diff --git a/AWSIoTPythonSDK/core/protocol/paho/client.py b/AWSIoTPythonSDK/core/protocol/paho/client.py
index 9787984..7d8b38b 100755
--- a/AWSIoTPythonSDK/core/protocol/paho/client.py
+++ b/AWSIoTPythonSDK/core/protocol/paho/client.py
@@ -787,14 +787,25 @@ def reconnect(self):
self._ssl = SecuredWebSocketCore(rawSSL, self._host, self._port, self._AWSAccessKeyIDCustomConfig, self._AWSSecretAccessKeyCustomConfig, self._AWSSessionTokenCustomConfig) # Overeride the _ssl socket
# self._ssl.enableDebug()
else:
- self._ssl = ssl.wrap_socket(
- sock,
- certfile=self._tls_certfile,
- keyfile=self._tls_keyfile,
- ca_certs=self._tls_ca_certs,
- cert_reqs=self._tls_cert_reqs,
- ssl_version=self._tls_version,
- ciphers=self._tls_ciphers)
+ if self._port == 8883:
+ self._ssl = ssl.wrap_socket(
+ sock,
+ certfile=self._tls_certfile,
+ keyfile=self._tls_keyfile,
+ ca_certs=self._tls_ca_certs,
+ cert_reqs=self._tls_cert_reqs,
+ ssl_version=self._tls_version,
+ ciphers=self._tls_ciphers)
+ else:
+ context = ssl.SSLContext(self._tls_version)
+ context.load_cert_chain(self._tls_certfile, self._tls_keyfile)
+ context.verify_mode = self._tls_cert_reqs
+ context.load_verify_locations(self._tls_ca_certs)
+ context.set_alpn_protocols(["x-amzn-mqtt-ca"])
+
+ self._ssl = context.wrap_socket(sock, server_hostname=self._host, do_handshake_on_connect=False)
+
+ self._ssl.do_handshake()
if self._tls_insecure is False:
if sys.version_info[0] < 3 or (sys.version_info[0] == 3 and sys.version_info[1] < 5): # No IP host match before 3.5.x
diff --git a/README.rst b/README.rst
index 0f6d258..9b11311 100755
--- a/README.rst
+++ b/README.rst
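Review bot: The new port-443 branch silently drops two TLS settings that the 8883 branch still honours: `self._tls_ciphers` is never applied to `context` (there is no `set_ciphers` call), and `context.check_hostname` is left at the `SSLContext` default, which is False for every `PROTOCOL_*` constant except `PROTOCOL_TLS_CLIENT`, so although `server_hostname=self._host` is sent for SNI the handshake itself does not verify the name and hostname matching rests on the code after the hunk, where only the Python < 3.5 `_tls_match_hostname()` path is visible (the 3.5+ branch is outside this hunk, so I may be missing it). `context.load_verify_locations(self._tls_ca_certs)` also raises `TypeError` when the CA path is None, which the old `ssl.wrap_socket(ca_certs=None)` call accepted, if None can reach this path from `tls_set` (not visible here). I would apply the cipher list when one is configured, guard the CA load, and enable `check_hostname` whenever certificates are verified and `_tls_insecure` is not set, keeping it after `verify_mode` because `check_hostname=True` is rejected under `CERT_NONE`. Checking `self._ssl.selected_alpn_protocol()` after `do_handshake()` would additionally turn a server that did not negotiate `x-amzn-mqtt-ca` into a clear error rather than an opaque MQTT failure; the enclosing `reconnect` method starts and ends outside the hunk.

```python
context.verify_mode = self._tls_cert_reqs
if self._tls_ca_certs is not None:
    context.load_verify_locations(self._tls_ca_certs)
if self._tls_ciphers is not None:
    # keep the caller-supplied cipher restriction, as the 8883 path does
    context.set_ciphers(self._tls_ciphers)
# must follow verify_mode: check_hostname=True is rejected under CERT_NONE
context.check_hostname = (self._tls_cert_reqs != ssl.CERT_NONE
                          and not self._tls_insecure)
context.set_alpn_protocols(["x-amzn-mqtt-ca"])
# ... unchanged: wrap_socket and do_handshake ...
```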
@@ -1,6 +1,38 @@
AWS IoT Device SDK for Python
=============================
+
+Fork
+----
+
+**WARNING**
+
+This fork is patched with support for certificate authentication over port 443, as suggested on
+`this Github issue `__.
+
+All changes can be seen using `Comparing changes `__.
+
+Usage:
+ .. code-block:: python
+
+ # Init AWSIoTMQTTClient
+ myAWSIoTMQTTClient = None
+ myAWSIoTMQTTClient = AWSIoTMQTTClient(clientId)
+ myAWSIoTMQTTClient.configureEndpoint(host, 443)
+ myAWSIoTMQTTClient.configureCredentials(rootCAPath, privateKeyPath, certificatePath)
+
+
+
+Requirements.txt
+ .. code-block:: python
+
+ git+git://github.com/martysweet/aws-iot-device-sdk-python.git
+
+This fork will remain available **until** the offical repository supports the alpn negotiation.
+
+
+Doc
+---
The AWS IoT Device SDK for Python allows developers to write Python script to use their devices to access the AWS IoT platform through `MQTT or MQTT over the WebSocket
diff --git a/apln-patch.patch b/apln-patch.patch
new file mode 100644
index 0000000..c18e43a
--- /dev/null
+++ b/apln-patch.patch
@@ -0,0 +1,38 @@
+--- a/AWSIoTPythonSDK/core/protocol/paho/client.py
++++ b/AWSIoTPythonSDK/core/protocol/paho/client.py
+@@ -787,15 +787,26 @@ class Client(object):
+ self._ssl = SecuredWebSocketCore(rawSSL, self._host, self._port, self._AWSAccessKeyIDCustomConfig, self._AWSSecretAccessKeyCustomConfig, self._AWSSessionTokenCustomConfig) # Overeride the _ssl socket
+ # self._ssl.enableDebug()
+ else:
+- self._ssl = ssl.wrap_socket(
+- sock,
+- certfile=self._tls_certfile,
+- keyfile=self._tls_keyfile,
+- ca_certs=self._tls_ca_certs,
+- cert_reqs=self._tls_cert_reqs,
+- ssl_version=self._tls_version,
+- ciphers=self._tls_ciphers)
+-
++ if self._port == 8883:
++ self._ssl = ssl.wrap_socket(
++ sock,
++ certfile=self._tls_certfile,
++ keyfile=self._tls_keyfile,
++ ca_certs=self._tls_ca_certs,
++ cert_reqs=self._tls_cert_reqs,
++ ssl_version=self._tls_version,
++ ciphers=self._tls_ciphers)
++ else:
++ context = ssl.SSLContext(self._tls_version)
++ context.load_cert_chain(self._tls_certfile, self._tls_keyfile)
++ context.verify_mode = self._tls_cert_reqs
++ context.load_verify_locations(self._tls_ca_certs)
++ context.set_alpn_protocols(["x-amzn-mqtt-ca"])
++
++ self._ssl = context.wrap_socket(sock, server_hostname=self._host, do_handshake_on_connect=False)
++
++ self._ssl.do_handshake()
++
+ if self._tls_insecure is False:
+ if sys.version_info[0] < 3 or (sys.version_info[0] == 3 and sys.version_info[1] < 5): # No IP host match before 3.5.x
+ self._tls_match_hostname()
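Review bot: The checked-in `apln-patch.patch` does not describe the change this commit actually makes to client.py: its inner hunk is `@@ -787,15 +787,26 @@` and carries an extra removed blank line (`+-`) and an extra added blank line after `do_handshake()` (`++`), whereas the committed client.py hunk is `@@ -787,14 +787,25 @@` with neither, so a user who applies this file to the upstream SDK, as the README suggests, ends up with a different tree from this fork. I would regenerate the file from the committed change so the two cannot drift, or drop it and rely on the comparison link alone. The file name also misspells the feature it implements (`apln` for `alpn`), which makes it harder to find; renaming it to `alpn-patch.patch` before it is referenced elsewhere would be cheap.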