How to add host header to the mqtt client on android?

Is there a way to add a host header to the HiveMQ client for Android?

Hi Kevin,

Welcome to the HiveMQ Community! We’re thrilled to have you join us, especially given your interest in MQTT and the HiveMQ broker. It’s always inspiring to see new members like yourself engaging with our platform.

Regarding your question about adding a host header to the HiveMQ client for Android, it’s important to note that MQTT operates independently of HTTP and therefore does not utilize HTTP headers such as Host. Instead, when you establish a connection, you specify the broker’s address (either hostname or IP), which fulfills a similar role to the Host header in HTTP.

If you have any more questions or need further assistance, please feel free to ask. We’re here to help!

Best regards,
Dasha from the HiveMQ Team

Thank you for clarifying that for me, Daria. I have a new question. I am looking for a way to make sure that my network requests or MQTT tasks are not visible using Wireshark, so that I don't have issues with networks that have DNS rebinding protection enabled.

So this works when connecting to the IP address as the server host, but I get the error javax.net.ssl.SSLHandshakeException: No subjectAltNames on the certificate match

So I have to set the hostnameVerifier to always return true:

```kotlin
// Disables hostname verification entirely: any certificate name is accepted.
val sslConfig = MqttClientSslConfig.builder()
    .hostnameVerifier { _, _ -> true }
    .build()
```

and it works, but is there another way to keep the security of SSL?

Hi Kevin,

I’m glad I could help earlier! Regarding your new question, it sounds like you’re dealing with issues related to SSL certificate validation when connecting to your server via IP address rather than DNS hostname. Here’s a bit more information that might help:

Please check the Subject Alternative Name (SAN) field in your server’s certificate. The SAN needs to match the hostname you’re using. If you’re using an IP address instead of a hostname, the SAN must include that IP address.

By ensuring the SAN matches your IP address, you can avoid disabling hostname verification, maintaining the security benefits of SSL.

Let me know if you need any more help with this!

Best,
Dasha from the HiveMQ Team

Hi Daria, I have a new question. If I configure the MQTT client to use the hostname while maintaining SSL security, is there a way to implement behavior similar to DNS over HTTPS in an HTTP client? I’m looking for a method to ensure that my network requests or MQTT tasks are not visible using Wireshark, to avoid issues with networks that have DNS rebinding protection enabled.

Hi @Kevin,

Could you please confirm if my understanding of “DNS over HTTPS” aligns with yours?

  1. First, we use the DNS hostname to obtain the IP address(es) of the broker(s).
  2. Then, in the MQTT client connection, we use the obtained IP address instead of the hostname.

Please let me know if this interpretation is correct. If not, kindly provide an example or refer me to an article that specifies the correct approach.

As we discussed earlier, this method may fail if the server certificate Subject Alternative Name (SAN) does not match the IP address.

One workaround is to disable hostname verification, as in your example:

```kotlin
// Accepts every certificate name; the SAN check is skipped.
val sslConfig = MqttClientSslConfig.builder()
    .hostnameVerifier { _, _ -> true }
    .build()
```

However, for added security, you could implement a more sophisticated check to ensure that the IP matches the one retrieved for the hostname.

Regarding “Hide MQTT traffic from Wireshark,” it’s my understanding that concealing source and destination information in a network packet is not feasible.

I hope this information is helpful.

Best regards,
Dasha from the HiveMQ Team
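One way to implement the "more sophisticated check" mentioned above, as an added example that is neither HiveMQ's code nor code from this thread: the broker name is resolved over DoH in the same style as the OkHttp client later in the thread, the HiveMQ client connects to the resolved IP, and the server certificate is verified against the intended DNS name instead of being accepted unconditionally. BROKER_HOST, the client identifier and the Cloudflare DoH endpoint are assumed values.

```kotlin
import com.hivemq.client.mqtt.MqttClientSslConfig
import com.hivemq.client.mqtt.mqtt5.Mqtt5Client
import okhttp3.HttpUrl.Companion.toHttpUrl
import okhttp3.OkHttpClient
import okhttp3.dnsoverhttps.DnsOverHttps
import java.net.InetAddress
import javax.net.ssl.HostnameVerifier
import javax.net.ssl.HttpsURLConnection

// Assumed value: the DNS name your broker certificate was issued for.
const val BROKER_HOST = "broker.example.com"

// DoH resolver (assumed endpoint); the lookup itself never goes out as plaintext DNS.
fun dohResolver(): DnsOverHttps = DnsOverHttps.Builder()
    .client(OkHttpClient())
    .url("https://cloudflare-dns.com/dns-query".toHttpUrl())
    .bootstrapDnsHosts(InetAddress.getByName("1.1.1.1"), InetAddress.getByName("1.0.0.1"))
    .build()

// Ignores the host the socket was opened to (an IP literal) and asks the platform
// verifier to match the certificate's SANs against the DNS name we actually intended.
// Any certificate issued to a different name still fails the handshake.
fun pinnedHostnameVerifier(expectedHost: String): HostnameVerifier =
    HostnameVerifier { _, session ->
        HttpsURLConnection.getDefaultHostnameVerifier().verify(expectedHost, session)
    }

// Call off the main thread: the DoH lookup performs network I/O.
fun buildMqttClient(): Mqtt5Client {
    val address = dohResolver().lookup(BROKER_HOST).first()
    val sslConfig = MqttClientSslConfig.builder()
        .hostnameVerifier(pinnedHostnameVerifier(BROKER_HOST))
        .build()
    return Mqtt5Client.builder()
        .identifier("doh-mqtt-client")          // assumed identifier
        .serverHost(address.hostAddress)        // connect by IP, no plaintext DNS query
        .serverPort(8883)
        .sslConfig(sslConfig)
        .build()
}
```

Because the socket is opened to an IP literal, the client does not send an SNI extension; if the broker relies on SNI to pick its certificate, this check will fail closed rather than silently accept the wrong certificate.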

No, I mean that I am using DNS over HTTPS for my HTTP client to handle network requests. This implementation uses CloudFront to ensure secure DNS, which helps avoid issues with networks that have DNS rebinding protection enabled, since I am working on a project to set up a controller that would return a local hostname.

This is my code for my HTTP client using DNS over HTTPS:

```kotlin
import android.content.Context
import okhttp3.HttpUrl.Companion.toHttpUrl
import okhttp3.OkHttpClient
import okhttp3.dnsoverhttps.DnsOverHttps
import okhttp3.logging.HttpLoggingInterceptor
import java.net.InetAddress

fun createDoHClient(
    context: Context,
    authDao: AuthDao,
    cognitoService: CognitoService,
    cognitoUserPool: CognitoUserPool
): OkHttpClient {
    // Specify Cloudflare's DNS-over-HTTPS service endpoint
    val dohUrl = "https://cloudflare-dns.com/dns-query".toHttpUrl()

    // Configure the resolver to bootstrap using Cloudflare's DNS servers,
    // so the DoH endpoint itself can be reached without a plaintext DNS lookup
    val dns = DnsOverHttps.Builder().client(OkHttpClient())
        .url(dohUrl)
        .bootstrapDnsHosts(
            InetAddress.getByName("1.1.1.1"),       // Primary IPv4 DNS address
            InetAddress.getByName("1.0.0.1"),       // Secondary IPv4 DNS address
            InetAddress.getByName("2606:4700:4700::1111"), // Primary IPv6 DNS address
            InetAddress.getByName("2606:4700:4700::1001")  // Secondary IPv6 DNS address
        )
        .build()

    // Every request from this client resolves hostnames through the DoH resolver
    return OkHttpClient.Builder()
        .dns(dns)
        .addInterceptor(AuthInterceptor(context, authDao, cognitoService, cognitoUserPool))
        .addInterceptor(HttpLoggingInterceptor().apply {
            level = HttpLoggingInterceptor.Level.BODY
        })
        .build()
}
```

So I am looking for a way to have similar behavior in my MQTT client.

By using HTTPS, DoH ensures that DNS queries and responses are encrypted, preventing third parties from seeing which websites the user is trying to access. Is there not an equivalent of that for MQTT?

Hello @Kevin

By using MQTT TLS, you can ensure that MQTT communications are encrypted and secure, much like how DoH protects DNS queries. Implementing these measures will help protect the privacy and integrity of your MQTT messages from third-party interference. You can find more information at Security Features of HiveMQ :: HiveMQ Documentation

Kind regards,
Diego from HiveMQ Team

Thanks. I have an extra question. Is there a way to set the SNI when I am doing my client configuration? Do you have any example of this?

Hi Kevin,

Thank you for your question. Enabling TLS-SNI depends on the type of client you are using. If you are using the Android client, TLS-SNI is enabled by default.
To verify, you must mock an SSL server locally and analyse the TLS handshake between the server and the client. Detailed instructions on checking TLS-SNI can be found here: HiveMQ Knowledge Base.

I hope this helps! If you have any more questions, feel free to ask.

Best regards,
Dasha from the HiveMQ Team