MQTT TLS over port 443 to Amazon server
I have a Flexy 205 sending MQTT messages to Amazon IoT Core over port 8883. This is working very well.
The Ewon Flexy is now on a customer site. The customer network has a very restricted firewall. This happens more and more. The customer wants to know the IP address of the Amazon server. But Amazon uses a large pool (100+) of IP addresses for the server. The customer does not want to open port 8883 to all IP addresses. And the IP list of Amazon is too long to put in the firewall rules.
It is possible to do MQTT TLS over port 443 to the Amazon server. Port 443 is open on most firewalls. To use port 443, ALPN is necessary.
Application Layer Protocol Negotiation (ALPN) is an extension to TLS.
I don't think the Ewon Flexy supports ALPN. It would be very nice if the Ewon supported this in the future.
-
Sure, you can change the port:
I would also say this is not an incoming port on the firewall; the MQTT client (Flexy) is sending outgoing traffic.
I haven't tested using port 443. It's definitely unusual, but I don't see why not. The only potential conflict I see is if you were using port 443 for a VPN connection as well. You would have to test it.
0 -
I know I can change the port. The problem is that the Amazon IoT Core server only listens on port 8883. Port 443 can only be used with the ALPN protocol, which is not supported now by the Ewon (I think).
Other ports cannot be used at the Amazon side.
Outgoing port 8883 is blocked on the customer's firewall. They want to open this port to one or a few destination IP addresses. The Amazon IP list is too long.
Port 443 is already open, and it would be very nice if I could use this with ALPN.
I found this link; in 2022 there was no support for ALPN. I think there are more and more restricted firewalls, and the need for this ALPN support is increasing.
https://techforum.ewon.biz/thread-1913.html?highlight=ALPN
0 -
Why wouldn't they just allow outgoing traffic on port 8883 to certain devices? They could allow only the Flexy to use this port by its IP address or MAC address.
I can certainly pass on this information about ALPN, but I'm fairly certain this is not on the roadmap. If you have a compelling business case for this, I recommend reaching out to your sales contact, who can make the case for it to the developers.
I appreciate the feedback, and I will also pass it on through my channels.
0 -
I was doing a little more research on this and ALPN is just a TLS extension and should be included in OpenSSL versions 1.0.2 and newer. We did update the version of OpenSSL in firmware 14.8 on the Flexy, so I would expect this to work, as long as you are using the latest firmware.
Have you tested this using the latest firmware?
0 -
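The ALPN negotiation this thread is about, as an added example in Go (not code from this thread, from HMS/Ewon or from AWS). ALPN is an extension carried in the TLS ClientHello, so the client library has to be told which name to offer; having a newer OpenSSL underneath does not by itself make a client send it. The program below stands up a local TLS server that, like an MQTT-on-443 endpoint, only serves clients that negotiated a specific ALPN name, then probes it three ways: no ALPN at all, the wrong name, and the expected name. Assumptions: the ALPN value `x-amzn-mqtt-ca` is taken from the AWS IoT Core documentation for MQTT on port 443 with X.509 client certificates; the server, its self-signed certificate and the greeting string are constructed stand-ins, not AWS behaviour and not the Flexy's MQTT implementation.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ALPN name AWS documents for MQTT over TLS on 443 with X.509 client certs (taken from AWS docs, not this thread).
const awsMQTTALPN = "x-amzn-mqtt-ca"

type ProbeResult struct {
	HandshakeOK bool   // TLS handshake completed
	Negotiated  string // ALPN value the server agreed to; "" means none
	Accepted    bool   // server kept the connection open and answered
}

func check(err error) {
	if err != nil {
		panic(err) // demo only: abort on unexpected setup errors
	}
}

// selfSignedCert builds a throwaway cert for 127.0.0.1 so the demo runs offline (AWS presents a real chain).
func selfSignedCert() (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "alpn-demo"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf
}

// serveALPN models a shared port-443 endpoint: MQTT only for clients that negotiated awsMQTTALPN, drop the rest.
func serveALPN(ln net.Listener) {
	for {
		c, err := ln.Accept()
		if err != nil {
			return // listener closed
		}
		go func(tc *tls.Conn) {
			defer tc.Close()
			if tc.Handshake() == nil && tc.ConnectionState().NegotiatedProtocol == awsMQTTALPN {
				fmt.Fprintln(tc, "MQTT endpoint ready")
			}
		}(c.(*tls.Conn))
	}
}

// probe connects like an MQTT client, offering the given ALPN list (nil = a stack that cannot send the extension).
func probe(addr string, roots *x509.CertPool, alpn []string) ProbeResult {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, &tls.Config{RootCAs: roots, NextProtos: alpn})
	if err != nil {
		return ProbeResult{} // refused inside the handshake, e.g. a no_application_protocol alert
	}
	defer conn.Close()
	res := ProbeResult{HandshakeOK: true, Negotiated: conn.ConnectionState().NegotiatedProtocol}
	_ = conn.SetReadDeadline(time.Now().Add(5 * time.Second))
	line, err := bufio.NewReader(conn).ReadString('\n')
	res.Accepted = err == nil && line == "MQTT endpoint ready\n"
	return res
}

// RunDemo starts the server, probes it three ways and returns the outcomes keyed by case.
func RunDemo() map[string]ProbeResult {
	cert, leaf := selfSignedCert()
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		NextProtos:   []string{awsMQTTALPN}, // the only application protocol offered on this port
	})
	check(err)
	defer ln.Close()
	go serveALPN(ln)
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return map[string]ProbeResult{
		"no-alpn":    probe(ln.Addr().String(), roots, nil),                   // client stack without ALPN
		"wrong-alpn": probe(ln.Addr().String(), roots, []string{"http/1.1"}),  // ALPN sent, wrong name
		"aws-alpn":   probe(ln.Addr().String(), roots, []string{awsMQTTALPN}), // what AWS IoT Core expects
	}
}

func main() { fmt.Printf("%+v\n", RunDemo()) }
```

Only the aws-alpn probe ends with Negotiated set to `x-amzn-mqtt-ca` and Accepted true; the no-alpn probe completes the TLS handshake but gets nothing back, which is what a client that cannot send the extension would see on port 443, and the wrong-alpn probe is refused. Two practical notes for the firewall discussion: from the customer network the same check can be made against the real endpoint with `openssl s_client -connect <your-endpoint>:443 -alpn x-amzn-mqtt-ca`, which reports the negotiated ALPN protocol in its output; and because the ALPN extension travels in the ClientHello in cleartext, a firewall that inspects TLS can tell this traffic apart from ordinary HTTPS even though the port is the same.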
I have not tested it yet.
I thought it was not supported. I will test it soon. thanks
0 -
I have a BASIC program in the Ewon which connects to the Amazon server on port 8883.
I can easily change the port to 443, but I don't know how to enable the ALPN protocol, or whether this is supported by this function.
Function MosquittoInit()
  REM DeviceID$ and Endpoint$ are set elsewhere in the program
  MQTT "open", DeviceID$, Endpoint$
  MQTT "setparam", "port", "443"
  MQTT "setparam", "log", "1"
  MQTT "setparam", "keepalive", "300"
  REM Amazon root CA plus the per-device client certificate and private key
  MQTT "setparam", "cafile", "/usr/AmazonRootCA1.pem"
  MQTT "setparam", "certfile", "/usr/"+DeviceID$+".crt"
  MQTT "setparam", "keyfile", "/usr/"+DeviceID$+".key"
ENDFN

Function MosquittoConnect()
  MQTT "connect"
ENDFN
0 -
https://developer.ewon.biz/system/files_force/rg-0006-01-en-basic-programming.pdf
I found this document. I don't know if this is the latest version?
In the MQTT description there is nothing to be found about ALPN. I think it is not supported (yet)?
0 -
That is the latest version of the BASIC programming manual and you are correct, ALPN is not supported by the Flexy and at this time we do not have this on the roadmap. Please contact your local HMS Ewon channel partner if you wish to make a case to have this feature added to the future enhancements wishlist.