nRF7002DK and TLS Sockets -7100 error

Question

Hey everyone,

We have been struggling to get our nRF7002DK connected to any HTTPS server. We've stripped back our evaluation setup to use "google.com" with the example "globalsign_r1" cert and are still running into the same -7100 TLS handshake error. This project is compiled using NCS v2.4.0.

Our evaluation code is based on the WiFi Shell example and pulls in code from other samples. After we have successfully connected to a WiFi network, the device goes through the following routine:

We retrieve and set the system time using the SNTP and POSIX clocks modules. This always works fine.
We use the DNS resolver module to populate the addr_info struct for "google.com"
Afterwards we successfully allocate the socket in the fd table, register credentials with the TLS module, and give the cert data to the socket.
We call "connect" on the socket. This always fails with the -7100 error.
If the connection succeeded, we would send one HTTPS request.

Here's our console output.

uart:~$ Server time is: 1686687543
[00:00:16.668,304] <dbg> net_sock: zsock_socket_internal: (main): socket: ctx=0x20005aa4, fd=7
[00:00:16.668,487] <inf> wifi: Sending SNTP IPv4 request...
[00:00:16.721,160] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004fb2c, st=0, user_data=(nil)
[00:00:16.721,282] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20005aa4, pkt=0x2004fb6c, st=0, user_data=(nil)
[00:00:16.721,862] <inf> wifi: status: 0
[00:00:16.721,862] <inf> wifi: time since Epoch: high word: 0, low word: 1686687543
[00:00:16.721,893] <dbg> net_sock: z_impl_zsock_close: (main): close: ctx=0x20005aa4, fd=7
uart:~$ Current time is now: Tue Jun 13 20:19:05 2023

print_addrinfo_results v4: 1 v6: 2 UNS: 0
ipFamily 47568
ipFamily 1
IPv4: 142.251.40.238
[00:00:23.747,100] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004fb2c, st=0, user_data=(nil)
[00:00:23.747,375] <dbg> net_sock_addr: dns_resolve_cb: (rx_q[0]): dns status: -100
[00:00:23.747,467] <dbg> net_sock_addr: dns_resolve_cb: (rx_q[0]): dns status: -103
Connecting to HTTP Server:
[00:00:23.756,805] <dbg> net_sock_tls: tls_alloc: (main): Allocated TLS context, 0x20001bd0
[00:00:23.757,049] <dbg> net_sock: zsock_socket_internal: (main): socket: ctx=0x20005aa4, fd=8
[00:00:23.788,269] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004faec, st=0, user_data=(nil)
[00:00:23.895,202] <dbg> net_sock: zsock_recv_stream: (main): NULL return from fifo
[00:00:23.924,316] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004fb6c, st=0, user_data=(nil)
[00:00:23.933,197] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004faec, st=0, user_data=(nil)
[00:00:23.934,844] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20005aa4, pkt=0x2004fb6c, st=0, user_data=(nil)
[00:00:23.937,133] <err> net_sock_tls: TLS handshake error: -7100
[00:00:23.938,537] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004faac, st=0, user_data=(nil)
[00:00:23.939,849] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20005aa4, pkt=0x2004faec, st=0, user_data=(nil)
[00:00:23.942,199] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004fa6c, st=0, user_data=(nil)
[00:00:23.942,932] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20005aa4, pkt=0x2004faac, st=0, user_data=(nil)
[00:00:23.945,892] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004fa2c, st=0, user_data=(nil)
[00:00:23.946,594] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20005aa4, pkt=0x2004fa6c, st=0, user_data=(nil)
[00:00:23.948,211] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004f9ec, st=0, user_data=(nil)
[00:00:23.948,944] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20005aa4, pkt=0x2004fa2c, st=0, user_data=(nil)
[00:00:23.950,225] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004f9ac, st=0, user_data=(nil)
[00:00:23.950,866] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20005aa4, pkt=0x2004f9ec, st=0, user_data=(nil)
uart:~$ http_client_req() failed?, err -5

Here's a code snippet corresponding to the console output, in case it is helpful.

k_sleep(K_SECONDS(2));
set_time(); // This function uses the Zephyr SNTP module to open an HTTP socket and retrieve a valid system time.
// The socket is closed afterwards.
k_sleep(K_SECONDS(2));
print_time();
k_sleep(K_SECONDS(5));

int sock;
int err;
struct sockaddr_in *sa;
struct addrinfo *rp;

nslookup("google.com", &rp); // This function is from the "http_get" sample, it performs a DNS lookup for "google.com" and formats the address.

print_addrinfo_results(&rp);

printk("Connecting to HTTP Server:\n");

