AWS IoT + WSS connection attempt results in "Bad handshake" after upgrade from 1.2.0 to 1.3.1

[Brbb]

Hi,

I'm trying to connect AWS IoT through a wss URL created via v4.NewSigner which will result in something like `wss:///X-Amz-Token

wss://<URL>/mqtt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=<credentials>&X-Amz-Date=20210125T115032Z&X-Amz-Expires=0&X-Amz-SignedHeaders=host&X-Amz-Signature=<signature>&X-Amz-Security-Token=<token>

This worked well all the way to v1.2.0 but then it stopped working with a simple "bad handshake". I've read there might be some issue for the buffered/unbuffered related changes but I'm not sure is related to my issue.

The code I have is super simple:

func NewClientWithConfig(awsSession *session.Session, logger *logger.Logger, clientOpts *pahoMqtt.ClientOptions) (*Client, error) {
	clientOpts.SetClientID(fmt.Sprintf("notifier-%v", time.Now().UnixNano())).
		SetMaxReconnectInterval(1 * time.Second).
		SetAutoReconnect(true).
		SetDefaultPublishHandler(func(client pahoMqtt.Client, msg pahoMqtt.Message) {
			logger.Println(msg)
		}).
		SetConnectionLostHandler(func(client pahoMqtt.Client, reason error) {
			logger.Fatalln("connection lost:", reason.Error())
		})

	wssURL, err := aws.SignedURL(awsSession)
	if err != nil {
		return nil, fmt.Errorf("error generating signed URL: %s", err.Error())
	}
	clientOpts.AddBroker(wssURL)
	clientOpts.SetOnConnectHandler(func(pahoMqtt.Client) {
                // printed up to 1.2.0, then never reached from 1.3.0
		logger.Println("connected")
	})

	return &Client{
		logger: logger,
		client: pahoMqtt.NewClient(clientOpts),
	}, nil
}

I start it like this and it never arrives to the for topic part

// Start establishes the connection with the MQTT broker and subscribe to all the configured topics
func (c *Client) Start() error {
	if token := c.client.Connect(); token.Wait() && token.Error() != nil {
		return token.Error()
	}
	for topic, th := range c.topicHandlers {
		if token := c.client.Subscribe(topic, th.Qos, th.Handler); token.Wait() && token.Error() != nil {
			return token.Error()
		}
	}

	return nil
}

I'm now wondering if the Signed URL is creating issues for some reasons (everything is up and reachable, I can pub/sub to topics in my previous version of the code).

Edit:
I tried with an online test websocket at ws://broker.emqx.io:8083/mqtt and I can connect. I start thinking the wss presigned URL might have some issues with the updated library.

[MattBrittan]

I suspect this is a duplicate of #469. Can you please take a quick look and let me know if you agree. If so I will proceed with the fix I suggested on that issue (had been waiting on comments).

[Brbb]

I suspect this is a duplicate of #469. Can you please take a quick look and let me know if you agree. If so I will proceed with the fix I suggested on that issue (had been waiting on comments).

Hi Matt, it seems a duplicate I agree (sorry, the search didn't help). I also see rolling back might make the ipv6 unusable. Not sure if a flag or separate function or input sanitizer can help keeping both features.

Thanks for checking!

[MattBrittan]

I also see rolling back might make the ipv6 unusable. Not sure if a flag or separate function or input sanitizer can help keeping both features.

I don't think so - IPv6 will work fine without the change (it's just up to the user to pass in an IPv6 address that complies with the RFC). I have added a comment to the pull request (#319 ) so that it's author is aware of the issue. If I don't hear anything in a couple of days I will reverse the change because it has the potential to impact quite a few users (whereas I suspect that the number of users needing IPv6 with zone indication is quite low and there is an easy work around).

[Brbb]

Nice, thanks!

[MattBrittan]

Please try @master and let me know if this resolves the issues.

[Brbb]

It works! Nice.
Is there any plan to release this soon? It would be very helpful.

[MattBrittan]

Will wait a week or so (just in case any issues come up) then make a release. I'm aiming to make small, frequent releases to avoid a repeat of the 18 month delay between 1.2 and 1.3.

[austin-millan]

Downgrading to v1.2.0 from v1.3.1 seems to resolve a TLS handshake issue I was facing with secure websockets.

[MattBrittan]

@austin-millan please provide more information (ideally on a new issue) if you want this looked into. At this point this particular issue is fixed (in @master), as per the comment from @Brbb above, and will be closed once a new release is out (which I am just about to do).

[MattBrittan]

I have released v1.3.2 which includes this fix. Will close this issue as you already stated that the fix works (please feel free to re-open if any issues arise).