1 (edited by gilo 2021-08-27 01:02:35)

Topic: Authenticating a Dynamic DNS server

Hi,

Our company uses wolfMQTT together with wolfSSL on a pic32 embedded client to communicate with a third-party MQTT broker, let's call it "domain1".

The pic32 client has the "domain1" server certificate planted within the code, and the wolfSSL_check_domain_name() function is called to authenticate the domain. The connection is secured and is working great.

While the pic32 MQTT clients are being scattered across customers' sites all over the world, it might happen that this third-party MQTT broker would not be reliable anymore.

In order to solve this possible problem, we decided to create a middle-way DNS record (let's call it "domain2") on our private server that points to the DNS name of whatever MQTT broker will be used in the future (currently "domain1", but it can be "domain3" in the future) - like a linked list (-: .

Currently we tried changing the wolfMQTT "DEFAULT_MQTT_HOST" from pointing to good old "domain1" to pointing to the middle-way DNS record "domain2", and it does not connect. I guess it's because the pre-planted server certificate still has "domain1" in it.

The question is: what server certificate (and its domain) is required to pre-plant inside the pic32 MQTT client in order to communicate with every possible domain that will be pointed to by "domain2" (I believe this is called dynamic DNS)?

Thanks in advance,

Gil


Re: Authenticating a Dynamic DNS server

Hi Gil,

Are you using a pre-shared key cert or public key for the authentication? You could use a CA that signs any new broker's cert to allow the clients to verify the new broker's cert.

Thanks,
Eric @ wolfSSL Support

3 (edited by gilo 2021-08-28 01:09:13)

Re: Authenticating a Dynamic DNS server

Yes, we are using a pre-shared key cert and public key.
How does using a CA solve this problem?


Re: Authenticating a Dynamic DNS server

Does your application call `wolfSSL_check_domain_name`? Verifying the common name in the cert is fine, but not necessary if you also have a trusted CA that signed the server's certificate.
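To show why the client stops connecting once DEFAULT_MQTT_HOST is switched to "domain2", here is an added example (not wolfSSL's or wolfMQTT's code) of the kind of name comparison a domain check performs against a certificate's CN and SAN dNSName entries. The certificate contents and the names "domain1.example" / "domain2.example" are constructed for illustration; the assumption is that the client verifies the name it dialled, so the broker certificate that a trusted CA issues must list that name.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive equality of two DNS names (DNS labels are case-insensitive). */
static bool ci_equal(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == '\0' && *b == '\0';
}

/* Match the dialled host against one certificate name. A single leading "*."
 * wildcard may stand in for exactly one left-most label (RFC 6125 style). */
static bool name_matches(const char *cert_name, const char *host) {
    if (strncmp(cert_name, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host) return false;    /* host needs a label before the dot */
        if (strchr(cert_name + 2, '*') != NULL) return false; /* only one wildcard allowed */
        return ci_equal(cert_name + 2, dot + 1);
    }
    return ci_equal(cert_name, host);
}

/* The identity a certificate presents: subject CN plus SAN dNSName entries. */
struct cert_names {
    const char *cn;
    const char *san[4];
    int san_count;
};

/* True if the host the client connected to is covered by the certificate.
 * When SAN dNSNames are present they take precedence and the CN is ignored. */
bool host_accepted(const struct cert_names *c, const char *host) {
    if (c->san_count > 0) {
        for (int i = 0; i < c->san_count; i++)
            if (name_matches(c->san[i], host)) return true;
        return false;
    }
    return c->cn != NULL && name_matches(c->cn, host);
}

/* Constructed sample certificates for the thread's scenario. */
const struct cert_names OLD_BROKER_CERT = { "domain1.example", { "domain1.example" }, 1 };
const struct cert_names CA_ISSUED_CERT  = { "domain1.example",
                                            { "domain1.example", "domain2.example" }, 2 };
const struct cert_names WILDCARD_CERT   = { "*.example", { "*.example" }, 1 };
```

With the old pinned certificate, dialling "domain2.example" fails the check; a CA-issued certificate that also lists the middle-way name (or a wildcard covering it) passes, while the client keeps trusting only the CA rather than any one broker certificate.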