[Node.js][Azure IoT Hub] Server certificate verification on device

  • Question

  • Hi, we are developing our software on a Linux embedded device using NodeJS. At the moment we are able to communicate with the IoTHub without problems using the AMQP protocol (we are not interested in HTTP or MQTT at the moment), but I have a question. I cannot find where the verification of the server certificate is performed; we have performed some tests on a device without any certificate authority installed and the connection with the IoTHub worked smoothly. So the question is: is certificate verification performed in the AMQP libraries? If so, what certificate authorities are used? Looking at the C libraries I can see the file certs.c used to set the trusted certificate, but I cannot see anything similar in the Node implementation, maybe I'm missing some part of the mechanism?

    Thank you,

    Gabriele

    Sunday, July 10, 2016 9:49 PM

All replies

  • Hi,

    Thank you for posting here.

    If you are using the Azure IoT SDK for Node or the library node-amqp10 as the AMQP library to communicate with the IoTHub on your devices, you can find the source code supporting the trusted certificate as below.

    1. For Azure IoTHub SDK for Node, please see the source code at https://github.com/Azure/azure-iot-sdks/blob/eae4b5547329ffeacdbf8a7a2311f7c696c6c521/node/device/transport/amqp/lib/amqp.js#L178.

    And there is a sample code using cert files, please see https://github.com/Azure/azure-iot-sdks/blob/eae4b5547329ffeacdbf8a7a2311f7c696c6c521/node/device/samples/simple_sample_device_x509.js.

    2. For node-amqp10, please see the source code at https://github.com/noodlefrenzy/node-amqp10/blob/95b2e4a4923414274d99dbfc7321876bd77df37b/lib/policies/policy.js#L45. And you will need to set up the trusted certificate via the connection API from https://github.com/noodlefrenzy/node-amqp10/blob/5d701dd4046ef598bb1edf3b2c9f41c2cf967dbb/lib/connection.js#L137.

    For enabling the trusted certificate for the connection, you can refer to the article https://azure.microsoft.com/en-us/documentation/articles/iot-hub-gateway-device-management/ to learn how.

    Best Regards,

    Peter Pan

    Monday, July 11, 2016 2:11 PM
    Moderator
  • Hi, thank you for your answer, but I was asking about the verification of the server certificate performed in the standard TLS handshake at the beginning of the communication (AMQP, HTTP or MQTT). The handshake part of the communication (that switches from insecure to TLS-secured communication) is common to the three protocols and is mandatory to continue with secure communication. The server certificate (not the device certificate) must be validated by the device to avoid man-in-the-middle attacks, and to perform this operation the client (the device) must have a list of certificate authorities (CA) to validate the server's certificate. But I cannot find where this operation is performed in the Node code, and using a device without any CA list, the operation still works properly, so maybe the libraries don't perform certificate validation and it's a duty of the application to perform this kind of check? Or maybe the libraries embed the CA needed to validate the certificate and I'm missing it?

    Thank you again and best regards

    Monday, July 11, 2016 3:15 PM