Amazon Web Services IOT MQTT and TLS Certificates and MQTT : Can not connect :(

I am trying to connect HASS to my AWS IoT Account. I have been able to build Alexa apps which connect no problem and I can control my Rpi through my Alexa and node-red via MQTT. Any help would be great. HASS looks awesome and I would love to use it without having to create a separate MQTT broker to run my web app vs Alexa.

I am running the most recent version of everything as of January 17th:
Hass = 0.36

Here is a pip3 freeze:
iohttp==1.2.0
async-timeout==1.1.0
AWSIoTPythonSDK==1.1.1
chardet==2.3.0
codebug-i2c-tether==0.2.3
codebug-tether==0.7.0
colorama==0.3.2
Flask==0.10.1
gpiozero==1.3.1
homeassistant==0.36.1
html5lib==0.999
itsdangerous==0.24
Jinja2==2.9.4
MarkupSafe==0.23
mcpi==0.1.1
multidict==2.1.4
numpy==1.8.2
paho-mqtt==1.2
pgzero==1.1
picamera==1.12
picraft==0.6
pifacecommon==4.2.1
pifacedigitalio==3.1.0
pigpio==1.30
Pillow==2.6.1
pygame==1.9.2a0
pygobject==3.14.0
pyinotify==0.9.4
pyOpenSSL==0.13.1
pyserial==2.6
python-apt==0.9.3.12
python-debian==0.1.27
pytz==2016.10
PyYAML==3.12
requests==2.12.4
RPi.GPIO==0.6.3
RTIMULib==7.2.1
sense-emu==1.0
sense-hat==2.2.0
six==1.8.0
smbus==1.1
spidev==3.0
twython==3.1.2
typing==3.5.3.0
urllib3==1.9.1
voluptuous==0.9.3
Werkzeug==0.9.6
yarl==0.8.1

This is my MQTT Setup in my YAML file:

mqtt:
  broker: xxxxxxxxxxxxxr.iot.us-east-1.amazonaws.com
  port: 8883
  client_id: RBP31
  certificate: /home/pi/certs/root-CA.crt
  client_key: /home/pi/certs/RBP31.private.key
  client_cert: /home/pi/certs/RBP31.cert.pem
  protocol: 3.1.1

This is the error Log:
17-01-16 22:58:15 homeassistant.components.mqtt: Can't connect to the broker. Please check your settings and the broker itself
Traceback (most recent call last):
  File "/usr/local/lib/python3.4/dist-packages/homeassistant/components/mqtt/__init__.py", line 261, in setup
    birth_message)
  File "/usr/local/lib/python3.4/dist-packages/homeassistant/components/mqtt/__init__.py", line 350, in __init__
    self._mqttc.connect(broker, port, keepalive)
  File "/home/pi/.homeassistant/deps/paho/mqtt/client.py", line 686, in connect
    return self.reconnect()
  File "/home/pi/.homeassistant/deps/paho/mqtt/client.py", line 821, in reconnect
    ciphers=self._tls_ciphers)
  File "/usr/lib/python3.4/ssl.py", line 887, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib/python3.4/ssl.py", line 577, in __init__
    self.do_handshake()
  File "/usr/lib/python3.4/ssl.py", line 804, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:600)
17-01-16 22:58:15 homeassistant.bootstrap: component mqtt failed to initialize
17-01-16 22:58:17 homeassistant.components.recorder: Ended unfinished session (id=39 from 2017-01-15 01:11:44.692367)
17-01-16 22:58:17 homeassistant.components.recorder: Found unfinished sessions

I wonder if this is related to the SSL version. In the AWS documentation they say this:

Minimum Requirements

Python 2.7+ or Python 3.3+

OpenSSL version 1.0.1+ (TLS version 1.2) compiled with the Python executable for X.509 certificate-based mutual authentication

To check your version of OpenSSL, use the following command in a Python interpreter:

import ssl
ssl.OPENSSL_VERSION

I am facing the same issue too. I checked the Python version and the OpenSSL version. I can connect through MQTT using a paho client on my Pi, but I get the error when I try to connect using HASS.

I have been playing with this, and dug around the source code for: https://github.com/home-assistant/home-assistant/blob/dev/homeassistant/components/mqtt/init.py

Adding these optional parameters removed the error from the logs. I haven't really tested it yet, though.

  tls_version: '1.2'
  tls_insecure: false
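
An offline check of what a Python client will offer when configured like the `tls_version: '1.2'` / `tls_insecure: false` settings in the post above. This is an added example, not code from the thread, Home Assistant or paho. The function names and the host name `broker.example.invalid` are assumptions, and it needs Python 3.7+ rather than the 3.4 seen in the traceback.

```python
import ssl

def strict_client_context(ca_file=None, cert_file=None, key_file=None):
    """Client context: TLS 1.2 minimum, server cert and host name verified."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # never fall back to TLS 1.0/1.1
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # e.g. the broker's root CA file
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)   # client cert + key for mutual auth
    return ctx

def offered_version(ctx, host="broker.example.invalid"):
    """Return (major, minor) from the ClientHello, using no network I/O."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=host)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello is written, no server reply is available
    hello = outgoing.read()
    # 5-byte record header, 4-byte handshake header, then client_version
    if len(hello) < 11 or hello[0] != 0x16 or hello[5] != 0x01:
        raise ValueError("no ClientHello produced")
    return hello[9], hello[10]

def preflight():
    """List reasons this interpreter cannot do TLS 1.2 mutual authentication."""
    problems = []
    if ssl.OPENSSL_VERSION_INFO < (1, 0, 1):
        problems.append("OpenSSL older than 1.0.1: " + ssl.OPENSSL_VERSION)
    if not ssl.HAS_TLSv1_2:
        problems.append("ssl module built without TLS 1.2")
    return problems

if __name__ == "__main__":
    ctx = strict_client_context()  # pass the three file paths to load real certs
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    print("preflight problems:", preflight() or "none")
    # (3, 3) is the TLS 1.2 wire version; TLS 1.3 is offered via an extension
    print("ClientHello version:", offered_version(ctx))
```

A client that offers less than (3, 3) is one that a TLS 1.2-only broker will refuse during the handshake.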

Did anyone get this working?

I’m also interested in getting similar working… any luck?