Amazon Web Services Inc. (AWS) this week announced easier Internet of Things (IoT) device connections, enabled by new TLS client authentication functionality.

That capability gives IoT device-makers utilizing AWS IoT Core, Amazon's managed platform for IoT, a new option for avoiding communications blockages caused by corporate firewalls or home routers.

"Beginning today, you have more options to securely connect your devices to AWS IoT Core," according to a Feb. 7 Amazon announcement. "You can use MQTT (Message Queuing Telemetry Transport) with certificate based client authentication on port 443. Previously this combination of protocol and authentication mechanism was only supported on port 8883."

It could be the difference between having your IoT device utilizing AWS IoT Core actively transmitting data, or being locked out in the Internet cold.

"Corporate firewalls and home routers often block inbound and outbound traffic on all ports except port 443 by default, which is the standard port for HTTPS (that is, Internet) traffic," the AWS announcement explained. "This is done as a security measure to limit the attack surface for possible cyber attacks. With this update, we enable you to deploy your IoT devices with minimal network and firewall changes, while still using certificate based authentication. This is especially beneficial for those who need to deploy devices into environments where they do not control the IT infrastructure."

Jared Sharfin explained the technical details in a post, "MQTT with TLS client authentication on port 443: Why it is useful and how it works," on The Internet of Things on AWS Official Blog.

Port 8883? Port 443? What's the big deal?

TCP connections are typically associated with a combination of IP address and port number. This immediately raises the question of which port number to use to ensure that your application can communicate with other third-party applications, according to the blog.

Problems arise because 8883 is the port registered for MQTT over TLS in the Internet Assigned Numbers Authority (IANA) mapping of Internet protocols, but 8883 is often blocked by IT departments and by the designers of consumer routers, according to AWS.

"If you are manufacturing IoT devices that will ultimately be used in IT environments that you do not control, this can cause serious headaches," Sharfin explained. "For example, if you manufacture medical devices that are sold to hospitals around the country, you do not want to have to negotiate separately with each hospital's IT department to open port 8883 in their firewall so that your devices can connect to your IoT application running on AWS IoT Core. It just so happens that there is a standard extension to the TLS protocol that can help with precisely this issue."

The blog points out that the solution comes through Application Layer Protocol Negotiation (ALPN), an extension to TLS supported by many of the most common TLS implementations, which lets a client say which application protocol it wants to speak on a given port and so gets around the port 8883 roadblock.

"ALPN enables clients connecting to a TLS server to pass an extra parameter, known as a ProtocolNameList, as part of the ClientHello message during the TLS handshake," Sharfin explained. "The ProtocolNameList is a preference ordered list of the application protocols that the client would like to use to communicate. As part of the ServerHello message, the TLS server selects one protocol from this list that will be used to transmit application data over the connection."

The blog provides details on how this handshake works and lists the following steps to use port 443 for IoT device communications:

1. Register your device with AWS IoT Core by creating, activating, and downloading a certificate, or bring your own certificate.
2. Ensure your device's TLS client implementation supports the ALPN extension. Consult the manual to be certain, but this Wikipedia page provides a handy list.
3. Configure the ALPN extension on your device with the x-amzn-mqtt-ca protocol*.
4. Connect to AWS IoT Core on port 443.

*Amazon FreeRTOS source code supports the ALPN extension.
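As an added example (this is not code from the AWS post or from this article), the Python below shows both sides of the exchange the steps rely on: it encodes the ALPN ProtocolNameList exactly as it travels in a TLS 1.2 ClientHello, parses it back out the way a firewall or proxy would, applies the server's selection rule, and builds the client-side `ssl.SSLContext` a device would use for the x-amzn-mqtt-ca step. The endpoint name `example.iot.us-east-1.amazonaws.com`, the certificate file paths and the fixed 32-byte random are placeholders or constructed sample input, not values from the page.

```python
"""ALPN (RFC 7301) as used for MQTT-over-TLS on port 443: build, parse, select, configure."""
from __future__ import annotations

import os
import ssl
import struct

SNI_EXT = 0x0000                      # server_name extension type (RFC 6066)
ALPN_EXT = 0x0010                     # application_layer_protocol_negotiation (RFC 7301)
AWS_IOT_ALPN = b"x-amzn-mqtt-ca"      # protocol name AWS IoT Core expects for MQTT on 443


def _vec(payload: bytes, len_bytes: int) -> bytes:
    """TLS length-prefixed vector (1-, 2- or 3-byte big-endian length)."""
    return len(payload).to_bytes(len_bytes, "big") + payload


def alpn_extension(protocols: list[bytes]) -> bytes:
    """ProtocolNameList: 2-byte list length, then 1-byte-length names in client preference order."""
    body = _vec(b"".join(_vec(p, 1) for p in protocols), 2)
    return struct.pack("!HH", ALPN_EXT, len(body)) + body


def sni_extension(host: str) -> bytes:
    """server_name extension: shows which endpoint is being contacted (also cleartext)."""
    entry = b"\x00" + _vec(host.encode(), 2)   # name_type host_name(0) + length-prefixed name
    body = _vec(entry, 2)
    return struct.pack("!HH", SNI_EXT, len(body)) + body


def client_hello(host: str, protocols: list[bytes], random: bytes | None = None) -> bytes:
    """Minimal TLS 1.2 ClientHello record offering one cipher suite plus SNI and ALPN."""
    random = random or os.urandom(32)
    exts = sni_extension(host) + alpn_extension(protocols)
    body = (b"\x03\x03" + random                 # client_version TLS 1.2, 32-byte random
            + _vec(b"", 1)                       # session_id: empty
            + _vec(b"\xc0\x2f", 2)               # cipher_suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            + _vec(b"\x00", 1)                   # compression_methods: null
            + _vec(exts, 2))                     # extensions
    handshake = b"\x01" + _vec(body, 3)          # HandshakeType client_hello(1), 3-byte length
    return b"\x16\x03\x01" + _vec(handshake, 2)  # ContentType handshake(22), record version, length


def parse_client_hello(record: bytes) -> dict:
    """Walk a ClientHello record as a middlebox would; return cleartext SNI and ALPN list.

    Either value is None when that extension is absent (a pre-ALPN MQTT client sends none)."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9 + 2 + 32                              # record hdr(5) + handshake hdr(4) + version + random
    p += 1 + record[p]                          # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher_suites
    p += 1 + record[p]                          # compression_methods
    result = {"sni": None, "alpn": None}
    if p >= len(record):
        return result                           # no extensions block at all
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[p:p + 4])
        data = record[p + 4:p + 4 + ext_len]
        p += 4 + ext_len
        if ext_type == SNI_EXT:                 # first ServerName entry: type(1), length(2), name
            name_len = struct.unpack("!H", data[3:5])[0]
            result["sni"] = data[5:5 + name_len].decode()
        elif ext_type == ALPN_EXT:
            names, q = [], 2
            while q < 2 + struct.unpack("!H", data[:2])[0]:
                n = data[q]
                names.append(data[q + 1:q + 1 + n])
                q += 1 + n
            result["alpn"] = names
    return result


def server_select(offered: list[bytes] | None, supported: list[bytes]) -> bytes | None:
    """Server side of the negotiation; RFC 7301 lets the server apply its own preference order.

    None when the client sent no ALPN (server keeps the port's default protocol), the chosen
    name otherwise; raises when nothing overlaps (TLS alert no_application_protocol)."""
    if offered is None:
        return None
    for name in supported:
        if name in offered:
            return name
    raise ValueError("no_application_protocol")


def aws_iot_tls_context(cert_path: str, key_path: str, ca_path: str) -> ssl.SSLContext:
    """Client configuration for the steps above (paths are placeholders): present the device
    certificate and offer x-amzn-mqtt-ca; wrap the MQTT socket to the endpoint on port 443."""
    ctx = ssl.create_default_context(cafile=ca_path)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert_path, key_path)
    ctx.set_alpn_protocols([AWS_IOT_ALPN.decode()])
    return ctx


if __name__ == "__main__":
    # Constructed sample: placeholder endpoint, fixed random so the bytes are reproducible.
    hello = client_hello("example.iot.us-east-1.amazonaws.com", [AWS_IOT_ALPN], random=bytes(32))
    seen = parse_client_hello(hello)
    print(seen)                                                      # sni + [b'x-amzn-mqtt-ca']
    print(server_select(seen["alpn"], [AWS_IOT_ALPN, b"http/1.1"]))  # b'x-amzn-mqtt-ca'
    print(AWS_IOT_ALPN in hello)                                     # True: visible on the wire
```

Two points the code makes that the steps alone do not. First, the ProtocolNameList is sent in the clear in the ClientHello (in TLS 1.2 and TLS 1.3 alike), so moving to port 443 only defeats port-based filtering; a firewall that inspects the handshake can still match on `x-amzn-mqtt-ca` or on the SNI name and block or log the device, which is worth knowing before promising a customer "no firewall changes". Second, a client that omits ALPN on 443 is treated by the server as its default protocol for that port, so an old MQTT library that cannot send the extension fails at the application layer rather than at the handshake; step 2 is therefore a hard requirement, not a nicety. `aws_iot_tls_context` needs real certificate files and a network, so it is shown but not exercised offline.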