nRF7002DK and TLS Sockets -7100 error

Hey everyone,

We have been struggling to get our nRF7002DK connected to any HTTPS server. We've stripped back our evaluation setup to use "google.com" with the example "globalsign_r1" cert and are still running into the same -7100 TLS handshake error. This project is compiled using NCS v2.4.0.

Our evaluation code is based on the WiFi Shell example and pulls in code from other samples. After we have successfully connected to a WiFi network, the device goes through the following routine:

  • We retrieve and set the system time using the SNTP and POSIX clocks modules. This always works fine.
  • We use the DNS resolver module to populate the addr_info struct for "google.com".
  • Afterwards we successfully allocate the socket in the fd table, register credentials with the TLS module, and give the cert data to the socket.
  • We call "connect" on the socket. This always fails with the -7100 error.
  • If the connection succeeded, we would send one HTTPS request.

Here's our console output.

uart:~$ Server time is: 1686687543
[00:00:16.668,304] <dbg> net_sock: zsock_socket_internal: (main): socket: ctx=0x20005aa4, fd=7
[00:00:16.668,487] <inf> wifi: Sending SNTP IPv4 request...
[00:00:16.721,160] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004fb2c, st=0, user_data=(nil)
[00:00:16.721,282] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20005aa4, pkt=0x2004fb6c, st=0, user_data=(nil)
[00:00:16.721,862] <inf> wifi: status: 0
[00:00:16.721,862] <inf> wifi: time since Epoch: high word: 0, low word: 1686687543
[00:00:16.721,893] <dbg> net_sock: z_impl_zsock_close: (main): close: ctx=0x20005aa4, fd=7
uart:~$ Current time is now: Tue Jun 13 20:19:05 2023

print_addrinfo_results v4: 1 v6: 2 UNS: 0
ipFamily 47568
ipFamily 1
IPv4: 142.251.40.238
[00:00:23.747,100] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004fb2c, st=0, user_data=(nil)
[00:00:23.747,375] <dbg> net_sock_addr: dns_resolve_cb: (rx_q[0]): dns status: -100
[00:00:23.747,467] <dbg> net_sock_addr: dns_resolve_cb: (rx_q[0]): dns status: -103
Connecting to HTTP Server:
[00:00:23.756,805] <dbg> net_sock_tls: tls_alloc: (main): Allocated TLS context, 0x20001bd0
[00:00:23.757,049] <dbg> net_sock: zsock_socket_internal: (main): socket: ctx=0x20005aa4, fd=8
[00:00:23.788,269] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004faec, st=0, user_data=(nil)
[00:00:23.895,202] <dbg> net_sock: zsock_recv_stream: (main): NULL return from fifo
[00:00:23.924,316] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004fb6c, st=0, user_data=(nil)
[00:00:23.933,197] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004faec, st=0, user_data=(nil)
[00:00:23.934,844] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20005aa4, pkt=0x2004fb6c, st=0, user_data=(nil)
[00:00:23.937,133] <err> net_sock_tls: TLS handshake error: -7100
[00:00:23.938,537] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004faac, st=0, user_data=(nil)
[00:00:23.939,849] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20005aa4, pkt=0x2004faec, st=0, user_data=(nil)
[00:00:23.942,199] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004fa6c, st=0, user_data=(nil)
[00:00:23.942,932] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20005aa4, pkt=0x2004faac, st=0, user_data=(nil)
[00:00:23.945,892] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004fa2c, st=0, user_data=(nil)
[00:00:23.946,594] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20005aa4, pkt=0x2004fa6c, st=0, user_data=(nil)
[00:00:23.948,211] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004f9ec, st=0, user_data=(nil)
[00:00:23.948,944] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20005aa4, pkt=0x2004fa2c, st=0, user_data=(nil)
[00:00:23.950,225] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004f9ac, st=0, user_data=(nil)
[00:00:23.950,866] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20005aa4, pkt=0x2004f9ec, st=0, user_data=(nil)
uart:~$ http_client_req() failed?, err -5

Here's a code snippet corresponding to the console output, in case it is helpful.

k_sleep(K_SECONDS(2));
set_time(); // This function uses the Zephyr SNTP module to open an HTTP socket and retrieve a valid system time.
// The socket is closed afterwards.
k_sleep(K_SECONDS(2));
print_time();
k_sleep(K_SECONDS(5));

int sock;
int err;
struct sockaddr_in *sa;
struct addrinfo *rp;

nslookup("google.com", &rp); // This function is from the "http_get" sample, it performs a DNS lookup for "google.com" and formats the address.

print_addrinfo_results(&rp);

printk("Connecting to HTTP Server:\n");

