nRF7002DK and TLS Sockets -7100 error

Hey everyone,

We have been struggling to get our nRF7002DK connected to any HTTPS server. We've stripped back our evaluation setup to use "google.com" with the example "globalsign_r1" cert and are still running into the same -7100 TLS handshake error. This project is compiled using NCS v2.4.0.

Our evaluation code is based on the WiFi Shell example and pulls in code from other samples. After we have successfully connected to a WiFi network, the device goes through the following routine:

  • We retrieve and set the system time using the SNTP and POSIX clocks modules. This always works fine.
  • We use the DNS resolver module to populate the addr_info struct for "google.com"
  • Afterwards we successfully allocate the socket in the fd table, register credentials with the TLS module, and give the cert data to the socket.
  • We call "connect" on the socket. This always fails with the -7100 error.
  • If the connection succeeded, we would send one HTTPS request.

Here's our console output.

uart:~$ Server time is: 1686687543
[00:00:16.668,304] <dbg> net_sock: zsock_socket_internal: (main): socket: ctx=0x20005aa4, fd=7
[00:00:16.668,487] <inf> wifi: Sending SNTP IPv4 request...
[00:00:16.721,160] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004fb2c, st=0, user_data=(nil)
[00:00:16.721,282] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20005aa4, pkt=0x2004fb6c, st=0, user_data=(nil)
[00:00:16.721,862] <inf> wifi: status: 0
[00:00:16.721,862] <inf> wifi: time since Epoch: high word: 0, low word: 1686687543
[00:00:16.721,893] <dbg> net_sock: z_impl_zsock_close: (main): close: ctx=0x20005aa4, fd=7
uart:~$ Current time is now: Tue Jun 13 20:19:05 2023

print_addrinfo_results v4: 1 v6: 2 UNS: 0
ipFamily 47568
ipFamily 1
IPv4: 142.251.40.238
[00:00:23.747,100] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004fb2c, st=0, user_data=(nil)
[00:00:23.747,375] <dbg> net_sock_addr: dns_resolve_cb: (rx_q[0]): dns status: -100
[00:00:23.747,467] <dbg> net_sock_addr: dns_resolve_cb: (rx_q[0]): dns status: -103
Connecting to HTTP Server:
[00:00:23.756,805] <dbg> net_sock_tls: tls_alloc: (main): Allocated TLS context, 0x20001bd0
[00:00:23.757,049] <dbg> net_sock: zsock_socket_internal: (main): socket: ctx=0x20005aa4, fd=8
[00:00:23.788,269] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004faec, st=0, user_data=(nil)
[00:00:23.895,202] <dbg> net_sock: zsock_recv_stream: (main): NULL return from fifo
[00:00:23.924,316] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004fb6c, st=0, user_data=(nil)
[00:00:23.933,197] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004faec, st=0, user_data=(nil)
[00:00:23.934,844] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20005aa4, pkt=0x2004fb6c, st=0, user_data=(nil)
[00:00:23.937,133] <err> net_sock_tls: TLS handshake error: -7100
[00:00:23.938,537] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004faac, st=0, user_data=(nil)
[00:00:23.939,849] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20005aa4, pkt=0x2004faec, st=0, user_data=(nil)
[00:00:23.942,199] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004fa6c, st=0, user_data=(nil)
[00:00:23.942,932] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20005aa4, pkt=0x2004faac, st=0, user_data=(nil)
[00:00:23.945,892] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004fa2c, st=0, user_data=(nil)
[00:00:23.946,594] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20005aa4, pkt=0x2004fa6c, st=0, user_data=(nil)
[00:00:23.948,211] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004f9ec, st=0, user_data=(nil)
[00:00:23.948,944] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20005aa4, pkt=0x2004fa2c, st=0, user_data=(nil)
[00:00:23.950,225] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004f9ac, st=0, user_data=(nil)
[00:00:23.950,866] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20005aa4, pkt=0x2004f9ec, st=0, user_data=(nil)
uart:~$ http_client_req() failed?, err -5

Here's a code snippet corresponding to the console output, in case it is helpful.