// Load in the TLS cert for HTTPS
tls_credential_add(CA_CERTIFICATE_TAG, TLS_CREDENTIAL_CA_CERTIFICATE,
                    ca_certificate, sizeof(ca_certificate));

                
// Create Socket
sock = socket(rp->ai_family, rp->ai_socktype, IPPROTO_TLS_1_2); // IPPROTO_TCP //IPPROTO_TLS_1_2
if (sock < 0)
{
    printk("Error creating socket\n");
    return (-1);
}
               
// TLS settings
sec_tag_t sec_tag_opt[] = {
    CA_CERTIFICATE_TAG,
};

err = setsockopt(sock, SOL_TLS, TLS_SEC_TAG_LIST,
    sec_tag_opt, sizeof(sec_tag_opt));
                
if (err < 0)
{
    LOG_ERR("Failed to set TLS security TAG list. Err: %d", errno);
    (void)close(sock);
    return -errno;
}

err = setsockopt(sock, SOL_TLS, TLS_HOSTNAME,
                                 HTTP_HOST, sizeof(HTTP_HOST));
if (err < 0)
{
    LOG_ERR("Failed to set TLS_HOSTNAME option. Err: %d", errno);
    (void)close(sock);
    return -errno;
}

// Iterate through until we get a successful connection
for (; rp != NULL; rp = rp->ai_next)
{
    if (rp->ai_addr->sa_family == AF_INET)
    {
        // IPv4 Address
        sa = (struct sockaddr_in *)rp->ai_addr;
        sa->sin_port = htons(443);
        connect(sock, (struct sockaddr *)sa, sizeof(struct sockaddr_in)); // This function appears to throw the -7100 error.
        if (sock > 0)
            break;
    }
}

k_sleep(K_SECONDS(5));
        
http_get(sock, HTTP_HOST, "/");

k_sleep(K_SECONDS(1));

close(sock);

k_sleep(K_FOREVER);

Here's our prj.conf. We don't use any additional overlays.

# WiFi Console Support.
CONFIG_EARLY_CONSOLE=y

# Network buffers
CONFIG_NET_MAX_CONTEXTS=6
CONFIG_NET_PKT_RX_COUNT=16
CONFIG_NET_PKT_TX_COUNT=16
CONFIG_NET_BUF_RX_COUNT=80
CONFIG_NET_BUF_TX_COUNT=80
CONFIG_NET_BUF_DATA_SIZE=512
CONFIG_HEAP_MEM_POOL_SIZE=120000
CONFIG_NET_TC_TX_COUNT=0

CONFIG_INIT_STACKS=y

CONFIG_NET_SHELL=y

CONFIG_NET_STATISTICS=y
CONFIG_NET_STATISTICS_PERIODIC_OUTPUT=n

# Networking
CONFIG_WIFI=y
CONFIG_WIFI_LOG_LEVEL_ERR=y
CONFIG_NET_L2_WIFI_SHELL=y
CONFIG_NET_CONFIG_SETTINGS=y
CONFIG_NETWORKING=y
CONFIG_NET_LOG=y
CONFIG_NET_IPV6=n
CONFIG_NET_IPV4=y
CONFIG_NET_UDP=y
CONFIG_NET_TCP=y
CONFIG_NET_DHCPV4=y

CONFIG_NET_IF_UNICAST_IPV4_ADDR_COUNT=1
CONFIG_NET_CONTEXT_SYNC_RECV=y

CONFIG_DNS_RESOLVER=y
CONFIG_JSON_LIBRARY=y

# Memories
CONFIG_MAIN_STACK_SIZE=8192
CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=4096
CONFIG_NET_TX_STACK_SIZE=4096
CONFIG_NET_RX_STACK_SIZE=4096

CONFIG_IDLE_STACK_SIZE=640
CONFIG_ISR_STACK_SIZE=4096
CONFIG_SHELL_STACK_SIZE=4096

# Debugging
CONFIG_STACK_SENTINEL=y
CONFIG_DEBUG_COREDUMP=y
CONFIG_DEBUG_COREDUMP_BACKEND_LOGGING=y
CONFIG_DEBUG_COREDUMP_MEMORY_DUMP_MIN=y
CONFIG_SHELL_CMDS_RESIZE=n

CONFIG_NET_SOCKETS_LOG_LEVEL_DBG=y
CONFIG_NET_DEBUG_NET_PKT_ALLOC=y
CONFIG_NET_BUF_POOL_USAGE=y
CONFIG_MBEDTLS_DEBUG_C=y
CONFIG_MBEDTLS_DEBUG_LEVEL=4

