Debug D2C IoT Hub traffic inside a TLS session

Matt 46 Reputation points
2021-10-05T02:25:40.99+00:00

I have an IoT device that unfortunately makes it difficult to inspect network traffic inside of a TLS socket that it establishes.

I'm trying to use an MQTT client on this device to PUBLISH an MQTT control packet to IoT Hub, but after I send the control packet, IoT Hub disconnects and the message never arrives in IoT Hub.

I'm only starting out so I don't have any routes and am just relying on the default IoT Hub route.
I am using the "az iot hub monitor-events --hub-name ..." Azure CLI command to monitor for the incoming MQTT messages.

If I use the Azure Python IoT Hub SDK, I can see the MQTT messages get delivered just fine.
I just can't seem to get it to work with this other MQTT client on the physical IoT device.

So my question is: How does one debug this MQTT PUBLISH issue, or more generally any other IoT device-to-cloud telemetry issue, when you can't inspect the traffic inside the TLS session?

E.g. Is there an Azure CLI tool that is an equivalent of the actual IoT Hub and can be run locally?
Is there a way to temporarily disable TLS on the IoT Hub end-point?

Accepted answer
    António Sérgio Azevedo 7,666 Reputation points Microsoft Employee
    2021-10-06T13:52:28.093+00:00

    Hello @Matt ,
    Let me start with the last question:

    Is there a way to temporarily disable TLS on the IoT Hub end-point?

    No, that is not possible. IoT Hub only accepts secured connections over the Transport Layer Security (TLS) standard, supporting versions 1.2 and 1.0. See more information here: Security recommendations for Azure Internet of Things (IoT) deployment

    We need to guarantee that the connection to IoT Hub when using MQTT is done over port 8883 (the secure way). See more info about Port numbers.

    Focusing on this result you shared with us:

    If I use the Azure Python IoT Hub SDK, I can see the MQTT messages get delivered just fine.
    I just can't seem to get it to work with this other MQTT client on the physical IoT device.

    I suspect that when you are not using Azure Python IoT SDK, you are not bringing the Baltimore Certificate into the picture? "In order to establish a TLS connection, you may need to download and reference the DigiCert Baltimore Root Certificate. This certificate is the one that Azure uses to secure the connection."

    Please have a look at the following article that has an example of how to implement this using the Python version of the Paho MQTT library by the Eclipse Foundation.

    Is there an Azure CLI tool that is an equivalent of the actual IoT Hub and can be run locally?

    I am not 100% sure if this answers your question, but you can use IoT Edge for connecting downstream devices while the internet connection is offline or when you need to use a different protocol than the ones currently supported by IoT Hub.

    I hope I could help, thank you.

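Worked example added to this thread (not code from the question, the answer, or the Azure SDKs). Since the TLS session cannot be opened on the hub side, the practical way to see what the hub receives and answers is to log at the MQTT layer on the client, before encryption: Paho's `on_log` callback prints every CONNECT, CONNACK, PUBLISH, PUBACK and disconnect, and the CONNACK return code and disconnect code tell you whether the problem is the SAS token/username (rejected at CONNECT) or the PUBLISH itself (hub closes the connection). The block below builds the username, client ID, telemetry topic and SAS password IoT Hub expects, runs a static pre-flight over the PUBLISH for the two things IoT Hub is documented to drop a connection or message for (a topic outside `devices/{device_id}/messages/events/`, QoS 2, and an oversized payload), and then connects over port 8883 with the root CA pinned. Assumptions: `myhub`, `dev01`, the base64 device key and the CA path are constructed placeholders; `API_VERSION` is assumed to be the current IoT Hub MQTT api-version. One caveat on the answer's certificate advice: the Baltimore CyberTrust Root was correct when it was written, but Azure IoT Hub has since migrated its chain to DigiCert Global Root G2, so load whichever root the hub currently presents.

```python
"""Minimal Paho MQTT client for Azure IoT Hub with MQTT-layer logging.

Added example for this thread, not code from the original post or from the
Azure SDKs. Hub name, device ID, device key and CA path are constructed
placeholders; API_VERSION is assumed to be the current IoT Hub api-version.
"""
import base64
import hashlib
import hmac
import ssl
import time
import urllib.parse

API_VERSION = "2021-04-12"     # assumption: IoT Hub MQTT api-version in use
MAX_D2C_BYTES = 256 * 1024     # IoT Hub device-to-cloud message size limit

# Constructed demo key (base64 of 32 ASCII bytes); never a real device key.
DEMO_DEVICE_KEY = "MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3ODlhYmNkZWY="


def mqtt_identity(hub_name, device_id):
    """MQTT connection parameters IoT Hub expects for one device identity."""
    host = f"{hub_name}.azure-devices.net"
    return {
        "host": host,
        "port": 8883,                                    # TLS only; 1883 is never open
        "client_id": device_id,
        "username": f"{host}/{device_id}/?api-version={API_VERSION}",
        "resource_uri": f"{host}/devices/{device_id}",   # scope the SAS token is signed over
        "telemetry_topic": f"devices/{device_id}/messages/events/",
    }


def sas_token(resource_uri, device_key_b64, ttl_seconds=3600, now=None):
    """Shared access signature used as the MQTT password.

    sig = HMAC-SHA256(base64decode(key), "<url-encoded resource uri>\\n<expiry>")
    """
    expiry = int((time.time() if now is None else now) + ttl_seconds)
    sr = urllib.parse.quote(resource_uri, safe="")
    to_sign = f"{sr}\n{expiry}".encode("utf-8")
    digest = hmac.new(base64.b64decode(device_key_b64), to_sign, hashlib.sha256).digest()
    sig = urllib.parse.quote(base64.b64encode(digest).decode("ascii"), safe="")
    return f"SharedAccessSignature sr={sr}&sig={sig}&se={expiry}"


def publish_problems(device_id, topic, qos, payload_len):
    """Static pre-flight: reasons IoT Hub would drop this PUBLISH or the connection."""
    problems = []
    prefix = f"devices/{device_id}/messages/events/"
    if not topic.startswith(prefix):
        problems.append(f"topic must start with {prefix!r}, got {topic!r}")
    if qos == 2:
        problems.append("QoS 2 is not supported; IoT Hub closes the connection on a QoS 2 PUBLISH")
    if payload_len > MAX_D2C_BYTES:
        problems.append(f"payload {payload_len} bytes exceeds the {MAX_D2C_BYTES}-byte D2C limit")
    return problems


def connect_and_publish(identity, password, ca_path, payload, qos=1, timeout=10):
    """Connect over TLS and publish once, logging every MQTT packet Paho sends or receives.

    The log lines are produced by the client before encryption, so they show the
    exchange with the hub (CONNACK code, PUBACK, or a disconnect right after the
    PUBLISH) without any need to break the TLS session.
    """
    import paho.mqtt.client as mqtt   # pip install paho-mqtt

    state = {"connect_rc": None, "disconnect_rc": None}

    def on_log(client, userdata, level, buf):
        print(f"[mqtt] {buf}")        # e.g. "Sending CONNECT ...", "Received CONNACK (0, 0)"

    def on_connect(client, userdata, flags, rc):
        state["connect_rc"] = rc      # 0 = accepted; 5 = not authorised (bad SAS or username)

    def on_disconnect(client, userdata, rc):
        state["disconnect_rc"] = rc   # non-zero = hub dropped the session (bad topic, QoS 2, ...)

    client = mqtt.Client(client_id=identity["client_id"], protocol=mqtt.MQTTv311)
    client.username_pw_set(identity["username"], password)
    client.tls_set(ca_certs=ca_path, cert_reqs=ssl.CERT_REQUIRED, tls_version=ssl.PROTOCOL_TLSv1_2)
    client.on_log, client.on_connect, client.on_disconnect = on_log, on_connect, on_disconnect

    client.connect(identity["host"], identity["port"], keepalive=60)
    client.loop_start()
    deadline = time.time() + timeout
    while state["connect_rc"] is None and time.time() < deadline:
        time.sleep(0.1)
    if state["connect_rc"] != 0:
        client.loop_stop()
        raise RuntimeError(f"CONNECT failed or timed out, rc={state['connect_rc']}")

    info = client.publish(identity["telemetry_topic"], payload, qos=qos)
    info.wait_for_publish(timeout=timeout)
    time.sleep(1)                     # give an unexpected disconnect time to surface in on_disconnect
    client.disconnect()
    client.loop_stop()
    return state


if __name__ == "__main__":
    ident = mqtt_identity("myhub", "dev01")                      # placeholders
    for p in publish_problems("dev01", ident["telemetry_topic"], 1, 64):
        print("pre-flight:", p)
    password = sas_token(ident["resource_uri"], DEMO_DEVICE_KEY)
    # ca_path: the root the hub currently chains to (placeholder path)
    print(connect_and_publish(ident, password, "/path/to/root-ca.pem", b'{"temp": 21.5}'))
```

If `on_log` shows `Received CONNACK (0, 5)` the device credentials are wrong (username format, token signature, expiry, or clock skew); if the CONNACK is `(0, 0)` but a disconnect follows the PUBLISH, run `publish_problems` over the exact topic and QoS the device uses. Paho 2.x emits a deprecation warning for the VERSION1 callback signatures used here but still runs them.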
