How do I test locally if my IoT device has TLS-SNI?

TLS-SNI (Server Name Indication) is an extension of the TLS protocol that allows clients to indicate the server hostname they are attempting to connect to during the TLS handshake. TLS-SNI is crucial for servers hosting multiple SSL/TLS-enabled web services on the same IP address.

To determine if your IoT device supports TLS-SNI, you can mock a TLS server locally and analyze the TLS handshake between the server and the client.

 Instructions

If your IoT device is the local network, you can simply capture client-server communication with a network packet analyzer. If your IoT device is not on the local WiFi network and needs to connect via the internet, you'll need to expose the TLS port to the internet.

Exposing TLS Port to the Internet

This example uses ngrok that allows you to expose local servers to the internet securely. You can use any other similar service.

With ngrok you need to register a test account at ngrok.com and install ngrok. Its welcome page contains detailed instructions for different OS.

Exposing local port:

ngrok tcp 8883

Ngrok will provide a public URL ( like tcp://666.tcp.ngrok.io:XXXXX) that forwards to your local machine's port 8883.

Each time ngrok starts it will provide a different URL and port. In this article, we use 666.tcp.ngrok.io:XXXXX as an example. In your case, the hostname and port will be different.

Use your Ngrok URL (666.tcp.ngrok.io:XXXXX) in place of the hostname and port when configuring your IoT device or client.

Generating certificate

Generate a self-signed server certificate (replace 666.tcp.ngrok.io with your domain)

openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt -subj "/CN=666.tcp.ngrok.io"
  • Generates a self-signed server certificate (server.crt) and private key (server.key) valid for 365 days.

  • The -subj "/CN=666.tcp.ngrok.io" option sets the Common Name (CN) in the certificate to 666.tcp.ngrok.io. Replace 666.tcp.ngrok.io with your domain name or IP address.

Starting SSL server

Start the OpenSSL server with the server certificate

openssl s_server -port 8883 -4 -unlink -cert server.crt -key server.key -trace
  • Starts the OpenSSL TLS server.

  • -port 8883: Specifies the port number (8883) that the server will listen on.

  • -4: Forces the server to use IPv4 only.

  • -unlink: Unlinks the socket file before binding.

  • -cert server.crt: Specifies the server certificate (server.crt) to be used.

  • -key server.key: Specifies the private key (server.key) corresponding to the server certificate.

  • -trace: Enables trace mode, providing detailed debugging output, including information about the TLS handshake.

Testing with IoT device

Uploading the Server Certificate to the IoT Device

Ensure the server certificate (server.crt) is uploaded to your IoT device and configured for use in the TLS connection test.

Test device connection to hostname 666.tcp.ngrok.io port XXXXX

Testing with MQTT-CLI

To make sure the connection is working it is possible to test with the MQTT-CLI command line client using server.crt

Analyzing TLS handshake

Connect your IoT device or client to the local TLS server. Observe the output from the OpenSSL server. Look for the ClientHello packet in the debug output, which indicates if TLS-SNI is being used and the hostname (666.tcp.ngrok.io in this case) the client is requesting.

Example ClientHello:

Example TLS-SNI extension enabled will have extension_type=server_name and the server name (in this case 2.tcp.eu.ngrok.io):

 Related articles