AWS IoT Core removes TLS ALPN requirement and adds custom authorizer capabilities

Posted on: Oct 3, 2024

Today, AWS IoT Core announces three new capabilities for domain configurations. Devices no longer need to rely on Transport Layer Security (TLS) Application Layer Protocol Negotiation (ALPN) extension to determine authentication type and protocol. Furthermore, developers can add additional X.509 client certificates validation to custom authentication workflow. Previously, devices selected authentication type by connecting to a defined port and providing TLS ALPN with chosen protocol. The new capability to configure authentication type and protocol purely based on the TLS Server Name Indication (SNI) extension makes it simpler to connect devices to the cloud without requiring TLS ALPN. This enables developers to migrate existing device fleets to AWS IoT Core without firmware updates or Amazon-specific TLS ALPN strings. The authentication type and protocol combination will be assigned to an endpoint for all supported TCP ports of this custom domain.

Building on the above-mentioned feature, AWS IoT Core added two additional authentication capabilities. Custom Authentication with X.509 Client Certificates allows customers to authenticate IoT devices using X.509 certificates and then add custom authentication logics as an additional layer of security check. Secondly, Custom Client Certificate Validation allows customers to validate X.509 client certificate based on a custom Lambda function. For example, developers can build custom certificate revocation checks, such as, Online Certificate Status Protocol and Certificate Revocation List, before allowing a client to connect.

All three capabilities are available in all AWS regions where AWS IoT Core is present, except AWS GovCloud (US). Visit the developer guide to learn more about this feature.