C
//#define MBEDTLS_XTEA_C

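/* Module configuration options */
/*
 * Numeric tuning values. The window sizes and the disabled fixed-point
 * optimisation are the small-footprint choices: they reduce RAM use at the
 * cost of slower big-number and elliptic-curve operations.
 */

/* MPI / BIGNUM options */
#define MBEDTLS_MPI_WINDOW_SIZE 1 /**< Maximum window size used. */

/* ECP options */
#define MBEDTLS_ECP_WINDOW_SIZE 2 /**< Maximum window size used */
#define MBEDTLS_ECP_FIXED_POINT_OPTIM 0 /**< Disable fixed-point speed-up */

/* Entropy options */
#define MBEDTLS_ENTROPY_MAX_SOURCES 2 /**< Maximum number of sources supported */

/* SSL options */
/*
 * 5000 bytes is below the 16384-byte maximum a TLS peer may put in one
 * record. A record larger than this buffer cannot be received, so the
 * connection only works if the server keeps its records small enough --
 * NOTE(review): confirm the target server honours max_fragment_length or
 * otherwise never sends larger records.
 */
#define MBEDTLS_SSL_MAX_CONTENT_LEN 5000 /**< Maximum fragment length in bytes, determines the size of each of the two internal I/O buffers */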

#include “check_config.h”

#endif /* MBEDTLS_CONFIG_H */

When I try to connect, I get this error:

. Seeding the random number generator… ok
ok (0 skipped)
. Connecting to tcp/izglhlyv18.execute-api.eu-west-1.amazonaws.com/443… ok
. Setting up the SSL/TLS structure… ok
. Performing the SSL/TLS handshake…ssl_tls.c:6718: => handshake
ssl_cli.c:3389: client state: 0
ssl_tls.c:2473: => flush output
ssl_tls.c:2485: <= flush output
ssl_cli.c:3389: client state: 1
ssl_tls.c:2473: => flush output
ssl_tls.c:2485: <= flush output
ssl_cli.c:0773: => write client hello
ssl_cli.c:0810: client hello, max version: [3:3]
ssl_cli.c:0820: dumping ‘client hello, random bytes’ (32 bytes)
ssl_cli.c:0820: 0000: b2 01 44 9f 6c 8e 02 84 bb 48 17 4c 09 b7 83 bb …D.l…H.L…
ssl_cli.c:0820: 0010: e5 f5 e8 94 57 d0 f6 c6 36 e9 4b 1c ab d6 d0 d6 …W…6.K…
ssl_cli.c:0873: client hello, session id len.: 0
ssl_cli.c:0874: dumping ‘client hello, session id’ (0 bytes)
ssl_cli.c:0920: client hello, add ciphersuite: c09d
ssl_cli.c:0920: client hello, add ciphersuite: 003d
ssl_cli.c:0920: client hello, add ciphersuite: 0035
ssl_cli.c:0920: client hello, add ciphersuite: c0a1
ssl_cli.c:0920: client hello, add ciphersuite: c09c
ssl_cli.c:0920: client hello, add ciphersuite: 003c
ssl_cli.c:0920: client hello, add ciphersuite: 002f
ssl_cli.c:0920: client hello, add ciphersuite: c0a0
ssl_cli.c:0920: client hello, add ciphersuite: 000a
ssl_cli.c:0920: client hello, add ciphersuite: 00b7
ssl_cli.c:0920: client hello, add ciphersuite: 0095
ssl_cli.c:0920: client hello, add ciphersuite: 00b6
ssl_cli.c:0920: client hello, add ciphersuite: 0094
ssl_cli.c:0920: client hello, add ciphersuite: 0093
ssl_cli.c:0920: client hello, add ciphersuite: c0a5
ssl_cli.c:0920: client hello, add ciphersuite: 00af
ssl_cli.c:0920: client hello, add ciphersuite: 008d
ssl_cli.c:0920: client hello, add ciphersuite: c0a9
ssl_cli.c:0920: client hello, add ciphersuite: c0a4
ssl_cli.c:0920: client hello, add ciphersuite: 00ae
ssl_cli.c:0920: client hello, add ciphersuite: 008c
ssl_cli.c:0920: client hello, add ciphersuite: c0a8
ssl_cli.c:0920: client hello, add ciphersuite: 008b
ssl_cli.c:0928: client hello, got 23 ciphersuites (excluding SCSVs)
ssl_cli.c:0937: adding EMPTY_RENEGOTIATION_INFO_SCSV
ssl_cli.c:0986: client hello, compress len.: 1
ssl_cli.c:0987: client hello, compress alg.: 0
ssl_cli.c:0189: client hello, adding signature_algorithms extension
ssl_cli.c:1061: client hello, total extension length: 14
ssl_tls.c:2766: => write record
ssl_tls.c:2909: output record: msgtype = 22, version = [3:1], msglen = 107
ssl_tls.c:2914: dumping ‘output record sent to network’ (112 bytes)
ssl_tls.c:2914: 0000: 16 03 01 00 6b 01 00 00 67 03 03 b2 01 44 9f 6c …k…g…D.l
ssl_tls.c:2914: 0010: 8e 02 84 bb 48 17 4c 09 b7 83 bb e5 f5 e8 94 57 …H.L…W
ssl_tls.c:2914: 0020: d0 f6 c6 36 e9 4b 1c ab d6 d0 d6 00 00 30 c0 9d …6.K…0…
ssl_tls.c:2914: 0030: 00 3d 00 35 c0 a1 c0 9c 00 3c 00 2f c0 a0 00 0a .=.5…<./…
ssl_tls.c:2914: 0040: 00 b7 00 95 00 b6 00 94 00 93 c0 a5 00 af 00 8d …
ssl_tls.c:2914: 0050: c0 a9 c0 a4 00 ae 00 8c c0 a8 00 8b 00 ff 01 00 …
ssl_tls.c:2914: 0060: 00 0e 00 0d 00 0a 00 08 06 01 05 01 04 01 03 01 …
ssl_tls.c:2473: => flush output
ssl_tls.c:2491: message length: 112, out_left: 112
ssl_tls.c:2498: ssl->f_send() returned 112 (-0xffffff90)
ssl_tls.c:2525: <= flush output
ssl_tls.c:2924: <= write record
ssl_cli.c:1088: <= write client hello
ssl_cli.c:3389: client state: 2
ssl_tls.c:2473: => flush output
ssl_tls.c:2485: <= flush output
ssl_cli.c:1481: => parse server hello
ssl_tls.c:3811: => read record
ssl_tls.c:2254: => fetch input
ssl_tls.c:2414: in_left: 0, nb_want: 5
ssl_tls.c:2438: in_left: 0, nb_want: 5
ssl_tls.c:2440: ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
ssl_tls.c:2460: <= fetch input
ssl_tls.c:3554: dumping ‘input record header’ (5 bytes)
ssl_tls.c:3554: 0000: 15 03 03 00 02 …
ssl_tls.c:3560: input record: msgtype = 21, version = [3:3], msglen = 2
ssl_tls.c:2254: => fetch input
ssl_tls.c:2414: in_left: 5, nb_want: 7
ssl_tls.c:2438: in_left: 5, nb_want: 7
ssl_tls.c:2440: ssl->f_recv(_timeout)() returned 2 (-0xfffffffe)
ssl_tls.c:2460: <= fetch input
ssl_tls.c:3739: dumping ‘input record from network’ (7 bytes)
ssl_tls.c:3739: 0000: 15 03 03 00 02 02 28 …(
ssl_tls.c:4101: got an alert message, type: [2:40]
ssl_tls.c:4109: is a fatal alert message (msg 40)
ssl_tls.c:3833: mbedtls_ssl_handle_message_type() returned -30592 (-0x7780)
ssl_cli.c:1488: mbedtls_ssl_read_record() returned -30592 (-0x7780)
ssl_tls.c:6728: <= handshake
failed
! mbedtls_ssl_handshake returned -0x7780

ssl_tls.c:7361: => write close notify
ssl_tls.c:7377: <= write close notify
ssl_tls.c:7519: => free
ssl_tls.c:7584: <= free

What is wrong?

Thank you in advance.


(Ron Eldor) #2

Hi,
You are getting a fatal alert from the server after you send the client hello message.
This is probably because the server does not support any of the offered ciphersuites, or the extensions.

I suggest you first try connecting to your server using the ssl_client2 sample application on your desktop machine, with the default configuration, to find out which ciphersuites are supported and which one is negotiated.
I suggest you read the article https://tls.mbed.org/kb/development/debugging-tls for some tips.
regards,
Mbed TLS Team member
Ron


(Ron Eldor) #3

This post may also assist


(Ron Eldor) #4

This page lists the supported ciphersuites in AWS API gateway.


(Andrea Ravalli) #5

Hi Ron,
thank you for the reply.

MQTT is different from API Gateway.
My ciphersuite (specified in the Mbed TLS config) is compatible with AWS (in theory).
I will try the ssl_client2 example on my PC.

Thanks
Andrea


(Ron Eldor) #6

Hi Andrea,
I have tried using ssl_client2 application, and I have received the same failure.
However, after I encountered this post, I saw that server name indication is required.
I added the parameter server_name=izglhlyv18.execute-api.eu-west-1.amazonaws.com to the sample application and got past this failure (I then received a certificate verification failure, but that is expected since I haven’t set the proper trusted root certificate).

  1. You should verify that MBEDTLS_SSL_SERVER_NAME_INDICATION is defined (which it is, according to your post).
  2. You should add a call to mbedtls_ssl_set_hostname() in your code, with your hostname as the parameter (“izglhlyv18.execute-api.eu-west-1.amazonaws.com” in this example).
    Regards,
    Ron

(Andrea Ravalli) #7

Hi Ron,
IT WORKS!
Your suggestion was right.
Thank you so much, have a great day.
Bye