AWS IoT Core Enables Device Connection

Amazon Web Services Inc. (AWS) announced this week an easier way to connect Internet of Things (IoT) devices, enabled by new TLS client authentication functionality. The capability gives IoT device-makers who use AWS IoT Core, Amazon's managed IoT platform, a way to avoid the communication blockages caused by corporate firewalls and home routers.

According to an Amazon announcement on February 7, you now have more options for connecting your devices securely to AWS IoT Core: MQTT (Message Queuing Telemetry Transport) with certificate-based client authentication is now available on port 443. This combination of protocol and authentication mechanism was previously available only on port 8883.

Port 8883 or port 443? What's the deal? It can mean the difference between an IoT device actively transmitting data to AWS IoT Core and one locked out in the cold. According to AWS, corporate firewalls and home routers block all inbound and outbound traffic except port 443 by default. Port 443 is the standard port for HTTPS traffic, so it is almost always left open, and closing everything else is done to reduce the network's attack surface.

The update lets you deploy IoT devices without any network or firewall changes and still use certificate-based authentication. This is particularly useful when devices must be deployed in environments where you have no control over the IT infrastructure.

Jared Sharfin explains the technical details in a post on the official AWS blog titled "MQTT with TLS client authentication on port 443". "TCP connections are usually associated with a combination of IP address and port number," the post says. According to the blog, this raises the question of which port number you should use to ensure your application can communicate with third-party applications.
Problems arise because port 8883 is the port registered for MQTT over TLS in the Internet Assigned Numbers Authority's (IANA) port number registry, and AWS reports that 8883 is often blocked by IT departments and by the designers of consumer routers. Sharfin explained that IoT devices deployed in environments you don't control can cause serious headaches. For example, if your medical devices are sold to hospitals across the country, you don't want to have to contact each hospital's IT department individually to open port 8883 in its firewall so your devices can connect to your IoT application running on AWS IoT Core.

The issue can be solved with a standard extension of the TLS protocol. The blog explains that the solution is "Application Layer Protocol Negotiation" (ALPN), an extension to TLS that is supported by many of the most popular TLS implementations, and that it can be used to get around the port 8883 roadblock. Sharfin explained that ALPN allows a client connecting to a TLS server to send an additional parameter, known as a ProtocolNameList, as part of the ClientHello message during the TLS handshake. "The ProtocolNameList is a preference-ordered list of application protocols that the client wishes to use to communicate. The ServerHello message allows the TLS server to select one protocol from the list to be used for transmitting application data over the connection." (In TLS 1.3 the server's selection travels in the EncryptedExtensions message rather than the ServerHello, but the picture from the client's side is the same.) The blog walks through how this handshake works and lists the steps required to use port 443:
Make sure your device's TLS client implementation supports the ALPN extension.
Register your device with AWS IoT Core and create, activati
To be certain, consult your TLS library's documentation; this Wikipedia page also provides a handy guide to which implementations support ALPN.
The Amazon FreeRTOS source code supports the ALPN extension.
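As an added example (not code from the AWS post, from Amazon FreeRTOS, or from AWS IoT Core), the Go program below runs the handshake described above over loopback: a server that requires a client certificate and advertises an ALPN protocol, and a client that presents its certificate and sends a preference-ordered ProtocolNameList. It assumes the ALPN protocol name "x-amzn-mqtt-ca", which is the name AWS IoT Core expects for MQTT with certificate-based client authentication on port 443, and it uses a constructed in-memory self-signed certificate for both endpoints in place of a device certificate created and activated in AWS IoT Core. The loopback server stands in for your account's AWS IoT Core endpoint.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// AWSMQTTALPN is the ALPN protocol name AWS IoT Core expects from a client that
// wants MQTT with X.509 client authentication on port 443. On port 8883 no ALPN
// value is needed because the port number itself identifies the protocol.
const AWSMQTTALPN = "x-amzn-mqtt-ca"

// selfSignedCert builds an in-memory self-signed certificate valid for 127.0.0.1
// and usable for both server and client authentication. It is constructed for
// this example only; a real device carries a certificate issued via AWS IoT Core.
func selfSignedCert(cn string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// Negotiate performs one mutual-TLS handshake over loopback. The server stands in
// for the AWS IoT Core endpoint on port 443: it requires a client certificate and
// advertises serverProtos. The client presents its certificate and sends
// clientProtos as its ProtocolNameList. The result is the protocol the client
// sees as negotiated ("" if the lists do not overlap) plus any handshake error.
func Negotiate(serverProtos, clientProtos []string) (string, error) {
	cert, err := selfSignedCert("device-0001")
	if err != nil {
		return "", err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert.Leaf)

	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // certificate-based client auth
		ClientCAs:    pool,
		NextProtos:   serverProtos, // server picks the first of these the client offered
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()

	// Server side: accept a single connection and complete the handshake.
	serverErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			serverErr <- err
			return
		}
		defer c.Close()
		serverErr <- c.(*tls.Conn).Handshake()
	}()

	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates: []tls.Certificate{cert},
		RootCAs:      pool,
		ServerName:   "127.0.0.1",
		NextProtos:   clientProtos, // the ALPN ProtocolNameList sent in the ClientHello
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		<-serverErr // no-overlap case: the server rejects the handshake
		return "", err
	}
	defer conn.Close()
	if err := <-serverErr; err != nil {
		return "", err
	}
	return conn.ConnectionState().NegotiatedProtocol, nil
}

func main() {
	for _, offered := range [][]string{{AWSMQTTALPN}, {"http/1.1", AWSMQTTALPN}, {"http/1.1"}} {
		proto, err := Negotiate([]string{AWSMQTTALPN}, offered)
		fmt.Printf("client offered %v -> negotiated %q, err=%v\n", offered, proto, err)
	}
}
```

Against the real service you would replace the loopback address with your account's AWS IoT Core endpoint on port 443 and hand the established connection to your MQTT client; the ALPN, client certificate and CA settings stay the same. The third case in main, where the client never offers "x-amzn-mqtt-ca", is the one to watch: depending on the TLS stack the handshake either fails outright or completes with no protocol negotiated, and in both cases the device must check the negotiated protocol before it starts sending MQTT rather than assuming that port 443 alone selected it.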