WARNINGS in device advisor test suite in aws iot core #779
Comments
The SDK offers very limited control over cipher suite selection: https://github.com/awslabs/aws-crt-cpp/blob/main/include/aws/crt/io/TlsOptions.h#L181-L185
The enum used is defined here: https://github.com/awslabs/aws-c-io/blob/main/include/aws/io/tls_channel_handler.h#L29-L50
Ultimately you're limited to the default cipher suite set, or special sets that prioritize post-quantum-resistant algorithms. Assuming you're using the default and on Linux, it is mapped to the name of an s2n cipher suite set based on the minimum TLS version property here: https://github.com/awslabs/aws-c-io/blob/main/source/s2n/s2n_tls_channel_handler.c#L1513-L1532
And those names map to the actual cipher suite set here:
Assuming what you're seeing is an unsupported cipher suite warning from https://docs.aws.amazon.com/iot/latest/developerguide/device-advisor-tests-tls.html#cipher-suites
You cannot infer anything about the security of a cipher suite based on the fact that IoT Core does not support it. If you see an instance where a known-insecure cipher suite is being offered (relative to the TLS level), then I would create an issue on s2n to have them investigate or provide guidance.
I have tried the below as well but am still getting warnings, changed from  to 
Please help, how do we fix it?
Note:
```
ubuntu@HYD1WTL066:~$ openssl s_client -connect a1lw1yfo1w9gkm-ats.iot.eu-north-1.amazonaws.com:443 -servername a1lw1yfo1w9gkm-ats.iot.eu-north-1.amazonaws.com | grep "Cipher"
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
```
If your endpoint has been configured with the TLS1.3 only policy (https://docs.aws.amazon.com/iot/latest/developerguide/transport-security.html#tls-policy-table) then setting the minimum TLS level on the client to 1.3 should make the warning go away, as the cipher suite set in s2n will be an exact match for the three supported by IoT Core. Beyond that, everything I said previously still stands. No evidence has been presented that there is anything to "fix". It would be nice if device advisor only issued warnings on known-insecure suites and not "I don't support that", avoiding issues like this one.
Thank you for the support.
as you mentioned, but no luck.
Describe the bug
I am able to run the device advisor test suite with the pub-sub test case and it is passing with warnings.
Regarding the FOUND_UNSUPPORTED_CIPHER_SUITE warning:
How do we change the cipher suites, and where do we change them?
Please provide the required steps to resolve the warning.
I tried the steps below on Ubuntu:
1) In the files /etc/apache2/sites-enabled/000-default.conf and /etc/apache2/mods-available/ssl.conf I added:
```apache
SSLProtocol -all +TLSv1.3
```
and,
2) In the file /etc/ssl/openssl.cnf I added:
```ini
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.3
#CipherString = DEFAULT:@SECLEVEL=2
CipherString = ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
Ciphersuites = TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
```
but no luck.
Is this correct, or is anything missing?
Expected Behavior
Should pass without warnings.
Current Behavior
Passing with warnings.
Reproduction Steps
Run the pub-sub test case for the device advisor test suite.
Possible Solution
No response
Additional Information/Context
No response
SDK version used
v2
Environment details (OS name and version, etc.)
Ubuntu
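An added example, not from this issue, the SDK or AWS: a POSIX shell check that takes a client's configured cipher list (here the CipherString and Ciphersuites values from the openssl.cnf above, used as sample input) and reports the suites IoT Core does not accept, which is what the FOUND_UNSUPPORTED_CIPHER_SUITE warning is about, as the maintainer explains. The IOT_CORE_SUITES list is an assumption, abbreviated from the cipher-suite documentation linked in the thread; complete it from that page before relying on the result.

```shell
# Added example, not from the issue or the SDK: report which suites in a client's
# cipher list AWS IoT Core does not accept. Device Advisor warns about
# offered-but-unsupported suites, not about weak ones, so this is the list to
# compare against.

# ASSUMPTION: abbreviated from the Device Advisor / transport-security docs linked
# in the thread; complete it from there. IoT Core lists no DHE suites and exactly
# these three TLS 1.3 suites.
IOT_CORE_SUITES="
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
"

# is_supported SUITE: exit 0 if IoT Core lists the suite, 1 otherwise.
is_supported() {
    for s in $IOT_CORE_SUITES; do
        [ "$s" = "$1" ] && return 0
    done
    return 1
}

# unsupported_suites 'A:B:C': print every offered suite IoT Core does not accept,
# one per line; exit 0 when the list is clean, 1 when at least one would warn.
unsupported_suites() {
    rc=0
    for suite in $(printf '%s' "$1" | tr ':' ' '); do
        if ! is_supported "$suite"; then
            echo "$suite"
            rc=1
        fi
    done
    return $rc
}

# Sample input (the reporter's openssl.cnf values above): TLS 1.2 CipherString and
# TLS 1.3 Ciphersuites. The DHE suite is the one that would trigger the warning.
TLS12_LIST="ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"
TLS13_LIST="TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256"

echo "TLS 1.2 list, unsupported suites:"
unsupported_suites "$TLS12_LIST" || echo "(warning expected)"
echo "TLS 1.3 list, unsupported suites:"
unsupported_suites "$TLS13_LIST" && echo "(none; matches a TLS 1.3-only client)"
```

To check a running client rather than a config file, feed it the suite names your device actually offers; `openssl s_client` alone only shows the single negotiated suite, not the full list sent in the ClientHello that Device Advisor inspects.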