TLS-SNI (Server Name Indication) is an extension of the TLS protocol that allows clients to indicate the hostname they are attempting to connect to during the TLS handshake. This extension is crucial for servers hosting multiple SSL/TLS-enabled websites on the same IP address.
To determine if your IoT device supports TLS-SNI, you can mock a TLS server locally and analyze the TLS handshake between the server and the client.
\uD83D\uDCD8 Instructions
If your IoT device is not on the local WiFi network and needs to connect via the internet, you'll need to expose the TLS port to the internet.
Exposing TLS Port to the Internet
This example uses ngrok that allows you to expose local servers to the internet securely. You can use any other similar service.
With ngrok you need to register a test account at ngrok.com and install ngrok. Its welcome page contains detailed instructions for different OS.
Exposing local port:
ngrok tcp 8883
Ngrok will provide a public URL (tcp://0.tcp.ngrok.io:XXXXX
) that forwards to your local machine's port 8883.
Each time ngrok starts it will provide a different URL. In this article, we use 0.tcp.ngrok.io:XXXXX
as an example. In your case, the hostname and port will be different.
Use the Ngrok URL (0.tcp.ngrok.io:XXXXX
) in place of the hostname and port when configuring your IoT device or client.
Generating certificate
Generate a self-signed server certificate (replace 0.tcp.ngrok.io
with your domain)
openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt -subj "/CN=0.tcp.ngrok.io"
Generates a self-signed server certificate (
server.crt
) and private key (server.key
) valid for 365 days.The
-subj "/CN=0.tcp.ngrok.io"
option sets the Common Name (CN) in the certificate to0.tcp.ngrok.io
. Replace0.tcp.ngrok.io
with your domain name or IP address.
Uploading the Server Certificate to the IoT Device
Ensure the server certificate (server.crt
) is uploaded to your IoT device and configured for use in the TLS connection test.
Starting SSL server
Start the OpenSSL server with the server certificate
openssl s_server -port 8883 -4 -unlink -cert server.crt -key server.key -trace
Starts the OpenSSL TLS server.
-port 8883
: Specifies the port number (8883
) that the server will listen on.-4
: Forces the server to use IPv4 only.-unlink
: Unlinks the socket file before binding.-cert server.crt
: Specifies the server certificate (server.crt
) to be used.-key server.key
: Specifies the private key (server.key
) corresponding to the server certificate.-trace
: Enables trace mode, providing detailed debugging output, including information about the TLS handshake.
Testing with IoT device
Test device connection to hostname 0.tcp.ngrok.io
port XXXXX
Testing with MQTT-CLI
To make sure the connection is working it is possible to test with the MQTT-CLI command line client using server.crt
mqtt publish --topic Test --message Hello --host 0.tcp.ngrok.io --port XXXXX --cafile server.crt --debug
Analyzing SSL handshake
Connect your IoT device or client to the local TLS server. Observe the output from the OpenSSL server. Look for the ClientHello
packet in the debug output, which indicates if TLS-SNI is being used and the hostname (0.tcp.ngrok.io
in this case) the client is requesting.
Example ClientHello:
Received TLS Record Header: Version = TLS 1.2 (0x303) Content Type = Handshake (22) Length = 237 ClientHello, Length=233 client_version=0x303 (TLS 1.2)
Example TLS-SNI extension enabled will have extension_type=server_name
and the server name (in this case 2.tcp.eu.ngrok.io
):
extensions, length = 174 extension_type=server_name(0), length=22 0000 - 00 14 00 00 11 32 2e 74-63 70 2e 65 75 2e 6e .....2.tcp.eu.n 000f - 67 72 6f 6b 2e 69 6f grok.io