Re: [paho-dev] Question AWS IoT TLS V1.2

Hi Reiko,

You are correct, SSLv3 is not the same as TLSv1.2.  I can speak to why we chose this particular parameter and then maybe someone more intimate with the Paho Python client can add to this or provide correction if necessary.

The AWS IoT service only supports TLSv1.2 for mutual-auth MQTT connections.  In the case of deciding the TLS version between the client and the server, the SSL/TLS protocols allow the client to suggest a desired protocol but in the end the server decides the version.  In short, a client can ask for a lesser version but the service will negotiate to only allow TLSv1.2.

So why the SSLv23 parameter?  TLSv1.2 is not included as an option in Python 2.7.3 and earlier.  This would mean that setting the ssl_version parameter to TLSv1.2 in our runtime would prevent this code from running in those versions of Python.  However, if we choose to use the SSLv23 parameter (and also upgrade the OpenSSL version during our setup script) we allow the code to run on Python 2.7.3 and still establish (through negotiation) a TLSv1.2 connection.  Any comments on this strategy are more than welcome.

As for the second part of your request, I'm not 100% sure of the question being asked.  From the Arduino perspective we chose to support the Yún because it was the best choice to support both the Arduino programming environment and an ability to establish a TLS connection.  We'd be happy to discuss other Arduino devices or SDKs which would support these two goals.  For non-Arduino devices we also have an embedded C SDK and a JavaScript (Node.JS) SDK.

FYI – I want to respect this list when talking about specific companies and services.  If you have questions which are specific to the AWS IoT service it may be best to bring them to the AWS forum (https://forums.aws.amazon.com/forum.jspa?forumID=210).

Best regards,

John
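
The negotiation described in the message above, as an added example that is not part of the original e-mail or of the AWS SDK: it builds a version-negotiating client context with a client-side TLS 1.2 floor and parses the ClientHello it would send, so the offered versions can be checked without contacting any server. The host name `broker.example.invalid` and the function names are assumptions made for the illustration.

```python
import ssl

NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
         0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def client_context(floor=ssl.TLSVersion.TLSv1_2):
    """Version-negotiating client context with a client-side minimum."""
    # PROTOCOL_TLS_CLIENT negotiates like the older PROTOCOL_SSLv23 and
    # also turns on CERT_REQUIRED and hostname checking.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = floor
    return ctx

def offered_versions(ctx, server_name="broker.example.invalid"):
    """Versions offered in the ClientHello; built in memory, no network I/O."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello is written, no server reply yet
    hello = outgoing.read()
    if len(hello) < 44 or hello[0] != 0x16 or hello[5] != 0x01:
        raise ValueError("no ClientHello produced")
    u16 = lambda i: int.from_bytes(hello[i:i + 2], "big")
    legacy = u16(9)                  # legacy client_version field
    pos = 11 + 32                    # skip the 32-byte random
    pos += 1 + hello[pos]            # session id
    pos += 2 + u16(pos)              # cipher suites
    pos += 1 + hello[pos]            # compression methods
    end = pos + 2 + u16(pos)         # end of the extensions block
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = u16(pos), u16(pos + 2)
        if ext_type == 43:           # supported_versions
            count = hello[pos + 4]
            return [u16(pos + 5 + i) for i in range(0, count, 2)]
        pos += 4 + ext_len
    return [legacy]                  # extension absent: client maximum only

if __name__ == "__main__":
    versions = offered_versions(client_context())
    print([NAMES.get(v, hex(v)) for v in versions])
```

With the floor set on the client, the connection does not depend on the server alone to refuse versions below TLSv1.2.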


From: <paho-dev-bounces@xxxxxxxxxxx> on behalf of Reiko Nötzold <reiko.noetzold@xxxxxxxxx>
Reply-To: 'General development discussions for paho project' <paho-dev@xxxxxxxxxxx>
Date: Monday, November 30, 2015 at 12:52 PM
To: 'General development discussions for paho project' <paho-dev@xxxxxxxxxxx>
Subject: Re: [paho-dev] Question AWS IoT TLS V1.2

Hello John,

I found the error in my paho script

I try with “client.tls_set(awsCert, deviceCertificate, devicePrivateKey, ssl.CERT_REQUIRED, ssl.PROTOCOL_TLSv1_2)”

only Python >2.7.8

but your implementation is “client.tls_set(awsCert, deviceCertificate, devicePrivateKey, ssl.CERT_REQUIRED, ssl.PROTOCOL_SSLv23)”

for Python 2.7.3

I do not understand very well the security implementation. SSLv2 or SSLv3 is not the same as TLSv1.2

TLSv1.2 is not yet condition for AWS IoT?

And another question and remark.

Some time ago I tested the Arduino C++ Paho Implementation. It's running good but after seven days or two, (was very different) the Arduino stopped to send MQTT Messages.

Then I had a discussion with Ian Craggs. Ian saw it's a memory overflow.

Many strings the change for the MQTT Messages in a small Embedded Device and Memory is not the solution for a long time.

What's the reason that Amazon build of the complete Paho C++ Implementation than communication to serial?

There are already test for a long time with this implementation?

Best Regards

Reiko

 

 

From: paho-dev-bounces@xxxxxxxxxxx [mailto:paho-dev-bounces@xxxxxxxxxxx] On behalf of Rotach, John
Sent: Monday, 30 November 2015 05:34
To: paho-dev@xxxxxxxxxxx
Subject: Re: [paho-dev] Question AWS IoT TLS V1.2

 

Hello Reiko,

 

Glad to hear you're trying out AWS IoT with the Yún.  I encourage you to check out the AWS supported Yún SDK here:

 

 

It is the goal of this SDK to allow developers to target AWS IoT using the Arduino IDE and do minimal setup on the AR9331 processor / OpenWRT OS.  To accomplish this the SDK creates a python process on the linux processor which uses the Paho python MQTT client and communicates with the user's Arduino sketch using the serial bridge.  Documentation in the repo above gives a good description of this architecture.  One of the packages installed by the setup script is python-openssl which enables the TLS connection to the service.  This SDK also includes the source for the python runtime so you could take a look at that if you'd like to connect using your own python program on the AR9331.

 

Best regards,

 

John

SDE, AWS IoT

 

From: <paho-dev-bounces@xxxxxxxxxxx> on behalf of Reiko Nötzold <reiko.noetzold@xxxxxxxxx>
Reply-To: "paho-dev@xxxxxxxxxxx" <paho-dev@xxxxxxxxxxx>
Date: Sunday, November 29, 2015 at 11:00 AM
To: "paho-dev@xxxxxxxxxxx" <paho-dev@xxxxxxxxxxx>
Subject: [paho-dev] Question AWS IoT TLS V1.2

 

A question to Amazon AWS IoT Paho Implementation.

AWS IoT needs TLS V1.2.

But what is the difference to Arduino YUN Implementation in C++ and the other way in Python?

At YUN runs only Python 2.7.3 without TLS V1.2 support. :-(

With Python 3.5 and "import paho.mqtt.client as mqtt" I can connect and subscribe to AWS IoT.

What's the trick and other side of “AWS IoT Arduino YUN Paho C++ Implementation” that could connect with TLS V1.2?

Reiko

