[yocto] openssl/Certificate problems when running simple MS IoT Hub sample C application
Jakob Hasse
jakob.hasse at smart-home-technology.ch
Mon Jun 26 12:07:24 PDT 2017
Hello Khem,
thanks for the answer. I'm pretty sure now that it is an ssl problem
(see below).
On 26.06.2017 16:28, Khem Raj wrote:
> On Sun, Jun 25, 2017 at 11:35 PM, Jakob Hasse
> <jakob.hasse at smart-home-technology.ch> wrote:
>> Hello,
>>
>> I'm trying to run the Microsoft Azure IoT hub mqtt example
>> (iothub_client_sample_amqp or similar) of the C SDK on yocto
>> (https://github.com/Azure/azure-iot-sdk-c).
>> On my Ubuntu host machine, everything compiles and works fine, the
>> application connects to the azure server and sends messages.
>> In Yocto, I get errors after compiling the whole SDK with all examples, but
>> the mqtt example is already there, so I assume it's correct. Furthermore, I
>> could compile it using Intel's meta-iot-cloud layer and only taking the
>> example application itself into my own layer.
> I would suggest to fix all compile errors. If you need support please share
> your compile errors here, they might be interesting for people here.
As I said, the application also compiled with the meta-iot-cloud layer
without errors. Anyway, here are the errors when compiling with the SDK:
[ 67%] Building C object
iothub_client/samples/iothub_client_sample_mqtt_dm/CMakeFiles/iothub_client_sample_mqtt_dm.dir/iothub_client_sample_mqtt_dm.c.o
cc1: error: include location "/usr/include/azureiot" is unsafe for
cross-compilation [-Werror=poison-system-directories]
[ 68%] Building C object uamqp/CMakeFiles/uamqp.dir/src/session.c.o
[ 69%] Building C object
iothub_client/samples/iothub_client_sample_mqtt_dm/CMakeFiles/iothub_client_sample_mqtt_dm.dir/pi_device/pi.c.o
cc1: error: include location "/usr/include/azureiot" is unsafe for
cross-compilation [-Werror=poison-system-directories]
cc1: all warnings being treated as errors
iothub_client/samples/iothub_client_sample_mqtt_dm/CMakeFiles/iothub_client_sample_mqtt_dm.dir/build.make:86:
recipe for target
'iothub_client/samples/iothub_client_sample_mqtt_dm/CMakeFiles/iothub_client_sample_mqtt_dm.dir/pi_device/pi.c.o'
failed
make[2]: ***
[iothub_client/samples/iothub_client_sample_mqtt_dm/CMakeFiles/iothub_client_sample_mqtt_dm.dir/pi_device/pi.c.o]
Error 1
make[2]: *** Waiting for unfinished jobs....
Scanning dependencies of target simplesample_http
[ 70%] Building C object
serializer/samples/simplesample_http/CMakeFiles/simplesample_http.dir/simplesample_http.c.o
cc1: all warnings being treated as errors
iothub_client/samples/iothub_client_sample_mqtt_dm/CMakeFiles/iothub_client_sample_mqtt_dm.dir/build.make:62:
recipe for target
'iothub_client/samples/iothub_client_sample_mqtt_dm/CMakeFiles/iothub_client_sample_mqtt_dm.dir/iothub_client_sample_mqtt_dm.c.o'
failed
make[2]: ***
[iothub_client/samples/iothub_client_sample_mqtt_dm/CMakeFiles/iothub_client_sample_mqtt_dm.dir/iothub_client_sample_mqtt_dm.c.o]
Error 1
CMakeFiles/Makefile2:2288: recipe for target
'iothub_client/samples/iothub_client_sample_mqtt_dm/CMakeFiles/iothub_client_sample_mqtt_dm.dir/all'
failed
make[1]: ***
[iothub_client/samples/iothub_client_sample_mqtt_dm/CMakeFiles/iothub_client_sample_mqtt_dm.dir/all]
Error 2
make[1]: *** Waiting for unfinished jobs....
[ 70%] Building C object
serializer/samples/simplesample_http/CMakeFiles/simplesample_http.dir/linux/main.c.o
[ 70%] Building C object
uamqp/CMakeFiles/uamqp.dir/src/socket_listener_berkeley.c.o
[ 71%] Linking C static library libuamqp.a
[ 71%] Built target uamqp
[ 72%] Linking C executable simplesample_http
[ 72%] Built target simplesample_http
Makefile:94: recipe for target 'all' failed
make: *** [all] Error 2
>
>> Now the actual problem:
>> When I run the application on the Yocto system, it establishes a tcp
>> connection to the azure server, but then "stops working", until the azure
>> server sends the tcp fin ack, which the application acknowledges. On TCP
>> dump I can see that packets were dropped by the kernel.
>> The tcp problem seems to occur while the azure server is transmitting the
>> certificate, if I interpret the tcpdump output correctly. But might be just
>> coincidence. I checked the openssl libs requested by the application and
>> they are the same on the Ubuntu host and on the Yocto embedded system.
>>
>> The network is also the same as on the host machine.
>>
>> I would be very happy for ideas about what went wrong here.
> What's the kernel version on working and non-working systems?
Ubuntu host: 4.4.0-81-generic
Yocto: 4.1.38-dey+gce24590
The dropped packages in tcpdump are a tcpdump problem, as I found out...
so nothing to do with the actual problem.
The connection is closed very early by the server, as I saw some
certificate-related strings, it seems to finish right after the
application received the openssl certs.
I can reproduce the behavior on the host machine by renaming the
/etc/ssl/certs/ folder, so I'm pretty sure that it's an openssl problem
(or finding the certs).
When I try to connect with
openssl s_client -showcerts -connect 13.95.15.251:8883
I get the error: Verify return code: 20 (unable to get local issuer
certificate).
When I try to connect with
openssl s_client -showcerts -connect 13.95.15.251:8883 -CAfile /usr/share/ca-certificates/mozilla/Baltimore_CyberTrust_Root.crt
in turn, everything is fine: Verify return code: 0 (ok).
I added the certificate delivered in the azure-iot-c-sdk by Microsoft,
which is in fact the same as Baltimore_CyberTrust_Root.crt.
I have the certificate in following locations:
/etc/ssl/certs/
/usr/share/ca-certificates/
/usr/local/share/ca-certificates/
/usr/lib/ssl/certs // *see below
and ran update-ca-certificates after each add and rebooted. Nothing
changed, the application still doesn't connect properly.
Is there maybe another path that I have missed?
* this directory came out when I put this code into the application:
    const char *dir;
    dir = getenv(X509_get_default_cert_dir_env());
    if (!dir)
        dir = X509_get_default_cert_dir();
    puts(dir);
Best Regards,
Jakob
--
Jakob Hasse
Software Development
E: jakob.hasse at smart-home-technology.ch
T: +41 44 552 02 66
Smart Home Technology GmbH
www.smart-home-technology.ch
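
Added example, not part of the original message or of the Azure SDK: OpenSSL finds a CA in a certificate directory only through entries named `<subject-hash>.<n>`, so this C program resolves the directory with the same precedence as the snippet in the message and counts hash-named entries against plain certificate files. The function names are assumptions, and the fallback path is the directory the message reports, hard-coded so the program builds without OpenSSL headers.

```c
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Directory lookup opens files named <8 lowercase hex digits>.<n>,
 * for example "1a2b3c4d.0" (constructed name). */
int is_hash_name(const char *name)
{
    size_t n = strlen(name);
    return n >= 10 && name[8] == '.' &&
           strspn(name, "0123456789abcdef") == 8 &&
           strspn(name + 9, "0123456789") == n - 9;
}

/* Counts hash-named entries and plain *.crt / *.pem files; -1 if unreadable. */
int scan_cert_dir(const char *dir, int *hashed, int *plain)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    *hashed = *plain = 0;
    if (!d)
        return -1;
    while ((e = readdir(d)) != NULL) {
        const char *ext = strrchr(e->d_name, '.');
        if (is_hash_name(e->d_name))
            (*hashed)++;
        else if (ext && (!strcmp(ext, ".crt") || !strcmp(ext, ".pem")))
            (*plain)++;
    }
    closedir(d);
    return 0;
}

int main(void)
{
    /* SSL_CERT_DIR wins; the fallback is the directory the message reports. */
    const char *dir = getenv("SSL_CERT_DIR");
    int hashed, plain;
    if (!dir)
        dir = "/usr/lib/ssl/certs";
    if (scan_cert_dir(dir, &hashed, &plain) != 0) {
        printf("%s: cannot open\n", dir);
        return 1;
    }
    printf("%s: %d hash-named, %d plain certificate files\n", dir, hashed, plain);
    if (hashed == 0 && plain > 0)
        puts("plain certificates but no hash links: directory lookup cannot find them");
    return 0;
}
```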