k_sleep(K_SECONDS(2));
set_time(); // This function uses the Zephyr SNTP module to open an HTTP socket and retrieve a valid system time.
// The socket is closed afterwards.
k_sleep(K_SECONDS(2));
print_time();
k_sleep(K_SECONDS(5));

int sock;
int err;
struct sockaddr_in *sa;
struct addrinfo *rp;

nslookup("google.com", &rp); // This function is from the "http_get" sample, it performs a DNS lookup for "google.com" and formats the address.

print_addrinfo_results(&rp);

printk("Connecting to HTTP Server:\n");

// Load in the TLS cert for HTTPS
tls_credential_add(CA_CERTIFICATE_TAG, TLS_CREDENTIAL_CA_CERTIFICATE,
                    ca_certificate, sizeof(ca_certificate));

                
// Create Socket
sock = socket(rp->ai_family, rp->ai_socktype, IPPROTO_TLS_1_2); // IPPROTO_TCP //IPPROTO_TLS_1_2
if (sock < 0)
{
    printk("Error creating socket\n");
    return (-1);
}
               
// TLS settings
sec_tag_t sec_tag_opt[] = {
    CA_CERTIFICATE_TAG,
};

err = setsockopt(sock, SOL_TLS, TLS_SEC_TAG_LIST,
    sec_tag_opt, sizeof(sec_tag_opt));
                
if (err < 0)
{
    LOG_ERR("Failed to set TLS security TAG list. Err: %d", errno);
    (void)close(sock);
    return -errno;
}

err = setsockopt(sock, SOL_TLS, TLS_HOSTNAME,
                                 HTTP_HOST, sizeof(HTTP_HOST));
if (err < 0)
{
    LOG_ERR("Failed to set TLS_HOSTNAME option. Err: %d", errno);
    (void)close(sock);
    return -errno;
}

// Iterate through until we get a successful connection
for (; rp != NULL; rp = rp->ai_next)
{
    if (rp->ai_addr->sa_family == AF_INET)
    {
        // IPv4 Address
        sa = (struct sockaddr_in *)rp->ai_addr;
        sa->sin_port = htons(443);
        connect(sock, (struct sockaddr *)sa, sizeof(struct sockaddr_in)); // This function appears to throw the -7100 error.
        if (sock > 0)
            break;
    }
}

k_sleep(K_SECONDS(5));
        
http_get(sock, HTTP_HOST, "/");

k_sleep(K_SECONDS(1));

close(sock);

k_sleep(K_FOREVER);

Here's our prj.conf. We don't use any additional overlays.

# WiFi Console Support.
CONFIG_EARLY_CONSOLE=y

# Network buffers
CONFIG_NET_MAX_CONTEXTS=6
CONFIG_NET_PKT_RX_COUNT=16
CONFIG_NET_PKT_TX_COUNT=16
CONFIG_NET_BUF_RX_COUNT=80
CONFIG_NET_BUF_TX_COUNT=80
CONFIG_NET_BUF_DATA_SIZE=512
CONFIG_HEAP_MEM_POOL_SIZE=120000
CONFIG_NET_TC_TX_COUNT=0

CONFIG_INIT_STACKS=y

CONFIG_NET_SHELL=y

CONFIG_NET_STATISTICS=y
CONFIG_NET_STATISTICS_PERIODIC_OUTPUT=n

# Networking
CONFIG_WIFI=y
CONFIG_WIFI_LOG_LEVEL_ERR=y
CONFIG_NET_L2_WIFI_SHELL=y
CONFIG_NET_CONFIG_SETTINGS=y
CONFIG_NETWORKING=y
CONFIG_NET_LOG=y
CONFIG_NET_IPV6=n
CONFIG_NET_IPV4=y
CONFIG_NET_UDP=y
CONFIG_NET_TCP=y
CONFIG_NET_DHCPV4=y

CONFIG_NET_IF_UNICAST_IPV4_ADDR_COUNT=1
CONFIG_NET_CONTEXT_SYNC_RECV=y

CONFIG_DNS_RESOLVER=y
CONFIG_JSON_LIBRARY=y

# Memories
CONFIG_MAIN_STACK_SIZE=8192
CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=4096
CONFIG_NET_TX_STACK_SIZE=4096
CONFIG_NET_RX_STACK_SIZE=4096

