I am using IoT DPS and IoT Hub from a Linux VM + IoT Python SDK. My understanding is that I am not impacted, based on the input you provided:
"If your devices depend on the operating system certificate store for getting these roots or use the device/gateway SDKs as provided, then no action is required."
In addition, I did the following test with curl:
[admin@node01 ~]$ curl -v https://global-canary.azure-devices-provisioning.net:8883
* About to connect() to global-canary.azure-devices-provisioning.net port 8883 (#0)
* Trying 52.225.179.220...
* Connected to global-canary.azure-devices-provisioning.net (52.225.179.220) port 8883 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=*.azure-devices-provisioning.net
* start date: Sep 08 21:29:05 2020 GMT
* expire date: Sep 08 21:29:05 2021 GMT
* common name: *.azure-devices-provisioning.net
* issuer: CN=Microsoft RSA TLS CA 01,O=Microsoft Corporation,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: global-canary.azure-devices-provisioning.net:8883
> Accept: */*
>
* Empty reply from server
* Connection #0 to host global-canary.azure-devices-provisioning.net left intact
curl: (52) NSS: client certificate not found (nickname not specified)
[admin@node01 ~]$ curl -v https://sdk-cert-test.azure-devices.net:8883
* About to connect() to sdk-cert-test.azure-devices.net port 8883 (#0)
* Trying 52.180.177.125...
* Connected to sdk-cert-test.azure-devices.net (52.180.177.125) port 8883 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=*.azure-devices.net
* start date: Sep 10 21:15:38 2020 GMT
* expire date: Sep 10 21:15:38 2021 GMT
* common name: *.azure-devices.net
* issuer: CN=Microsoft RSA TLS CA 01,O=Microsoft Corporation,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: sdk-cert-test.azure-devices.net:8883
> Accept: */*
>
* Empty reply from server
* Connection #0 to host sdk-cert-test.azure-devices.net left intact
curl: (52) NSS: client certificate not found (nickname not specified)
[admin@node01 ~]$
In case of issues with validation of the server certificate, curl reports it, and the "-k, --insecure" option is needed to skip validation of the server cert.
Does the above test confirm that I will not be impacted?
Thanks,
Leszek
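
An added example, not part of the original post: a Python helper that reads a `curl -v` transcript like the one above and separates certificate-validation failures (curl codes 51, 60 and 77) from errors that occur after the TLS handshake, such as the (52) empty reply. The function name, verdict labels and the rejected-chain sample are assumptions made for illustration.

```python
import re

# curl exit codes for a rejected server certificate (51, 60) or unreadable CA file (77).
CERT_FAILURE_CODES = {51, 60, 77}

def classify_curl_verbose(transcript):
    """Summarise one `curl -v` run (hypothetical helper, not part of curl or any SDK)."""
    info = {"insecure": False, "handshake": False, "cipher": None, "issuer": None, "exit_code": 0}
    for line in transcript.splitlines():
        line = line.strip()
        # A prompt line with -k/--insecure means validation was switched off.
        if re.search(r"\$\s*curl\b.*\s(-[A-Za-z]*k[A-Za-z]*|--insecure)\b", line):
            info["insecure"] = True
        m = re.match(r"\* SSL connection using (\S+)", line)
        if m:  # curl prints this only after the TLS handshake has completed
            info["handshake"], info["cipher"] = True, m.group(1)
        m = re.match(r"\*\s+issuer: (.+)", line)
        if m:
            info["issuer"] = m.group(1)
        m = re.match(r"curl: \((\d+)\)", line)
        if m:
            info["exit_code"] = int(m.group(1))
    if info["exit_code"] in CERT_FAILURE_CODES:
        info["verdict"] = "certificate rejected"
    elif info["handshake"] and not info["insecure"]:
        info["verdict"] = "chain accepted by CA bundle"
    elif info["handshake"]:
        info["verdict"] = "inconclusive: validation disabled"
    else:
        info["verdict"] = "inconclusive: no TLS handshake"
    return info

# Constructed sample: selected lines copied from the transcript in the post.
SAMPLE_FROM_POST = """\
[admin@node01 ~]$ curl -v https://global-canary.azure-devices-provisioning.net:8883
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* issuer: CN=Microsoft RSA TLS CA 01,O=Microsoft Corporation,C=US
* Empty reply from server
curl: (52) NSS: client certificate not found (nickname not specified)
"""

# Constructed sample of a rejected chain; host and message text are placeholders.
SAMPLE_REJECTED = """\
[admin@node01 ~]$ curl -v https://device-endpoint.example:8883
curl: (60) certificate issuer not recognized (constructed message)
"""

if __name__ == "__main__":
    print(classify_curl_verbose(SAMPLE_FROM_POST), classify_curl_verbose(SAMPLE_REJECTED))
```

The verdict only describes what curl's own CA bundle accepted for the certificate the endpoint served at that moment; it says nothing about a client that pins or ships its own root certificates.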