TLS Handshake Error on Azure Event Hub

mahe_2162211

Hi,

Can you guys check if you can connect to the Azure Event Hub over a TLS connection? Today all our WICED modules stopped sending data to the hub - very critical issue.

After investigation it seems that the error coming out of ssl_handshake_client_async is 4294966880 = FFFFFE60 = -0x01A0 = TLS_ERROR_X509_CERT_UNKNOWN_SIG_ALG. It seems that Microsoft updated their certificates today.

Azure Event Hub for test:

     host: seltronhomeweu0000stg.servicebus.windows.net

     port: 443

We are using version 2.4.1. and we have also reproduced this issue on 3.1.2.

Thanks,

Matej

0 Likes
7 Replies
mahe_2162211

It seems that the Service Bus team renewed the *.servicebus.windows.net certificate, which resulted in a SHA256 type certificate being issued, which is the Microsoft default for compliance reasons. The previous certificate was a SHA1 certificate.

Assistance on this issue will be greatly appreciated.

Regards,

Matej

0 Likes
Anonymous

Just a comment on this.  I am experiencing what I think is a similar issue.  I (with WICED 2.4.1) am able to initialize both root ca and client certificates that are signed with the SHA1 algorithm, but none signed with SHA256.

I am wondering if this is a bug or if SHA256 is just not supported and if SHA256 is not supported by besl, are there plans to add support for it now that SHA1 is being deemed as insecure?

Jake

0 Likes
AnSa_1225656

Any success solving this?

0 Likes

Unfortunately not, very disappointed with how Broadcom is addressing customer issues.

0 Likes

It's very strange, I have had good response on some issues from Broadcom, but other items seem to not get any response at all.  Very hit or miss.  The other users have been very helpful.  Unfortunately, this issue is killing us here and I am going to have to search for workarounds.  If you run across anything, let me know.  I'll do likewise.

0 Likes

I wish you the very best. We have given up for now regarding this issue. If anything comes up, I will let you know.

0 Likes
Anonymous

Hi, I would like to respond on security related threads.

I am sorry you ran into problems and apologize for slow response.  We can and will do better.

By way of background, we are the OEM supplier of the uSSL SDK included in WICED SDK.

The Broadcom WICED team adapted uSSL into WICED, including modifications adding it to the platform framework. 

They call the shots on what goes into WICED, including new features and bugfixes, and we don't have any direct control over it.

However, at Cypherbridge our mission is to deliver the best possible leading edge solutions for embedded IoT security and connectivity.  We do offer an option for WICED customers to work with us directly for support and upgrades, including customized builds. To get the latest and greatest features and direct technical support, please contact us on our WICED support page, include your company contact information, and we can take it from there.

www.cypherbridge.com/WICED.html

Best Regards,

Steve DeLaney

President

Cypherbridge Systems

0 Likes