CONFIG_IDLE_STACK_SIZE=640
CONFIG_ISR_STACK_SIZE=4096
CONFIG_SHELL_STACK_SIZE=4096

# Debugging
CONFIG_STACK_SENTINEL=y
CONFIG_DEBUG_COREDUMP=y
CONFIG_DEBUG_COREDUMP_BACKEND_LOGGING=y
CONFIG_DEBUG_COREDUMP_MEMORY_DUMP_MIN=y
CONFIG_SHELL_CMDS_RESIZE=n

CONFIG_NET_SOCKETS_LOG_LEVEL_DBG=y
CONFIG_NET_DEBUG_NET_PKT_ALLOC=y
CONFIG_NET_BUF_POOL_USAGE=y
CONFIG_MBEDTLS_DEBUG_C=y
CONFIG_MBEDTLS_DEBUG_LEVEL=4

# Logging
CONFIG_LOG=y
CONFIG_LOG_BUFFER_SIZE=2048
CONFIG_POSIX_CLOCK=y
#CONFIG_LOG_DEFAULT_LEVEL=4

# HTTP
CONFIG_HTTP_CLIENT=y

# Websockets Support.
CONFIG_NET_SOCKETS=y
CONFIG_NET_SOCKETS_POSIX_NAMES=y
# TLS networking
CONFIG_POSIX_MAX_FDS=16
CONFIG_NET_SOCKETS_ENABLE_DTLS=n
CONFIG_NET_SOCKETS_TLS_MAX_CIPHERSUITES=16
CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=6
CONFIG_TLS_CREDENTIALS=y

# mbed TLS and security
CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS_PK_C=y
CONFIG_MBEDTLS_RSA_C=y
CONFIG_MBEDTLS_PKCS1_V15=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=32768
CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN=2304
CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN=2304
CONFIG_MBEDTLS_TLS_LIBRARY=y
CONFIG_MBEDTLS_X509_LIBRARY=y
CONFIG_NRF_SECURITY_ADVANCED=y
CONFIG_MBEDTLS_CIPHER=y
CONFIG_MBEDTLS_CIPHER_ALL_ENABLED=y

# SNTP Support.
CONFIG_SNTP=y

# Glue - Fixes documented bugs in nRF7002 implementation.
CONFIG_WIFI_NRF700X=y
CONFIG_NET_L2_ETHERNET=y

# Include WPA Supplement. Requires POSIX_API & NET_SOCKETS.
CONFIG_WPA_SUPP=y

# Required to prevent error in \wifi\nrf700x\zephyr\src\shim.c:14:10: fatal error: sys/time.h: No such file or directory
CONFIG_NEWLIB_LIBC=y
CONFIG_NEWLIB_LIBC_NANO=n

# Required to prevent undefined reference to `z_impl_sys_rand32_get'
CONFIG_ENTROPY_GENERATOR=y
CONFIG_TEST_RANDOM_GENERATOR=y

# printing of scan results puts pressure on queues in new locking
# design in net_mgmt. So, use a higher timeout for a crowded
# environment.
CONFIG_NET_MGMT_EVENT_QUEUE_TIMEOUT=5000

CONFIG_DEBUG_THREAD_INFO=y
CONFIG_DEBUG_OPTIMIZATIONS=y

Thanks in advance!

Parents
  • Hi again

    Is there any chance you could share your project with me so I can test it here? 

    It seems we don't have any proper HTTPS examples internally. I hope we can provide one soon enough, but I doubt we will be able to get a proper one together until after the summer. 

    Best regards
    Torbjørn

  • Hey Torbjørn,

    Sorry for the delay, I'm attaching a zipped project to this reply. I deleted the build directory to keep the size sane. We didn't have any additonal customizations to the build directory, so generating a new one on your end shouldn't make a difference hopefully. There's no company specific info or private keys/certs, so I shouldn't get into any trouble sharing this haha.

    wifi_zeph_2_4.zip

  • Hi Eric,

    Unfortunately we have not made any additional progress.

    -Jeremy

  • Hi Jeremy 

    Thanks for sharing the code. There has been some sideways progress on my side (replacing one error for another), but nothing definite yet. 

