TLS-SNI (Server Name Indication, RFC 6066) is a TLS extension with which the client states, in its ClientHello, the hostname it wants to reach. The server uses that name to select the certificate it presents, so SNI is essential wherever several TLS-enabled hostnames share one IP address; a broker or load balancer that fronts many hostnames on one address will present the wrong certificate to, or simply reject, a client that sends no SNI. The hostname travels in cleartext in the ClientHello, before any key exchange or certificate check, which is what makes it easy to observe.

To find out whether your IoT device sends SNI, run a minimal TLS server yourself and inspect the ClientHello the device sends to it. The check does not depend on the handshake completing: the ClientHello is the very first message, so it is visible even if the device later rejects the server certificate.

Instructions

If your IoT device is on the same local network as the machine that will run the test server, skip the next section and point the device at that machine's LAN address and port 8883. If the device must connect over the internet, you first need to expose the TLS port to the internet.

Exposing TLS Port to the Internet

This example uses ngrok, which publishes a local port through a public TCP tunnel; any similar service works. An ngrok TCP tunnel forwards raw bytes, so the device's ClientHello, including any SNI extension, reaches your local OpenSSL server unmodified, and the TLS session is terminated on your machine, not by ngrok. The tunnel endpoint is reachable by anyone on the internet and the test server performs no client authentication, so stop ngrok and the server as soon as the test is done.

Register an account at ngrok.com and install the ngrok client; the dashboard's setup page has instructions for each OS.

Exposing local port:

ngrok tcp 8883

Ngrok prints a public URL (tcp://0.tcp.ngrok.io:XXXXX) that forwards to port 8883 on your local machine.

Each time ngrok starts it assigns a different hostname and port. This article uses 0.tcp.ngrok.io:XXXXX as an example; in your case the hostname and port will differ.

Configure the IoT device or client with the ngrok hostname and port (0.tcp.ngrok.io and XXXXX) in place of the broker hostname and port. Configure the hostname, not the tunnel's IP address: SNI carries only DNS names (RFC 6066 forbids IP literals), so a device configured with an IP address will not send SNI even if it supports it, and the test would give a false negative.

Generating certificate

Generate a self-signed server certificate whose name matches the hostname the device will connect to (replace 0.tcp.ngrok.io with your hostname):

openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt -subj "/CN=0.tcp.ngrok.io" -addext "subjectAltName=DNS:0.tcp.ngrok.io"
  • Generates a self-signed server certificate (server.crt) and an unencrypted private key (server.key, -nodes) valid for 365 days.

  • -subj "/CN=0.tcp.ngrok.io" sets the Common Name (CN); -addext "subjectAltName=DNS:0.tcp.ngrok.io" (OpenSSL 1.1.1 or later) adds the same name as a subjectAltName. Many current TLS stacks ignore the CN and verify only the SAN, so without it the device may reject the certificate after the ClientHello. Use the name the device is configured with; for a plain IP address the SAN form is IP:1.2.3.4, but then no SNI will be sent (see above).

  • The name in the certificate only matters for the device's certificate verification, which happens after the ClientHello. If you only want to see whether SNI is sent, a mismatch does not hide the result.

Uploading the Server Certificate to the IoT Device

Upload the server certificate (server.crt) to the IoT device and configure it as the trusted CA certificate for the TLS connection under test. Because the certificate is self-signed, it is its own trust anchor; if the device cannot be pointed at a custom CA, the handshake will fail after the ClientHello, which still leaves enough in the server trace to answer the SNI question.

Starting the TLS server

Start the OpenSSL test server (s_server) with the server certificate:

openssl s_server -port 8883 -4 -unlink -cert server.crt -key server.key -trace
  • Starts the OpenSSL TLS server.

  • -port 8883: Specifies the port number (8883) that the server will listen on.

  • -4: Forces the server to use IPv4 only.

  • -unlink: Only meaningful together with -unix (it removes a stale Unix-domain socket file before binding). It has no effect on a TCP listener and can be omitted.

  • -cert server.crt: Specifies the server certificate (server.crt) to be used.

  • -key server.key: Specifies the private key (server.key) corresponding to the server certificate.

  • -trace: Enables trace mode, which decodes every handshake message, including the ClientHello and its extensions. It needs an OpenSSL build with SSL trace support (enabled by default since OpenSSL 1.1.1). If your build lacks it, use -tlsextdebug instead, which prints each extension received from the client with a hex dump, or -msg for raw hex of all messages.

Testing with IoT device

Configure the device to connect to hostname 0.tcp.ngrok.io, port XXXXX (or to your machine's LAN address and port 8883 when testing locally) and trigger a connection, for example by rebooting the device or forcing a reconnect. The s_server output for that connection is what you analyze below.

Testing with MQTT-CLI

To verify that the tunnel and server are working before involving the device, connect with the MQTT-CLI command line client using server.crt as the CA file (--cafile makes mqtt-cli connect over TLS and trust the self-signed certificate). Note that openssl s_server is not an MQTT broker: the TLS handshake completes and the ClientHello appears in the server trace, but the MQTT CONNECT never gets a CONNACK, so mqtt-cli will wait and eventually report a timeout. That is expected; the ClientHello in the s_server output is what matters.

mqtt publish --topic Test --message Hello --host 0.tcp.ngrok.io --port XXXXX --cafile server.crt --debug

Analyzing the TLS handshake

Connect your IoT device or client to the TLS server and watch the OpenSSL server output. Find the ClientHello in the trace and look at its extensions list: an entry with extension_type=server_name(0) means the client sends SNI, and its payload contains the hostname the client asked for (0.tcp.ngrok.io in this setup). If there is no server_name entry, or the ClientHello has no extensions block at all (typical of very old TLS stacks), the device does not use SNI. If the entry is present but carries a hostname other than the one you configured, the device is sending a hard-coded name, which is worth reporting as well. Because the ClientHello precedes certificate verification, the result is valid even if the trace then shows the device aborting the handshake with a certificate error.

Example ClientHello:

Received TLS Record
Header:
  Version = TLS 1.2 (0x303)
  Content Type = Handshake (22)
  Length = 237
    ClientHello, Length=233
      client_version=0x303 (TLS 1.2)

When the client sends SNI, the extensions list contains an entry with extension_type=server_name and the requested name in its payload (in this capture 2.tcp.eu.ngrok.io):

      extensions, length = 174
        extension_type=server_name(0), length=22
          0000 - 00 14 00 00 11 32 2e 74-63 70 2e 65 75 2e 6e   .....2.tcp.eu.n
          000f - 67 72 6f 6b 2e 69 6f                           grok.io

The 22 payload bytes follow the RFC 6066 layout: 00 14 is the length of the server name list (20 bytes), 00 is the name type (host_name), 00 11 is the length of the name (17 bytes), and the remaining 17 bytes are the ASCII hostname 2.tcp.eu.ngrok.io.
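The same check can be done without reading the s_server trace by hand. The script below is an added example, not code from the original page: it parses a TLS ClientHello record, walks the extensions list and reports the server_name extension exactly as decoded above, including the "no SNI" and "no extensions block at all" cases. serve_once() accepts a single TCP connection on a port (use it in place of openssl s_server, behind ngrok if needed) and returns the parsed ClientHello; build_client_hello() produces a constructed TLS 1.2 ClientHello for offline testing and is not a capture from any device. The hex string passed to parse_sni_extension is the 22-byte payload from the trace on this page.

```python
# Added example, not code from the original page: parse a TLS ClientHello and
# report whether it carries the server_name (SNI) extension of RFC 6066.
# build_client_hello() produces constructed test input, not a device capture.
import socket
import struct

HANDSHAKE, CLIENT_HELLO = 22, 1        # record content type, handshake type
EXT_SERVER_NAME, SNI_HOST_NAME = 0, 0  # extension_type and name_type for SNI


def parse_sni_extension(data: bytes):
    """Return the host_name from a server_name extension body, else None.
    Layout: 2-byte list length, then 1-byte name_type, 2-byte length, name."""
    if len(data) < 2:
        return None
    pos, end = 2, 2 + struct.unpack("!H", data[:2])[0]
    if end > len(data):
        raise ValueError("truncated ServerNameList")
    while pos + 3 <= end:
        name_type = data[pos]
        name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
        name = data[pos + 3:pos + 3 + name_len]
        if len(name) != name_len:
            raise ValueError("truncated host_name")
        pos += 3 + name_len
        if name_type == SNI_HOST_NAME:
            return name.decode("ascii")  # RFC 6066: a DNS name, never an IP
    return None


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ClientHello; "sni" is None if absent."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    record_version, rec_len = struct.unpack("!HH", record[1:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4 or body[0] != CLIENT_HELLO:
        raise ValueError("not a complete ClientHello record")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or len(hello) < 35:
        raise ValueError("truncated ClientHello")
    client_version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                                           # client_version + random
    pos += 1 + hello[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hello[pos]                                  # compression_methods
    result = {"record_version": record_version, "client_version": client_version,
              "extensions": [], "sni": None}
    if pos == len(hello):
        return result                 # legacy client: no extensions block at all
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if end > len(hello):
        raise ValueError("truncated extensions")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        ext_data = hello[pos + 4:pos + 4 + ext_len]
        if len(ext_data) != ext_len:
            raise ValueError("truncated extension")
        pos += 4 + ext_len
        result["extensions"].append(ext_type)
        if ext_type == EXT_SERVER_NAME:
            result["sni"] = parse_sni_extension(ext_data)
    return result


def build_client_hello(sni=None) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello; an unrelated extension is put
    before server_name so the parser has to walk the list, not assume order."""
    exts = struct.pack("!HH", 13, 4) + struct.pack("!H", 2) + b"\x04\x01"  # signature_algorithms
    if sni is not None:
        name = sni.encode("ascii")
        entry = bytes([SNI_HOST_NAME]) + struct.pack("!H", len(name)) + name
        sni_body = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
    hello = struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"  # version, random, no session_id
    hello += struct.pack("!H", 2) + b"\xc0\x2f" + b"\x01\x00"   # one cipher suite, null compression
    hello += struct.pack("!H", len(exts)) + exts
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + struct.pack("!HH", 0x0303, len(handshake)) + handshake


def serve_once(port: int = 8883) -> dict:
    """Accept one connection (in place of openssl s_server), read the first TLS
    record and return the parsed ClientHello. The handshake is then dropped:
    SNI is sent before any certificate is checked, so this is enough."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        conn, _peer = srv.accept()
        with conn, conn.makefile("rb") as stream:
            header = stream.read(5)
            rec_len = struct.unpack("!H", header[3:5])[0]
            return parse_client_hello(header + stream.read(rec_len))


if __name__ == "__main__":
    # server_name payload copied from the trace on this page
    print(parse_sni_extension(bytes.fromhex("0014000011322e7463702e65752e6e67726f6b2e696f")))
    print(parse_client_hello(build_client_hello("0.tcp.ngrok.io")))
```

Run it with `python3 sni_check.py` to see the two constructed results, or call serve_once(8883) from a Python shell, start the ngrok tunnel as above and let the device connect; the returned dict's "sni" field is the answer, and "extensions" lists every extension type the device sent, which is useful when a broker later needs, say, ALPN as well. A device that sends no SNI yields "sni": None, and a device with no extensions block at all yields an empty "extensions" list.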