Redirect TLS traffic by hostname

amazon-web-services ssl man-in-the-middle openwrt

I have an IoT device that connects to a.iot.x.amazonaws.com at port 8883 (secure MQTT). I would instead like it to connect to my own site at b.iot.x.amazonaws.com (same port and protocol). I would like to use network tools to redirect the traffic. I do not wish to replace the firmware on the IoT device. I am using a site on the same subdomain (iot.x) to avoid TLS issues, since the certificate AWS provides covers the whole iot.x subdomain.

My trouble is, I think both domains resolve to the same IP addresses, so I can't simply use the hosts file in my OpenWRT router to redirect traffic. Shared hosting would mean that the site it connects to is determined by the domain name, not the IP address alone.

Is modifying the domain name during the connection request enough to accomplish this? Is there a tool available to do this?


Solution 1:

Distinguishing between different domains on the same IP address is done using the server_name extension (SNI) in the TLS handshake. Changing this information by some man-in-the-middle would lead to a failing integrity check over the TLS handshake, causing the handshake to fail. This means that this kind of approach is not possible.

Related

WordPress unable to connect to MySQL from GCP Compute Engine VM
Linux Link Speed Advertise
Flushing IP table doesn’t flush NAT
Automate the creation of database/user/password into K8 for Bitnami helm chart postgresql
Proper way to create unique_ptr that holds an allocated array
SQL - IF EXISTS UPDATE ELSE INSERT INTO
Lambda including if...elif...else
std::thread calling method of class [duplicate]
Project with path ':mypath' could not be found in root project 'myproject'
Is there a way to use pipenv with Jupyter notebook?
Jest how to assert that function is not called
javascript: calculate x% of a number