Matt-7416 asked

Debug D2C IoT Hub traffic inside a TLS session

I have an IoT device that unfortunately makes it difficult to inspect network traffic inside of a TLS socket that it establishes.

I'm trying to use an MQTT client on this device to PUBLISH an MQTT control packet to IoT Hub, but after I send the control packet, IoT Hub disconnects and the message never arrives in IoT Hub.

I'm only starting out so I don't have any routes and am just relying on the default IoT Hub route.
Using the "az iot hub monitor-events --hub-name ..." Azure CLI command to monitor for the incoming MQTT messages.

If I use the Azure Python IoT Hub SDK, I can see the MQTT messages get delivered just fine.
I just can't seem to get it to work with this other MQTT client on the physical IoT device.

So my question is: How does one debug this MQTT PUBLISH issue, or more generally any other IoT device-to-cloud telemetry issue, when you can't inspect the traffic inside the TLS session?

E.g. Is there an Azure CLI tool that is an equivalent of the actual IoT Hub and can be run locally?
Is there a way to temporarily disable TLS on the IoT Hub end-point?

azure-iot-hub

1 Answer

asergaz answered

Hello @Matt-7416,
Let me start with the last question:

> Is there a way to temporarily disable TLS on the IoT Hub end-point?

No, that is not possible. IoT Hub only accepts secured connections over the Transport Layer Security (TLS) standard, supporting versions 1.2 and 1.0. See more information here: Security recommendations for Azure Internet of Things (IoT) deployment

We need to guarantee that the connection to IoT Hub when using MQTT is done over port 8883 (the secure way). See more info about Port numbers.

Focusing on this result you shared with us:

> If I use the Azure Python IoT Hub SDK, I can see the MQTT messages get delivered just fine.
> I just can't seem to get it to work with this other MQTT client on the physical IoT device.

I suspect that when you are not using Azure Python IoT SDK, you are not bringing the Baltimore Certificate into the picture? "In order to establish a TLS connection, you may need to download and reference the DigiCert Baltimore Root Certificate. This certificate is the one that Azure uses to secure the connection."

Please have a look at the following article that has an example of how to implement this using the Python version of the Paho MQTT library by the Eclipse Foundation.

> Is there an Azure CLI tool that is an equivalent of the actual IoT Hub and can be run locally?

I am not 100% sure if this answers your question, but you can use IoT Edge for connecting downstream devices while the internet connection is offline or when you need to use a different protocol than the ones currently supported by IoT Hub.

I hope I could help, thank you.


> I suspect that when you are not using Azure Python IoT SDK, you are not bringing the Baltimore Certificate into the picture? "In order to establish a TLS connection, you may need to download and reference the DigiCert Baltimore Root Certificate. This certificate is the one that Azure uses to secure the connection."

Thanks, but it wasn't a certificate issue.
Turns out I was publishing to the wrong MQTT topic.

Having said that, I think the general nature of my question still stands.

It sounds like at this point in time there is nothing on offer for Azure to help with this, but it looks like IoT Edge might be a roundabout way to something similar.

Thanks @asergaz

1 Vote 1 ·

Thanks for validating that, @Matt-7416. How can I help further so we have a verified answer on this thread?

Regards.

0 Votes 0 ·
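
Since the cause in this thread turned out to be the publish topic, a device's MQTT settings can be checked offline, before they disappear into the TLS session. The following is an added example, not code from the thread or from Microsoft: the function name `check_d2c_settings` and the sample hub and device names are hypothetical, and the topic, username and QoS rules it checks come from Azure's public IoT Hub MQTT documentation rather than from this page.

```python
import re

# Conventions below come from Azure's public IoT Hub MQTT documentation,
# not from this thread. All sample values are constructed.
TOPIC_RE = re.compile(r"^devices/(?P<dev>[^/]+)/messages/events/(?P<props>[^/]*)$")
USER_RE = re.compile(r"^(?P<host>[^/]+)/(?P<dev>[^/]+)/\?api-version=[^&]+(&.*)?$")


def check_d2c_settings(host, port, client_id, username, topic, qos=1):
    """Return a list of problems in a device's MQTT settings (empty list = OK)."""
    problems = []
    if port != 8883:
        problems.append(f"port {port}: IoT Hub MQTT is served over TLS on 8883")
    user = USER_RE.match(username)
    if not user:
        problems.append("username: expected '<hub-host>/<device-id>/?api-version=<version>'")
    else:
        if user["host"].lower() != host.lower():
            problems.append("username: hub host differs from the host being dialled")
        if user["dev"] != client_id:
            problems.append("username: device id differs from the MQTT client id")
    m = TOPIC_RE.match(topic)
    if not m:
        problems.append(f"topic {topic!r}: expected 'devices/<device-id>/messages/events/'")
    elif m["dev"] != client_id:
        problems.append(f"topic: device id {m['dev']!r} is not the client id {client_id!r}")
    if qos not in (0, 1):
        problems.append(f"qos {qos}: IoT Hub closes the connection on QoS 2 publishes")
    return problems


if __name__ == "__main__":
    base = dict(  # constructed sample settings
        host="contoso-hub.azure-devices.net",
        port=8883,
        client_id="sensor-01",
        username="contoso-hub.azure-devices.net/sensor-01/?api-version=2021-04-12",
    )
    for topic in (
        "devices/sensor-01/messages/events/",           # documented D2C topic
        "devices/sensor-01/messages/events/room=lab1",  # with a property bag
        "telemetry/sensor-01",                          # arbitrary broker-style topic
        "devices/sensor-02/messages/events/",           # another device's topic
    ):
        print(topic, "->", check_d2c_settings(topic=topic, **base) or "OK")
```

Running the same check against the values the physical device is configured with narrows a silent disconnect down to a specific field without needing to decrypt the session.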