MQTT SSL/TLS Connectivity: Client Authentication (CA Cert + Client Cert + Client Private Key)

JohanMynhardt
Here to help

MQTT SSL/TLS Connectivity: Client Authentication (CA Cert + Client Cert + Client Private Key)

This relates to AWS IoT Core.

 

I'm running into a situation where the bridge-workaround [0] is not optimal any longer.

 

The next step is to look at AWS IoT custom authorizers, but it would be helpful to know whether there are plans from Meraki to support TLS client authentication since there is currently a big push on this kind of authentication.

 

[0]: https://aws.amazon.com/blogs/iot/how-to-bridge-mosquitto-mqtt-broker-to-aws-iot/

2 Replies 2
JohanMynhardt
Here to help

I have gone down the path of using an AWS IoT Custom Authorizer, and I'm 99% of the way there. The last thing I'm unable do via the Meraki console is to specify an ALPN [0] value as required by AWS IoT Custom Authorizer protocols. [1], [2], [3].

The following is an example command using `mosquitto_pub` to test that AWS IoT is reachable using only a CA Cert and a Custom Authorizer (no mTLS authorization though CA cert + device cert + device key):

 

 

mosquitto_pub \
  --tls-alpn mqtt \
  --cafile AmazonRootCA1.pem \
  -h ${IOT_ENDPOINT} \
  -p 443 \
  -t ${THE_TOPIC} \
  -m "{\"msg\": \"hello IoT!\"}" \
  -i ${CLIENT_ID} \
  -u USER_NAME?x-amz-customauthorizer-name=${AUTHORIZER_NAME} \
  -P ${PASSWORD} \
  -d

 

 

The crucial part that I'm unable to do via Meraki Console is the equivalent of `--tls-alpn mqtt`.

 

A successful response looks like:

Client ${CLIENT_ID} sending CONNECT
Client ${CLIENT_ID} received CONNACK (0)
Client ${CLIENT_ID} sending PUBLISH (d0, q0, r0, m1, '${THE_TOPIC}', ... (20 bytes))
Client ${CLIENT_ID} sending DISCONNECT

 

I don't know how a big a request that is, but hopefully it can be added as an option soon, if mTLS is not planned to be supported.

 

Links:

[0]: https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation

[1]: https://docs.aws.amazon.com/iot/latest/developerguide/custom-auth.html#custom-auth-mqtt

[2]: https://docs.aws.amazon.com/iot/latest/developerguide/protocols.html

[3]: https://aws.amazon.com/blogs/iot/mqtt-with-tls-client-authentication-on-port-443-why-it-is-useful-an...

Computeracer
Conversationalist

Hello @JohanMynhardt Were you able to make any further progress on getting such a solution to work with the AWS service?

Get notified when there are additional replies to this discussion.