TLS-SNI (Server Name Indication, RFC 6066) is a TLS extension that lets a client name the server hostname it is trying to reach, inside the ClientHello at the very start of the handshake. Because the name arrives before the server has chosen a certificate, servers hosting multiple SSL/TLS-enabled websites or web services on the same IP address rely on it to pick the matching certificate; a client that sends no SNI gets whatever default certificate the server is configured with. The hostname travels in cleartext (unless Encrypted Client Hello is in use), so anyone who can see the handshake can read it, which is exactly what makes the check below possible.
To determine whether your IoT device sends TLS-SNI, you can stand up a TLS server locally and inspect the TLS handshake between the device and that server.
📘 Instructions
If your IoT device is on the local network, you can simply run the server on a machine in that network and capture the client-server traffic there, either from the server's own trace output or with a network packet analyzer. If the device is not on the local WiFi network and has to reach the server over the internet, you need to expose the TLS port to the internet; the steps below use ngrok for that.
...
Ngrok will provide a public URL (like tcp://0666.tcp.ngrok.io:XXXXX) that forwards to your local machine's port 8883.
Note: Each time ngrok starts it provides a different URL and port. In this article, 0666.tcp.ngrok.io:XXXXX stands for that value. Use your own ngrok hostname and port in place of the hostname and port wherever they appear below, including when configuring your IoT device or client.
...
Generate a self-signed server certificate (replace 0666.tcp.ngrok.io with your domain):

    openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt -subj "/CN=0666.tcp.ngrok.io"

This generates a self-signed server certificate (server.crt) and an unencrypted private key (server.key) valid for 365 days. The -subj "/CN=0666.tcp.ngrok.io" option sets the certificate's Common Name (CN) to 0666.tcp.ngrok.io; replace it with the hostname your device will be configured to connect to.
Prefer a hostname over an IP address here. RFC 6066 forbids IP literals in the SNI host_name, so a device configured to connect by IP address will not send SNI even if it supports it, and the test would tell you nothing. Also, many TLS clients verify the hostname against the certificate's subjectAltName only and ignore the CN; if your device rejects the certificate for that reason, add a SAN with -addext "subjectAltName=DNS:0666.tcp.ngrok.io" (OpenSSL 1.1.1 or later). For the SNI check itself this does not matter: the ClientHello, and the SNI in it, reaches the server before the device ever sees the certificate, so the trace shows it even when the handshake later fails.
...
Starting SSL server
Start the OpenSSL test server (openssl s_server) with the certificate and key generated above:
...
This starts the OpenSSL TLS test server. The options:
-port 8883: the port number the server listens on (8883 is the registered port for MQTT over TLS).
-4: IPv4 only.
-unlink: unlink the socket file before binding; this only has an effect together with -unix and is harmless here.
-cert server.crt: the server certificate to present.
-key server.key: the private key matching that certificate.
-trace: print a decoded trace of every protocol message, including the full ClientHello with its extension list, which is where SNI shows up. This option only exists in OpenSSL builds compiled with enable-ssl-trace; if your build rejects it, capture the handshake with a packet analyzer instead.
Testing with IoT device
Uploading the Server Certificate to the IoT Device
Ensure the server certificate (server.crt) is uploaded to your IoT device and configured as the trusted certificate for the TLS connection test.
Then test the device's connection to hostname 0666.tcp.ngrok.io, port XXXXX. Configure the device with the hostname, not the tunnel's IP address, or a conforming TLS client will send no SNI at all.
Testing with MQTT-CLI
...
    mqtt publish --topic Test --message Hello --host 0666.tcp.ngrok.io --port XXXXX --cafile server.crt --debug

This publishes a single message over TLS, trusting the self-signed server.crt via --cafile, and doubles as a reference client: run it first to confirm that the server's trace output shows a ClientHello and how its extension list is printed, then repeat the observation with the device itself.
Analyzing
...
TLS handshake
Connect your IoT device or client to the TLS server and watch the output of the OpenSSL server. Find the ClientHello in the trace: it is the first message of the handshake and carries a list of extensions. If the device supports TLS-SNI, that list contains the server_name extension (extension type 0) with the hostname the client is requesting (0666.tcp.ngrok.io in this case), and the decoded hostname should match what you configured on the device. If the ClientHello has no server_name entry, the device is not sending SNI, and a broker that relies on SNI to choose between several certificates on one IP address will hand it the default certificate, which the device may then refuse. Before concluding that the device lacks SNI support, make sure it was configured with a hostname rather than an IP address, since a conforming client never sends SNI for an IP literal.
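As an added example (not part of the original article), the following Python script reproduces offline what the OpenSSL trace lets you look for. It drives a stock OpenSSL client handshake into memory buffers instead of a socket, so the raw ClientHello record can be captured without any server, then parses that record by hand to list its extension types and pull out the server_name value. The hostname 0666.tcp.ngrok.io is the article's placeholder; 192.0.2.10 is a documentation-range IP chosen here to show that a client handed an IP literal sends no SNI, and None shows a client that was never given a hostname. The parser is general and also accepts a ClientHello captured from a device (for example exported from a packet capture) if you pass it the bytes of the TLS record.

```python
import ssl
import struct


def capture_client_hello(server_hostname):
    """Start an OpenSSL client handshake into memory BIOs (no socket) and
    return the bytes the client wants to send: one TLS record holding the
    ClientHello. server_hostname=None means "connect without a hostname"."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be off before server_hostname=None is allowed
    ctx.verify_mode = ssl.CERT_NONE     # the handshake never gets as far as a certificate
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False,
                       server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello has been written, client now waits for ServerHello
    return outgoing.read()


def parse_client_hello(record):
    """Parse one TLS record containing a ClientHello (RFC 5246 / RFC 8446 layout).
    Returns {'version': int, 'extensions': [extension type codes], 'sni': host or None}."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("ClientHello does not fit in one record")

    (version,) = struct.unpack("!H", hello[0:2])
    pos = 2 + 32                                  # client_version + random
    pos += 1 + hello[pos]                         # session_id
    (cs_len,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2 + cs_len                             # cipher_suites
    pos += 1 + hello[pos]                         # compression_methods
    info = {"version": version, "extensions": [], "sni": None}
    if pos == len(hello):
        return info                               # legacy ClientHello without any extensions
    (ext_len,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        data = hello[pos:pos + ext_size]
        pos += ext_size
        info["extensions"].append(ext_type)
        if ext_type == 0:                         # server_name, RFC 6066 section 3
            info["sni"] = _parse_server_name(data)
    return info


def _parse_server_name(data):
    """ServerNameList: u16 list length, then (u8 name_type, u16 length, bytes) entries."""
    (list_len,) = struct.unpack("!H", data[0:2])
    q, end = 2, 2 + list_len
    while q + 3 <= end:
        name_type = data[q]
        (name_len,) = struct.unpack("!H", data[q + 1:q + 3])
        q += 3
        if name_type == 0:                        # host_name
            return data[q:q + name_len].decode("ascii")
        q += name_len
    return None


def sni_for(server_hostname):
    """The SNI a stock OpenSSL client sends when configured with this target."""
    return parse_client_hello(capture_client_hello(server_hostname))["sni"]


if __name__ == "__main__":
    # Hostname, IP literal (no SNI per RFC 6066) and no target at all.
    for target in ["0666.tcp.ngrok.io", "192.0.2.10", None]:
        info = parse_client_hello(capture_client_hello(target))
        print(f"target={target!r:24} extensions={info['extensions']} sni={info['sni']!r}")
```

Running the script prints three lines; only the first carries extension type 0 and the hostname, which is the same thing the server_name entry in the s_server trace tells you about a device. The IP case is the one to keep in mind when a device appears to lack SNI support: it may simply have been configured with an address instead of a name.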
...