# Logging
CONFIG_LOG=y
CONFIG_LOG_BUFFER_SIZE=2048
CONFIG_POSIX_CLOCK=y
#CONFIG_LOG_DEFAULT_LEVEL=4

# HTTP
CONFIG_HTTP_CLIENT=y

# Websockets Support.
CONFIG_NET_SOCKETS=y
CONFIG_NET_SOCKETS_POSIX_NAMES=y
# TLS networking
CONFIG_POSIX_MAX_FDS=16
CONFIG_NET_SOCKETS_ENABLE_DTLS=n
CONFIG_NET_SOCKETS_TLS_MAX_CIPHERSUITES=16
CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=6
CONFIG_TLS_CREDENTIALS=y

# mbed TLS and security
CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS_PK_C=y
CONFIG_MBEDTLS_RSA_C=y
CONFIG_MBEDTLS_PKCS1_V15=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=32768
CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN=2304
CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN=2304
CONFIG_MBEDTLS_TLS_LIBRARY=y
CONFIG_MBEDTLS_X509_LIBRARY=y
CONFIG_NRF_SECURITY_ADVANCED=y
CONFIG_MBEDTLS_CIPHER=y
CONFIG_MBEDTLS_CIPHER_ALL_ENABLED=y

# SNTP Support.
CONFIG_SNTP=y

# Glue - Fixes documented bugs in nRF7002 implementation.
CONFIG_WIFI_NRF700X=y
CONFIG_NET_L2_ETHERNET=y

# Include WPA Supplement. Requires POSIX_API & NET_SOCKETS.
CONFIG_WPA_SUPP=y

# Required to prevent error in \wifi\nrf700x\zephyr\src\shim.c:14:10: fatal error: sys/time.h: No such file or directory
CONFIG_NEWLIB_LIBC=y
CONFIG_NEWLIB_LIBC_NANO=n

# Required to prevent undefined reference to `z_impl_sys_rand32_get'
CONFIG_ENTROPY_GENERATOR=y
CONFIG_TEST_RANDOM_GENERATOR=y

# printing of scan results puts pressure on queues in new locking
# design in net_mgmt. So, use a higher timeout for a crowded
# environment.
CONFIG_NET_MGMT_EVENT_QUEUE_TIMEOUT=5000

CONFIG_DEBUG_THREAD_INFO=y
CONFIG_DEBUG_OPTIMIZATIONS=y

Thanks in advance!

ovrebekk · Accepted Answer

Hi Jeremy 
 The hunt for a fix continues. 
 One of my colleagues was able to get TLS working by changing the crypto backend used from the Oberon backend to the CC3XX backend. We still don't quite understand why this fixes the issue, but I double checked that this worked on my end as well 
 Could you give this a go? 
 Updated prj.conf below: 
 # WiFi Console Support.
CONFIG_EARLY_CONSOLE=y

# Network buffers
CONFIG_NET_MAX_CONTEXTS=6
CONFIG_NET_PKT_RX_COUNT=16
CONFIG_NET_PKT_TX_COUNT=16
CONFIG_NET_BUF_RX_COUNT=80
CONFIG_NET_BUF_TX_COUNT=80
CONFIG_NET_BUF_DATA_SIZE=512
CONFIG_HEAP_MEM_POOL_SIZE=120000
CONFIG_NET_TC_TX_COUNT=0

CONFIG_INIT_STACKS=y

CONFIG_NET_SHELL=y

CONFIG_NET_STATISTICS=y
CONFIG_NET_STATISTICS_PERIODIC_OUTPUT=n

# Networking
CONFIG_WIFI=y
CONFIG_WIFI_LOG_LEVEL_ERR=y
CONFIG_NET_L2_WIFI_SHELL=y
CONFIG_NET_CONFIG_SETTINGS=y
CONFIG_NETWORKING=y
CONFIG_NET_LOG=y
CONFIG_NET_IPV6=n
CONFIG_NET_IPV4=y
CONFIG_NET_UDP=y
CONFIG_NET_TCP=y
CONFIG_NET_DHCPV4=y

CONFIG_NET_IF_UNICAST_IPV4_ADDR_COUNT=1
CONFIG_NET_CONTEXT_SYNC_RECV=y

CONFIG_DNS_RESOLVER=y
CONFIG_JSON_LIBRARY=y

# Memories
CONFIG_MAIN_STACK_SIZE=8192
CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=4096
CONFIG_NET_TX_STACK_SIZE=4096
CONFIG_NET_RX_STACK_SIZE=4096

