From 797e9c8b8406521afa103a1db41a20322d6688ca Mon Sep 17 00:00:00 2001
From: Marty Sweet
Date: Thu, 31 May 2018 10:30:53 +0100
Subject: [PATCH 1/4] Add APLN patch for 443 certificate authentication
---
 AWSIoTPythonSDK/core/protocol/paho/client.py | 27 +++++++++-----
 README.rst | 5 +++
 apln-patch.patch | 38 ++++++++++++++++++++
 3 files changed, 62 insertions(+), 8 deletions(-)
 create mode 100644 apln-patch.patch
diff --git a/AWSIoTPythonSDK/core/protocol/paho/client.py b/AWSIoTPythonSDK/core/protocol/paho/client.py
index 9787984..7d8b38b 100755
--- a/AWSIoTPythonSDK/core/protocol/paho/client.py
+++ b/AWSIoTPythonSDK/core/protocol/paho/client.py
@@ -787,14 +787,25 @@ def reconnect(self):
 self._ssl = SecuredWebSocketCore(rawSSL, self._host, self._port, self._AWSAccessKeyIDCustomConfig, self._AWSSecretAccessKeyCustomConfig, self._AWSSessionTokenCustomConfig) # Overeride the _ssl socket
 # self._ssl.enableDebug()
 else:
- self._ssl = ssl.wrap_socket(
- sock,
- certfile=self._tls_certfile,
- keyfile=self._tls_keyfile,
- ca_certs=self._tls_ca_certs,
- cert_reqs=self._tls_cert_reqs,
- ssl_version=self._tls_version,
- ciphers=self._tls_ciphers)
+ if self._port == 8883:
+ self._ssl = ssl.wrap_socket(
+ sock,
+ certfile=self._tls_certfile,
+ keyfile=self._tls_keyfile,
+ ca_certs=self._tls_ca_certs,
+ cert_reqs=self._tls_cert_reqs,
+ ssl_version=self._tls_version,
+ ciphers=self._tls_ciphers)
+ else:
+ context = ssl.SSLContext(self._tls_version)
+ context.load_cert_chain(self._tls_certfile, self._tls_keyfile)
+ context.verify_mode = self._tls_cert_reqs
+ context.load_verify_locations(self._tls_ca_certs)
+ context.set_alpn_protocols(["x-amzn-mqtt-ca"])
+
+ self._ssl = context.wrap_socket(sock, server_hostname=self._host, do_handshake_on_connect=False)
+
+ self._ssl.do_handshake()
 if self._tls_insecure is False:
 if sys.version_info[0] < 3 or (sys.version_info[0] == 3 and sys.version_info[1] < 5): # No IP host match before 3.5.x
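Review bot: The 443 branch drops the cipher restriction that the 8883 branch still applies through `ciphers=self._tls_ciphers`: the new `SSLContext` is never given that list, so a caller's configured cipher suites are silently ignored on this path; add `if self._tls_ciphers is not None: context.set_ciphers(self._tls_ciphers)` before `context.wrap_socket(...)`. `context.set_alpn_protocols` also fails at call time on Python builds whose OpenSSL has no ALPN support, so checking `ssl.HAS_ALPN` up front and raising with a message naming the port-443 requirement would give a clearer error than a failure in the middle of `reconnect`. The `else` covers every port other than 8883, not only 443, which deserves a comment such as `# Any non-8883 port (443) needs the x-amzn-mqtt-ca ALPN extension`. Note too that the context is created with `verify_mode` only, so hostname verification on this path appears to rely on the `_tls_match_hostname` handling that follows the hunk; `reconnect` starts and ends outside the hunk.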
diff --git a/README.rst b/README.rst
index 0f6d258..ee85370 100755
--- a/README.rst
+++ b/README.rst
@@ -1,6 +1,11 @@
 AWS IoT Device SDK for Python
 =============================
+**WARNING**
+This fork is patched with support for certificate authentication over port 443, as suggested on
+`this Github issue `__.
+
+
 The AWS IoT Device SDK for Python allows developers to write Python script to use their devices to access the AWS IoT platform through `MQTT or MQTT over the WebSocket
diff --git a/apln-patch.patch b/apln-patch.patch
new file mode 100644
index 0000000..c18e43a
--- /dev/null
+++ b/apln-patch.patch
@@ -0,0 +1,38 @@
+--- a/AWSIoTPythonSDK/core/protocol/paho/client.py
++++ b/AWSIoTPythonSDK/core/protocol/paho/client.py
+@@ -787,15 +787,26 @@ class Client(object):
+ self._ssl = SecuredWebSocketCore(rawSSL, self._host, self._port, self._AWSAccessKeyIDCustomConfig, self._AWSSecretAccessKeyCustomConfig, self._AWSSessionTokenCustomConfig) # Overeride the _ssl socket
+ # self._ssl.enableDebug()
+ else:
+- self._ssl = ssl.wrap_socket(
+- sock,
+- certfile=self._tls_certfile,
+- keyfile=self._tls_keyfile,
+- ca_certs=self._tls_ca_certs,
+- cert_reqs=self._tls_cert_reqs,
+- ssl_version=self._tls_version,
+- ciphers=self._tls_ciphers)
+-
++ if self._port == 8883:
++ self._ssl = ssl.wrap_socket(
++ sock,
++ certfile=self._tls_certfile,
++ keyfile=self._tls_keyfile,
++ ca_certs=self._tls_ca_certs,
++ cert_reqs=self._tls_cert_reqs,
++ ssl_version=self._tls_version,
++ ciphers=self._tls_ciphers)
++ else:
++ context = ssl.SSLContext(self._tls_version)
++ context.load_cert_chain(self._tls_certfile, self._tls_keyfile)
++ context.verify_mode = self._tls_cert_reqs
++ context.load_verify_locations(self._tls_ca_certs)
++ context.set_alpn_protocols(["x-amzn-mqtt-ca"])
++
++ self._ssl = context.wrap_socket(sock, server_hostname=self._host, do_handshake_on_connect=False)
++
++ self._ssl.do_handshake()
++
+ if self._tls_insecure is False:
+ if sys.version_info[0] < 3 or (sys.version_info[0] == 3 and sys.version_info[1] < 5): # No IP host match before 3.5.x
+ self._tls_match_hostname()
From 2959013ad50973f8a98bdeb86f491199c3c954bd Mon Sep 17 00:00:00 2001
From: Marty Sweet
Date: Thu, 31 May 2018 10:41:20 +0100
Subject: [PATCH 2/4] Add usage guidance
---
 README.rst | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/README.rst b/README.rst
index ee85370..05bb333 100755
--- a/README.rst
+++ b/README.rst
@@ -1,11 +1,32 @@
 AWS IoT Device SDK for Python
 =============================
+
+Fork
+----
+
 **WARNING**
+
 This fork is patched with support for certificate authentication over port 443, as suggested on
 `this Github issue `__.
+Usage:
+```python
+# Init AWSIoTMQTTClient
+myAWSIoTMQTTClient = None
+myAWSIoTMQTTClient = AWSIoTMQTTClient(clientId)
+myAWSIoTMQTTClient.configureEndpoint(host, 443)
+myAWSIoTMQTTClient.configureCredentials(rootCAPath, privateKeyPath, certificatePath)
+```
+
+Requirements.txt
+`git+git://github.com/martysweet/aws-iot-device-sdk-python.git`
+
+This fork will remain available **until** the offical repository supports the alpn negotiation.
+
+Doc
+---
 The AWS IoT Device SDK for Python allows developers to write Python script to use their devices to access the AWS IoT platform through `MQTT or MQTT over the WebSocket
From f99213c3278577d90640049993cb2ab8e630e4dd Mon Sep 17 00:00:00 2001
From: Marty Sweet
Date: Thu, 31 May 2018 10:44:41 +0100
Subject: [PATCH 3/4] Fix Guidance formatting issues
---
 README.rst | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/README.rst b/README.rst
index 05bb333..cac50c9 100755
--- a/README.rst
+++ b/README.rst
@@ -11,16 +11,20 @@ This fork is patched with support for certificate authentication over port 443,
 `this Github issue `__.
 Usage:
-```python
-# Init AWSIoTMQTTClient
-myAWSIoTMQTTClient = None
-myAWSIoTMQTTClient = AWSIoTMQTTClient(clientId)
-myAWSIoTMQTTClient.configureEndpoint(host, 443)
-myAWSIoTMQTTClient.configureCredentials(rootCAPath, privateKeyPath, certificatePath)
-```
+ .. code-block:: python
+
+ # Init AWSIoTMQTTClient
+ myAWSIoTMQTTClient = None
+ myAWSIoTMQTTClient = AWSIoTMQTTClient(clientId)
+ myAWSIoTMQTTClient.configureEndpoint(host, 443)
+ myAWSIoTMQTTClient.configureCredentials(rootCAPath, privateKeyPath, certificatePath)
+
+
 Requirements.txt
-`git+git://github.com/martysweet/aws-iot-device-sdk-python.git`
+ .. code-block:: python
+
+ git+git://github.com/martysweet/aws-iot-device-sdk-python.git
 This fork will remain available **until** the offical repository supports the alpn negotiation.
From 9436a31a7f537d5e70a8ac408e9eb8bd80522dda Mon Sep 17 00:00:00 2001
From: Marty Sweet
Date: Thu, 31 May 2018 10:48:05 +0100
Subject: [PATCH 4/4] Add Changes link
---
 README.rst | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/README.rst b/README.rst
index cac50c9..9b11311 100755
--- a/README.rst
+++ b/README.rst
@@ -10,6 +10,8 @@ Fork
 This fork is patched with support for certificate authentication over port 443, as suggested on
 `this Github issue `__.
+All changes can be seen using `Comparing changes `__.
+
 Usage:
 .. code-block:: python