    I made some changes to the project configuration based on input from a colleague: 

    # mbed TLS and security
    CONFIG_MBEDTLS=y
    CONFIG_MBEDTLS_ENABLE_HEAP=y
    CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN=16384
    CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN=16384
    CONFIG_MBEDTLS_HEAP_SIZE=128000
    CONFIG_MBEDTLS_TLS_LIBRARY=y
    CONFIG_MBEDTLS_X509_LIBRARY=y
    CONFIG_MBEDTLS_PKCS1_V15=y
    CONFIG_NRF_SECURITY_ADVANCED=y
    CONFIG_NORDIC_SECURITY_BACKEND=y
    CONFIG_PSA_WANT_ALG_SHA_1=y
    CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_CRYPT=y
    CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN=y
    CONFIG_MBEDTLS_SSL_DEBUG_ALL=y
    CONFIG_MBEDTLS_LOG_LEVEL_DBG=y
    #CONFIG_MBEDTLS_DEBUG=y
    #CONFIG_MBEDTLS_DEBUG_C=y
    CONFIG_MBEDTLS_SSL_RENEGOTIATION=y
    CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION=y
    CONFIG_MBEDTLS_KEY_EXCHANGE_ALL_ENABLED=y
    CONFIG_MBEDTLS_ECP_ALL_ENABLED=y
    CONFIG_MBEDTLS_CIPHER_ALL_ENABLED=y
    CONFIG_MBEDTLS_SSL_SESSION_TICKETS=y
    CONFIG_MBEDTLS_SSL_CACHE_C=y
    CONFIG_MBEDTLS_SSL_TICKET_C=y
    CONFIG_PSA_WANT_ECC_TWISTED_EDWARDS_255=y
    CONFIG_PSA_CRYPTO_DRIVER_ECC_TWISTED_EDWARDS_255_OBERON=y
    CONFIG_MBEDTLS_RSA_C=y
    
    CONFIG_NET_TCP_WORKQ_STACK_SIZE=4096

    Now I get the 0x3b00 error instead (MBEDTLS_ERR_PK_INVALID_PUBKEY), as discussed in this case.

    If I replace google.com with example.com I get 0x2700 (MBEDTLS_ERR_X509_CERT_VERIFY_FAILED).

    In other words more work is needed. I will provide an update as soon as I have more to share. 

    Best regards
    Torbjørn 

  • Hi Jeremy

    The hunt for a fix continues. 

    One of my colleagues was able to get TLS working by changing the crypto backend used from the Oberon backend to the CC3XX backend. We still don't quite understand why this fixes the issue, but I double checked that this worked on my end as well Wink

    Could you give this a go? 

    Updated prj.conf below:

    # WiFi Console Support.
    CONFIG_EARLY_CONSOLE=y
    
    # Network buffers
    CONFIG_NET_MAX_CONTEXTS=6
    CONFIG_NET_PKT_RX_COUNT=16
    CONFIG_NET_PKT_TX_COUNT=16
    CONFIG_NET_BUF_RX_COUNT=80
    CONFIG_NET_BUF_TX_COUNT=80
    CONFIG_NET_BUF_DATA_SIZE=512
    CONFIG_HEAP_MEM_POOL_SIZE=120000
    CONFIG_NET_TC_TX_COUNT=0
    
    CONFIG_INIT_STACKS=y
    
    CONFIG_NET_SHELL=y
    
    CONFIG_NET_STATISTICS=y
    CONFIG_NET_STATISTICS_PERIODIC_OUTPUT=n
    
    # Networking
    CONFIG_WIFI=y
    CONFIG_WIFI_LOG_LEVEL_ERR=y
    CONFIG_NET_L2_WIFI_SHELL=y
    CONFIG_NET_CONFIG_SETTINGS=y
    CONFIG_NETWORKING=y
    CONFIG_NET_LOG=y
    CONFIG_NET_IPV6=n
    CONFIG_NET_IPV4=y
    CONFIG_NET_UDP=y
    CONFIG_NET_TCP=y
    CONFIG_NET_DHCPV4=y
    