CONFIG_IDLE_STACK_SIZE=640
CONFIG_ISR_STACK_SIZE=4096
CONFIG_SHELL_STACK_SIZE=4096

# Debugging
CONFIG_STACK_SENTINEL=y
CONFIG_DEBUG_COREDUMP=y
CONFIG_DEBUG_COREDUMP_BACKEND_LOGGING=y
CONFIG_DEBUG_COREDUMP_MEMORY_DUMP_MIN=y
CONFIG_SHELL_CMDS_RESIZE=n

CONFIG_NET_SOCKETS_LOG_LEVEL_DBG=y
CONFIG_NET_DEBUG_NET_PKT_ALLOC=y
CONFIG_NET_BUF_POOL_USAGE=y
CONFIG_MBEDTLS_DEBUG_C=y
CONFIG_MBEDTLS_DEBUG_LEVEL=4

# Logging
CONFIG_LOG=y
CONFIG_LOG_BUFFER_SIZE=2048
CONFIG_POSIX_CLOCK=y
#CONFIG_LOG_DEFAULT_LEVEL=4

# HTTP
CONFIG_HTTP_CLIENT=y

# Websockets Support.
CONFIG_NET_SOCKETS=y
CONFIG_NET_SOCKETS_POSIX_NAMES=y
# TLS networking
CONFIG_POSIX_MAX_FDS=16
CONFIG_NET_SOCKETS_ENABLE_DTLS=n
CONFIG_NET_SOCKETS_TLS_MAX_CIPHERSUITES=16
CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=6
CONFIG_TLS_CREDENTIALS=y

# mbed TLS and security
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN=16384
CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN=16384
CONFIG_MBEDTLS_HEAP_SIZE=128000
CONFIG_MBEDTLS_TLS_LIBRARY=y
CONFIG_MBEDTLS_X509_LIBRARY=y
CONFIG_MBEDTLS_PKCS1_V15=y
CONFIG_NRF_SECURITY_ADVANCED=y
CONFIG_NORDIC_SECURITY_BACKEND=y
CONFIG_PSA_WANT_ALG_SHA_1=y
CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_CRYPT=y
CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN=y
CONFIG_PSA_WANT_ECC_SECP_R1_256=y
CONFIG_MBEDTLS_SSL_DEBUG_ALL=y
CONFIG_MBEDTLS_LOG_LEVEL_DBG=y
CONFIG_CC3XX_BACKEND=y
CONFIG_OBERON_BACKEND=n

CONFIG_MBEDTLS_DEBUG=n
#CONFIG_MBEDTLS_LOG_LEVEL_INF=y

CONFIG_MBEDTLS_SSL_RENEGOTIATION=y
CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION=y
CONFIG_MBEDTLS_KEY_EXCHANGE_ALL_ENABLED=y
CONFIG_MBEDTLS_ECP_ALL_ENABLED=y
CONFIG_MBEDTLS_CIPHER_ALL_ENABLED=y
CONFIG_MBEDTLS_SSL_SESSION_TICKETS=y
CONFIG_MBEDTLS_SSL_CACHE_C=y
CONFIG_MBEDTLS_SSL_TICKET_C=y
CONFIG_PSA_WANT_ECC_TWISTED_EDWARDS_255=y
CONFIG_PSA_CRYPTO_DRIVER_ECC_TWISTED_EDWARDS_255_OBERON=y
CONFIG_MBEDTLS_RSA_C=y

# SNTP Support.
CONFIG_SNTP=y

# Glue - Fixes documented bugs in nRF7002 implementation.
CONFIG_WIFI_NRF700X=y
CONFIG_NET_L2_ETHERNET=y

# Include WPA Supplement. Requires POSIX_API & NET_SOCKETS.
CONFIG_WPA_SUPP=y

# Required to prevent error in \wifi
rf700x\zephyr\src\shim.c:14:10: fatal error: sys/time.h: No such file or directory
CONFIG_NEWLIB_LIBC=y
CONFIG_NEWLIB_LIBC_NANO=n

# Required to prevent undefined reference to `z_impl_sys_rand32_get'
CONFIG_ENTROPY_GENERATOR=y
CONFIG_TEST_RANDOM_GENERATOR=y

# printing of scan results puts pressure on queues in new locking
# design in net_mgmt. So, use a higher timeout for a crowded
# environment.
CONFIG_NET_MGMT_EVENT_QUEUE_TIMEOUT=5000

CONFIG_DEBUG_THREAD_INFO=y
CONFIG_DEBUG_OPTIMIZATIONS=y

CONFIG_NET_TCP_WORKQ_STACK_SIZE=4096 
 Best regards Torbjørn

nRF7002DK and TLS Sockets -7100 error

Top Replies