Description
Describe the feature
Original bug opened on aws-iot-device-sdk-python-v2:
Describe the bug
If you enable the AWS IoT security policy TLS13_1_3_2022_10, which requires one of the following cipher suites:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
Then running the basic_connect sample fails with: awscrt.exceptions.AwsCrtError: AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE: TLS (SSL) negotiation failed.
After doing a packet capture, I noticed the above cipher suites were missing from the Client Hello.
The issue only affects V2 of this SDK. I don't have issues with V1, curl, or any other MQTT library. I was able to replicate this on Windows, Mac, and an Amazon Linux 3 image. If I downgrade to TLS13_1_2_2022_10, it works.
Expected Behavior
Sample basic_connect.py to connect
Current Behavior
Does not connect, TLS (SSL) negotiation failed
Reproduction Steps
- AWS IoT > Connect > Domain configurations
- Select the data-ats endpoint
- Under security policy select TLS13_1_3_2022_10.
- Save
- Install aws python sdk v2: python3 -m pip install awsiotsdk
- Download latest python sdk package with samples: git clone https://github.com/aws/aws-iot-device-sdk-python-v2.git
- Add Iot certs to known location on client
- Run:
    python3 ./aws-iot-device-sdk-python-v2/samples/basic_connect.py \
        --endpoint [endpoint] \
        --cert [path to client cert] \
        --key [path to client key] \
        --ca_file AmazonRootCA1.pem
SDK version used
1.22.0
Environment details (OS name and version, etc.)
macOS Sequoia 15.1.1
Use Case
Use TLS 1.3 on Mac with the aws-iot-device-sdk-python-v2
Proposed Solution
No response
Other Information
No response
Acknowledgements
- I may be able to implement this feature request
- This feature might incur a breaking change
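The reporter diagnosed this by inspecting the Client Hello in a packet capture. The following script is an added example (not part of this issue or of the SDK) that automates that check: it parses the cipher_suites vector out of a raw TLS ClientHello record and reports which of the three TLS 1.3 suites required by TLS13_1_3_2022_10 are absent. The `build_client_hello` helper is an assumption used only to construct a minimal sample record; on a real capture you would pass the bytes of the first handshake record from the client instead.

```python
import struct

# IANA code points for the three TLS 1.3 suites named in the TLS13_1_3_2022_10 policy.
TLS13_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}

def parse_client_hello_ciphers(record: bytes) -> list:
    """Return the cipher-suite code points offered in a TLS ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:      # ContentType.handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:   # HandshakeType.client_hello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                  # skip legacy_version and random
    sid_len = hello[pos]
    pos += 1 + sid_len                            # skip legacy_session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = hello[pos:pos + cs_len]
    if len(suites) != cs_len or cs_len % 2:
        raise ValueError("bad cipher_suites vector")
    return [struct.unpack("!H", suites[i:i + 2])[0] for i in range(0, cs_len, 2)]

def missing_tls13_suites(record: bytes) -> list:
    """Names of the policy's TLS 1.3 suites that the client did not offer."""
    offered = set(parse_client_hello_ciphers(record))
    return [name for cp, name in TLS13_SUITES.items() if cp not in offered]

def build_client_hello(suites: list) -> bytes:
    """Constructed minimal ClientHello (no extensions), used here as sample input."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"    # version, zeroed random, empty session id
             + struct.pack("!H", len(cs)) + cs
             + b"\x01\x00"                         # compression_methods: null only
             + b"\x00\x00")                        # no extensions
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    # A hello offering only TLS 1.2 ECDHE suites, as seen in the failing capture.
    print(missing_tls13_suites(build_client_hello([0xC02F, 0xC030])))
```

An empty list means the client offered all three suites, so a negotiation failure against a TLS13_1_3_2022_10 endpoint would have to come from elsewhere in the handshake.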