AWS IoT Just-in-Time Registration of Certificate in Android

0 votes

So, I'm attempting to integrate the JITR using this article.

So, I've been able to get through to authenticate the certificate using the command-line 'mosquitto_pub'.

When I try to run 'mosquitto_pub' command, it calls the lambda function to authorize it & attaches the policy. It, then, publishes the message to IoT successfully.

This is the command I've used.

mosquitto_pub --cafile ../root.cert --cert hassanAndCACert.crt --key hassan.key -h <###>.iot.us-east-1.amazonaws.com
-p 8883 -q 1 -t  topic5 -i  123456789 --tls-version tlsv1.2 -m '{"hello":"3"}' -d

But when I try to authenticate this in android SDK I am getting 'handshake' fail error, like so.

MqttException (0) - javax.net.ssl.SSLHandshakeException: Handshake failedat org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:38)at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:664)at java.lang.Thread.run(Thread.java:818)Caused by: javax.net.ssl.SSLHandshakeException: Handshake failedat com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:441)at org.eclipse.paho.client.mqttv3.internal.SSLNetworkModule.start(SSLNetworkModule.java:93)at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:650) ... 1 moreCaused by: javax.net.ssl.SSLProtocolException: SSL handshake terminated: ssl=0xb91e9b40: Failure in SSL library, usually a protocol errorerror:100c5416:SSL routines:ssl3_read_bytes:SSLV3_ALERT_CERTIFICATE_UNKNOWN (external/boringssl/src/ssl/s3_pkt.c:972 0xb9215530:0x00000001)at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:353)

I've noticed, however, if the device-certificate is already active when we try to publish message through Android, it gets published without errors. The only problem is to authenticate the certificate at first call.

The only difference that I see between mosquitto call and the android-code is that PAHO-MQTT in AWS SDK needs to connect first before publishing, while the mosquitto is making a single command to connect and publish the message.

Dec 26, 2018 in IoT (Internet of Things) by Shubham
 • 13,490 points 1,540 views

1 answer to this question.

0 votes

So, the SSL/TLS Handshake can fail due to a bunch of different reasons, like so.

  • Not sharing same cipher suites
  • Not sharing SSL versions
  • Certificate validation
  • Intent to change TLS version
  • Others issues

The approach I would suggest for you to figure out the problem is to install Wireshark and see the handshake messages. 

After which you can have more information on the SSL handshake failure based on the SSL alert message sent from server to client, and more importantly, where specifically it happened.

You could try the following:

  •  Received fatal alert: handshake_failure through SSLHandshakeException
  • Try to upgrade the key-store for your Android App
answered Dec 26, 2018 by Upasana
 • 8,620 points

Related Questions In IoT (Internet of Things)

0 votes
0 answers

Understanding IoT Rules of DynamoDB and Lambda in AWS

I am currently going through the "Quick ...READ MORE

Sep 27, 2018 in IoT (Internet of Things) by Matt
 • 2,270 points 1,069 views
0 votes
1 answer

Display time in a Windows Core IoT app with a clock!

It is possible, but you should understand ...READ MORE

answered Jul 10, 2018 in IoT (Internet of Things) by nirvana
 • 3,130 points 1,554 views
0 votes
1 answer

AWS IoT login from android MQTT client using IAM is not working

Seeing your comments and questions. I had ...READ MORE

answered Jul 24, 2018 in IoT (Internet of Things) by anonymous2
 • 4,240 points 2,347 views
0 votes
1 answer

AWS IoT - Access shadow through .Net, REST, with certificate

If you want to publish and/or subscribe ...READ MORE

answered Jul 25, 2018 in IoT (Internet of Things) by anonymous2
 • 4,240 points 2,029 views
0 votes
1 answer

MQTT pubish is slow to send with ESP8266 & NodeMCU

I think you're almost correct and on ...READ MORE

answered Aug 1, 2018 in IoT (Internet of Things) by nirvana
 • 3,130 points 3,266 views
0 votes
1 answer

Where is published message stored by mosquitto broker if offline?

Well, of course, they are stored! That ...READ MORE

answered Aug 10, 2018 in IoT (Internet of Things) by nirvana
 • 3,130 points 3,790 views
0 votes
1 answer

Need to enclose MQTTCLient Instance in try catch block

The instance doesn't need to be surrounded by try/catch, but ...READ MORE

answered Aug 21, 2018 in IoT (Internet of Things) by anonymous2
 • 4,240 points 1,249 views
0 votes
1 answer

How do I compare MQTT and TCP packets ?

It depends on the higher-level protocols (above ...READ MORE

answered Aug 27, 2018 in IoT (Internet of Things) by anonymous2
 • 4,240 points 1,248 views
0 votes
1 answer

Possibility of on-premise installation Microsoft “Azure IoT Suite” in VPN

I think Microsoft already has a windows server 2016 allowing ...READ MORE

answered Jan 23, 2019 in IoT (Internet of Things) by Upasana
 • 8,620 points 889 views
0 votes
1 answer

What is the time taken by a 200 byte message for transmission in a beacon-enabled network?

Now, data rates of IEEE 802.15.4 are ...READ MORE

answered Aug 24, 2018 in IoT (Internet of Things) by Upasana
 • 8,620 points 888 views
webinar REGISTER FOR FREE WEBINAR X
REGISTER NOW
webinar_success Thank you for registering Join Edureka Meetup community for 100+ Free Webinars each month JOIN MEETUP GROUP
"PMP®","PMI®", "PMI-ACP®" and "PMBOK®" are registered marks of the Project Management Institute, Inc. MongoDB®, Mongo and the leaf logo are the registered trademarks of MongoDB, Inc.