    CONFIG_NET_IF_UNICAST_IPV4_ADDR_COUNT=1
    CONFIG_NET_CONTEXT_SYNC_RECV=y
    
    CONFIG_DNS_RESOLVER=y
    CONFIG_JSON_LIBRARY=y
    
    # Memories
    CONFIG_MAIN_STACK_SIZE=8192
    CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=4096
    CONFIG_NET_TX_STACK_SIZE=4096
    CONFIG_NET_RX_STACK_SIZE=4096
    
    CONFIG_IDLE_STACK_SIZE=640
    CONFIG_ISR_STACK_SIZE=4096
    CONFIG_SHELL_STACK_SIZE=4096
    
    # Debugging
    CONFIG_STACK_SENTINEL=y
    CONFIG_DEBUG_COREDUMP=y
    CONFIG_DEBUG_COREDUMP_BACKEND_LOGGING=y
    CONFIG_DEBUG_COREDUMP_MEMORY_DUMP_MIN=y
    CONFIG_SHELL_CMDS_RESIZE=n
    
    CONFIG_NET_SOCKETS_LOG_LEVEL_DBG=y
    CONFIG_NET_DEBUG_NET_PKT_ALLOC=y
    CONFIG_NET_BUF_POOL_USAGE=y
    CONFIG_MBEDTLS_DEBUG_C=y
    CONFIG_MBEDTLS_DEBUG_LEVEL=4
    
    # Logging
    CONFIG_LOG=y
    CONFIG_LOG_BUFFER_SIZE=2048
    CONFIG_POSIX_CLOCK=y
    #CONFIG_LOG_DEFAULT_LEVEL=4
    
    # HTTP
    CONFIG_HTTP_CLIENT=y
    
    # Websockets Support.
    CONFIG_NET_SOCKETS=y
    CONFIG_NET_SOCKETS_POSIX_NAMES=y
    # TLS networking
    CONFIG_POSIX_MAX_FDS=16
    CONFIG_NET_SOCKETS_ENABLE_DTLS=n
    CONFIG_NET_SOCKETS_TLS_MAX_CIPHERSUITES=16
    CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
    CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=6
    CONFIG_TLS_CREDENTIALS=y
    
    # mbed TLS and security
    CONFIG_MBEDTLS=y
    CONFIG_MBEDTLS_ENABLE_HEAP=y
    CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN=16384
    CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN=16384
    CONFIG_MBEDTLS_HEAP_SIZE=128000
    CONFIG_MBEDTLS_TLS_LIBRARY=y
    CONFIG_MBEDTLS_X509_LIBRARY=y
    CONFIG_MBEDTLS_PKCS1_V15=y
    CONFIG_NRF_SECURITY_ADVANCED=y
    CONFIG_NORDIC_SECURITY_BACKEND=y
    CONFIG_PSA_WANT_ALG_SHA_1=y
    CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_CRYPT=y
    CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN=y
    CONFIG_PSA_WANT_ECC_SECP_R1_256=y
    CONFIG_MBEDTLS_SSL_DEBUG_ALL=y
    CONFIG_MBEDTLS_LOG_LEVEL_DBG=y
    CONFIG_CC3XX_BACKEND=y
    CONFIG_OBERON_BACKEND=n
    
    CONFIG_MBEDTLS_DEBUG=n
    #CONFIG_MBEDTLS_LOG_LEVEL_INF=y
    
    CONFIG_MBEDTLS_SSL_RENEGOTIATION=y
    CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION=y
    CONFIG_MBEDTLS_KEY_EXCHANGE_ALL_ENABLED=y
    CONFIG_MBEDTLS_ECP_ALL_ENABLED=y
    CONFIG_MBEDTLS_CIPHER_ALL_ENABLED=y
    CONFIG_MBEDTLS_SSL_SESSION_TICKETS=y
    CONFIG_MBEDTLS_SSL_CACHE_C=y
    CONFIG_MBEDTLS_SSL_TICKET_C=y
    CONFIG_PSA_WANT_ECC_TWISTED_EDWARDS_255=y
    CONFIG_PSA_CRYPTO_DRIVER_ECC_TWISTED_EDWARDS_255_OBERON=y
    CONFIG_MBEDTLS_RSA_C=y
    
