AWS IoT Core Now Supports MQTT Connections with Certificate Based Client Authentication On Port 443

Posted on: Feb 7, 2018

Beginning today, you have more options to securely connect your devices to AWS IoT Core. You can now use MQTT with certificate-based client authentication on port 443. Previously this combination of protocol and authentication mechanism was only supported on port 8883.

Corporate firewalls and home routers are often configured to allow outbound traffic only on port 443, the standard port for HTTPS, and to block everything else; this limits the attack surface exposed to possible cyber attacks. Because the device initiates the connection to AWS IoT Core, it is that outbound rule that matters, and MQTT on port 8883 is blocked by it. With this update you can deploy your IoT devices with minimal network and firewall changes while still using certificate-based authentication. This is especially beneficial when deploying devices into environments where you do not control the IT infrastructure.

As a result of this update, the following port/protocol/authentication combinations are supported by AWS IoT Core:

Protocol                Authentication             TCP Port
MQTT                    Client Certificate         8883, 443*
HTTP                    Client Certificate         8443
HTTP                    AWS Signature Version 4    443
MQTT over WebSockets    AWS Signature Version 4    443

*Using MQTT with client certificate authentication on port 443 requires the ALPN TLS extension: port 443 also carries HTTPS, and the ALPN value sent in the TLS handshake is how the endpoint tells which protocol the device is speaking.

MQTT with TLS client authentication on port 443 is enabled in all regions where AWS IoT is available.

To learn more and get started:

  • Ensure that the TLS library on your devices supports the Application Layer Protocol Negotiation (ALPN) TLS extension. Most common TLS implementations, including OpenSSL (1.0.2 and later) and mbedTLS, support this extension; check that the build on the device actually has it enabled.
  • The Amazon FreeRTOS source code supports the ALPN extension.
  • Refer to the "Protocols" page of the AWS IoT Developer Guide.
  • Refer to the AWS IoT Blog post on this feature.
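The ALPN requirement in practice, as an added example that is not part of the original announcement and not AWS code. The Go program below stands up a loopback TLS endpoint that behaves like port 443 on AWS IoT Core in the two respects that matter here: it demands an X.509 client certificate, and it only treats the session as MQTT when the device negotiated the ALPN protocol name x-amzn-mqtt-ca (that value comes from the "Protocols" page of the AWS IoT Developer Guide referenced above; the announcement itself does not spell it out). The self-signed certificates, the hostname iot-endpoint.example and the device name device-0001 are constructed for the demo, and the Negotiate function and its arguments are this example's own, not an AWS API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// mqttALPN is the ALPN protocol name AWS IoT Core expects for MQTT with X.509
// client authentication on port 443 (AWS IoT Developer Guide, "Protocols" page).
const mqttALPN = "x-amzn-mqtt-ca"

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // setup failure (key generation, listener): the demo cannot run at all
	}
	return v
}

// selfSigned builds a throwaway self-signed certificate: constructed test material
// standing in for the device's registered certificate and the endpoint's CA-issued one.
func selfSigned(name string) (tls.Certificate, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, must(x509.ParseCertificate(der))
}

// Negotiate runs one mutual-TLS handshake between a loopback stand-in for the port-443
// endpoint and a device, and returns the ALPN protocol the endpoint saw. Like AWS IoT Core,
// the endpoint requires a client certificate and treats the session as MQTT only if
// x-amzn-mqtt-ca was negotiated; any other outcome is reported as an error here.
func Negotiate(clientALPN []string, sendClientCert bool) (string, error) {
	endpointCert, endpointLeaf := selfSigned("iot-endpoint.example")
	deviceCert, deviceLeaf := selfSigned("device-0001")
	trustEndpoint, trustDevice := x509.NewCertPool(), x509.NewCertPool()
	trustEndpoint.AddCert(endpointLeaf)
	trustDevice.AddCert(deviceLeaf)
	endpointCfg := &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{endpointCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // certificate-based client auth
		ClientCAs:    trustDevice,
		NextProtos:   []string{mqttALPN, "http/1.1"}, // port 443 also carries HTTPS
	}
	deviceCfg := &tls.Config{
		MinVersion: tls.VersionTLS12,
		RootCAs:    trustEndpoint,
		ServerName: "iot-endpoint.example",
		NextProtos: clientALPN, // the device must offer x-amzn-mqtt-ca here
	}
	if sendClientCert {
		deviceCfg.Certificates = []tls.Certificate{deviceCert}
	}
	ln := must(net.Listen("tcp", "127.0.0.1:0")) // loopback stand-in for port 443
	defer ln.Close()
	deviceErr := make(chan error, 1)
	go func() { // the device connects and runs its side of the handshake
		device, err := tls.Dial("tcp", ln.Addr().String(), deviceCfg)
		if err == nil {
			device.Close()
		}
		deviceErr <- err
	}()
	endpoint := tls.Server(must(ln.Accept()), endpointCfg)
	defer endpoint.Close()
	if err := endpoint.Handshake(); err != nil {
		return "", err
	}
	if err := <-deviceErr; err != nil {
		return "", err
	}
	proto := endpoint.ConnectionState().NegotiatedProtocol
	if proto != mqttALPN {
		return proto, fmt.Errorf("ALPN %q negotiated; the endpoint would not treat this as MQTT", proto)
	}
	return proto, nil
}

func main() {
	fmt.Println(Negotiate([]string{mqttALPN}, true)) // a device offering the MQTT ALPN
}
```

Calling Negotiate with nil, or with only "http/1.1", shows what a device whose TLS stack lacks ALPN gets on port 443: the TLS handshake itself succeeds, so the problem only surfaces afterwards when the endpoint does not treat the bytes that follow as MQTT. That is why the check to run on a device's TLS library is the negotiated protocol right after the handshake, not merely "TLS connected". Against the real endpoint the equivalent check is `openssl s_client -connect <your-endpoint>:443 -alpn x-amzn-mqtt-ca -cert device.pem -key device.key -CAfile AmazonRootCA1.pem`, reading the ALPN protocol line of its output; the endpoint and file names there are placeholders.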