Error on setting up handshake with Azure IoT hub from physical HSM device.

Studio Team @virifi 0 Reputation points
2025-03-29T09:05:55.06+00:00

We are getting the error 43000070:PKCS#11 module::Mechanism invalid, which indicates a cryptographic mechanism mismatch between the Azure IoT C SDK and your Swissbit HSM.

After checking further, we got to know that the Azure IoT C SDK uses OpenSSL's TLS implementation, which is attempting a handshake with a cryptographic mechanism (e.g., a specific key exchange algorithm or signature scheme) unsupported by your HSM's PKCS#11 module. This often occurs when:

  1. The HSM's PKCS#11 driver lacks support for the TLS cipher suites required by Azure IoT Hub.
  2. The X.509 certificate uses an unsupported key type (e.g., RSA vs. ECC).
  3. The PKCS#11 library configuration is missing required mechanisms.

We have checked the mechanisms supported by the Swissbit HSM and then cross-verified them against the Azure cipher suites.

The ECDSA suites will work if TLS 1.2 is used and only if a selected Azure region is used for the IoT Hub; sadly, our current settings have TLS 1.2, but the region does support these mechanisms. We are only left with TLS 1.0 and the cipher suites supported by Azure, which are TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_256_CBC_SHA. We then configured the Azure SDK to use only the above ciphers, but found that these ciphers are also not supported and require TLS 1.2.

Below is the error in more detail:
Creating IoTHub handle
Sending message 1 to IoTHub
Enter PKCS#11 token PIN for JavaCard isoApplet (User PIN):
Sending message 2 to IoTHub
Sending message 3 to IoTHub
Sending message 4 to IoTHub
Sending message 5 to IoTHub
Error: Time:Wed Mar 26 21:34:23 2025 File:/home/virifi-studio/azure-iot-sdk-c/c-utility/adapters/tlsio_openssl.c Func:send_handshake_bytes Line:734 error:43000070:PKCS#11 module::Mechanism invalid
Error: Time:Wed Mar 26 21:34:23 2025 File:/home/virifi-studio/azure-iot-sdk-c/umqtt/src/mqtt_client.c Func:onOpenComplete Line:452 Error: failure opening connection to endpoint.

Kindly provide insights on resolving it.
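As an added check (not part of the original question, the Azure SDK or the Swissbit software), the script below decodes the OpenSSL error reason from the log above and cross-checks a `pkcs11-tool --list-mechanisms` listing against the TLS 1.2 client signature schemes OpenSSL may ask the token to perform; the mechanism listing is a constructed sample, not output from a real Swissbit device. With any of the suites named above the key exchange runs in OpenSSL itself, so the token is only asked for the client's CertificateVerify signature, which is why the useful question is which signing mechanisms it exposes for the device key's type rather than which cipher suites it "supports".

```python
import re

# CKR_* return codes from PKCS#11 v2.x; libp11 reports the token's CKR value as the
# OpenSSL reason code, so 43000070 -> reason 0x070 -> CKR_MECHANISM_INVALID.
CKR_NAMES = {0x05: "CKR_GENERAL_ERROR", 0x06: "CKR_FUNCTION_FAILED",
             0x70: "CKR_MECHANISM_INVALID", 0x71: "CKR_MECHANISM_PARAM_INVALID",
             0xA0: "CKR_PIN_INCORRECT", 0x101: "CKR_USER_NOT_LOGGED_IN"}

# TLS 1.2 client signature schemes and the token mechanisms (any one) able to produce them.
# Which scheme is used depends on the server's CertificateRequest and what OpenSSL advertises.
SCHEME_MECHS = {
    "rsa_pkcs1_sha256": ("RSA", {"RSA-PKCS", "SHA256-RSA-PKCS"}),
    "rsa_pss_rsae_sha256": ("RSA", {"RSA-PKCS-PSS", "SHA256-RSA-PKCS-PSS"}),
    "ecdsa_secp256r1_sha256": ("EC", {"ECDSA", "ECDSA-SHA256"}),
}

# Constructed sample in the format of `pkcs11-tool --list-mechanisms` (not a real token).
SAMPLE = """\
Supported mechanisms:
  SHA256, digest
  RSA-PKCS, keySize={2048,4096}, hw, decrypt, sign, verify
  SHA256-RSA-PKCS, keySize={2048,4096}, hw, sign, verify
  ECDSA, keySize={256,384}, hw, sign, verify
  AES-CBC, keySize={16,32}, hw, encrypt, decrypt
"""

def decode_openssl_pkcs11_error(code_hex):
    """Map the reason bits of an OpenSSL error code such as 43000070 to its CKR_* name."""
    reason = int(code_hex, 16) & 0xFFF          # ERR_GET_REASON: low 12 bits
    return CKR_NAMES.get(reason, "CKR_0x%X" % reason)

def parse_mechanisms(text):
    """{mechanism: set(flags)} from pkcs11-tool output; keySize={a,b} is dropped first."""
    mechs = {}
    for line in text.splitlines():
        m = re.match(r"^\s+([A-Za-z0-9-]+),\s*(.*)$", line)
        if m:
            rest = re.sub(r"keySize=\{[^}]*\}", "", m.group(2))
            mechs[m.group(1)] = {f.strip() for f in rest.split(",") if f.strip()}
    return mechs

def usable_schemes(mechs, key_type):
    """Schemes a client key of key_type can complete: mechanism present and flagged 'sign'."""
    return [s for s, (kt, opts) in SCHEME_MECHS.items()
            if kt == key_type and any(m in mechs and "sign" in mechs[m] for m in opts)]

if __name__ == "__main__":
    print(decode_openssl_pkcs11_error("43000070"))
    mechs = parse_mechanisms(SAMPLE)
    for kt in ("RSA", "EC"):
        print(kt, "client key can sign with:", usable_schemes(mechs, kt))
```

If the scheme the server selects is missing from the list for your key type (in the sample, an RSA key cannot do rsa_pss_rsae_sha256 because no PSS mechanism is exposed), that is the mismatch behind CKR_MECHANISM_INVALID, and the fix is on the token/driver side or in restricting the client's advertised signature algorithms, not in the cipher suite list.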


1 answer

VSawhney 320 Reputation points Microsoft External Staff
2025-03-31T09:42:11.0266667+00:00

Hello Studio Team @virifi,

It seems you have found out the issue. Please use TLS version 1.2 and supported regions only.
Currently, TLS 1.2 enforcement is supported only in select regions:

• East US
• South Central US
• West US 2
• US Gov Arizona
• US Gov Virginia (Note: TLS 1.0/1.1 support isn't available in this region. TLS 1.2 enforcement must be enabled, or IoT Hub creation will fail).

Please refer to the document: https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-tls-support

Hope this helps. Do let us know if you have any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query, do let us know.

Thank you!