    # SNTP Support.
    CONFIG_SNTP=y
    
    # Glue - Fixes documented bugs in nRF7002 implementation.
    CONFIG_WIFI_NRF700X=y
    CONFIG_NET_L2_ETHERNET=y
    
    # Include WPA Supplement. Requires POSIX_API & NET_SOCKETS.
    CONFIG_WPA_SUPP=y
    
    # Required to prevent error in \wifi\nrf700x\zephyr\src\shim.c:14:10: fatal error: sys/time.h: No such file or directory
    CONFIG_NEWLIB_LIBC=y
    CONFIG_NEWLIB_LIBC_NANO=n
    
    # Required to prevent undefined reference to `z_impl_sys_rand32_get'
    CONFIG_ENTROPY_GENERATOR=y
    CONFIG_TEST_RANDOM_GENERATOR=y
    
    # printing of scan results puts pressure on queues in new locking
    # design in net_mgmt. So, use a higher timeout for a crowded
    # environment.
    CONFIG_NET_MGMT_EVENT_QUEUE_TIMEOUT=5000
    
    CONFIG_DEBUG_THREAD_INFO=y
    CONFIG_DEBUG_OPTIMIZATIONS=y
    
    CONFIG_NET_TCP_WORKQ_STACK_SIZE=4096

    Best regards
    Torbjørn

  • Hey Torbjørn,

    This worked great for "google.com" with the provided cert! I'll verify this answer for now since this seems like it would help most people get up and running with TLS on the 7002. Unfortunately, we're still running into issues with our actual production webserver and certs, but at this point it could easily be a misconfiguration on our end.

    Let us know if you guys figure out anything else (e.g. Why doesn't Oberon work? Do all of the supported ciphersuites work with CC3XX? etc), and we'll continue testing/reconfiguring on our end.

    Thank you, this was a great step forward!

Reply
  • Hey Torbjørn,

    This worked great for "google.com" with the provided cert! I'll verify this answer for now since this seems like it would help most people get up and running with TLS on the 7002. Unfortunately, we're still running into issues with our actual production webserver and certs, but at this point it could easily be a misconfiguration on our end.

    Let us know if you guys figure out anything else (e.g. Why doesn't Oberon work? Do all of the supported ciphersuites work with CC3XX? etc), and we'll continue testing/reconfiguring on our end.

    Thank you, this was a great step forward!

Children
  • Hi Jeremy, I tried using Tobjorn's updated prj.conf and the code from your wifi_zeph_2_4.zip but am still getting a http_client_req() failed?, err 40 (which is Lv3 Reset...?), with the http response saying "Moved Permanently", which is a 301 error.  I'm wondering if you had to change anything from the zipped folder to make it work or did I do anything wrong?

    -Eric

  • Hi guys 

    Glad to hear you got it working Jeremy Slight smile

    The crypto experts are still discussing this. The assumption was that the CC312 backend did not support 4096 bit keys, and that is why the Oberon backend was enabled instead. It seems the CC312 do indeed support various 4096 bit key operations, it is just key generation that is limited to 3072 bits. Why Oberon doesn't work is not properly understood yet. 

    We might have to continue this discussion over the summer as a lot of people are on vacation at the moment, but we will try to get to the bottom of this eventually. 

    erichotterbeefcurry said:
    but am still getting a http_client_req() failed?, err 40 (which is Lv3 Reset...?)

    I think this is just an inconsistency in the application. A positive return from the http_client_req() function is actually not an error, it just tells you how many bytes were returned. A negative value would indicate an error. 

    Best regards
    Torbjørn

  • Hi Torbjoin, ah ok I didn't realize the client request can return positive values too. Thank you and the team so much for working on top of this! Do you mind elaborating more on why I got the 301 request error, "Moved Permanently"? I suppose that meant we made a HTTPS connection to Google but something went wrong, and it sounds like Jeremy didn't get this request error.

    -Best,

    Eric

  • I was able to make HTTPS request too! I followed Kyle's steps where I had to convert my .pem to .der using openssh and I had to add an authroziation bearer token with my GET request, but I was able to correctly receive response from both Google and our internal server. Thanks Nordic folks for keep working on this!

  • Great that you were able to get it working Eric Slight smile

    It seems you have both got it working then, and I will consider this case resolved. 

    Best regards
    Torbjørn

Related