// Load in the TLS cert for HTTPS
tls_credential_add(CA_CERTIFICATE_TAG, TLS_CREDENTIAL_CA_CERTIFICATE,
                    ca_certificate, sizeof(ca_certificate));

                
// Create Socket
sock = socket(rp->ai_family, rp->ai_socktype, IPPROTO_TLS_1_2); // IPPROTO_TCP //IPPROTO_TLS_1_2
if (sock < 0)
{
    printk("Error creating socket\n");
    return (-1);
}
               
// TLS settings
sec_tag_t sec_tag_opt[] = {
    CA_CERTIFICATE_TAG,
};

err = setsockopt(sock, SOL_TLS, TLS_SEC_TAG_LIST,
    sec_tag_opt, sizeof(sec_tag_opt));
                
if (err < 0)
{
    LOG_ERR("Failed to set TLS security TAG list. Err: %d", errno);
    (void)close(sock);
    return -errno;
}

err = setsockopt(sock, SOL_TLS, TLS_HOSTNAME,
                                 HTTP_HOST, sizeof(HTTP_HOST));
if (err < 0)
{
    LOG_ERR("Failed to set TLS_HOSTNAME option. Err: %d", errno);
    (void)close(sock);
    return -errno;
}

// Iterate through until we get a successful connection
for (; rp != NULL; rp = rp->ai_next)
{
    if (rp->ai_addr->sa_family == AF_INET)
    {
        // IPv4 Address
        sa = (struct sockaddr_in *)rp->ai_addr;
        sa->sin_port = htons(443);
        err = connect(sock, (struct sockaddr *)sa, sizeof(struct sockaddr_in)); // This function appears to throw the -7100 error.
        if (err == 0) // connect() returns 0 on success; sock is a valid fd either way
            break;
    }
}

k_sleep(K_SECONDS(5));
        
http_get(sock, HTTP_HOST, "/");

k_sleep(K_SECONDS(1));

close(sock);

k_sleep(K_FOREVER);

Here's our prj.conf. We don't use any additional overlays.

# WiFi Console Support.
CONFIG_EARLY_CONSOLE=y

# Network buffers
CONFIG_NET_MAX_CONTEXTS=6
CONFIG_NET_PKT_RX_COUNT=16
CONFIG_NET_PKT_TX_COUNT=16
CONFIG_NET_BUF_RX_COUNT=80
CONFIG_NET_BUF_TX_COUNT=80
CONFIG_NET_BUF_DATA_SIZE=512
CONFIG_HEAP_MEM_POOL_SIZE=120000
CONFIG_NET_TC_TX_COUNT=0

CONFIG_INIT_STACKS=y

CONFIG_NET_SHELL=y

CONFIG_NET_STATISTICS=y
CONFIG_NET_STATISTICS_PERIODIC_OUTPUT=n

# Networking
CONFIG_WIFI=y
CONFIG_WIFI_LOG_LEVEL_ERR=y
CONFIG_NET_L2_WIFI_SHELL=y
CONFIG_NET_CONFIG_SETTINGS=y
CONFIG_NETWORKING=y
CONFIG_NET_LOG=y
CONFIG_NET_IPV6=n
CONFIG_NET_IPV4=y
CONFIG_NET_UDP=y
CONFIG_NET_TCP=y
CONFIG_NET_DHCPV4=y

CONFIG_NET_IF_UNICAST_IPV4_ADDR_COUNT=1
CONFIG_NET_CONTEXT_SYNC_RECV=y

CONFIG_DNS_RESOLVER=y
CONFIG_JSON_LIBRARY=y

# Memories
CONFIG_MAIN_STACK_SIZE=8192
CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=4096
CONFIG_NET_TX_STACK_SIZE=4096
CONFIG_NET_RX_STACK_SIZE=4096

CONFIG_IDLE_STACK_SIZE=640
CONFIG_ISR_STACK_SIZE=4096
CONFIG_SHELL_STACK_SIZE=4096

# Debugging
CONFIG_STACK_SENTINEL=y
CONFIG_DEBUG_COREDUMP=y
CONFIG_DEBUG_COREDUMP_BACKEND_LOGGING=y
CONFIG_DEBUG_COREDUMP_MEMORY_DUMP_MIN=y
CONFIG_SHELL_CMDS_RESIZE=n

CONFIG_NET_SOCKETS_LOG_LEVEL_DBG=y
CONFIG_NET_DEBUG_NET_PKT_ALLOC=y
CONFIG_NET_BUF_POOL_USAGE=y
CONFIG_MBEDTLS_DEBUG_C=y
CONFIG_MBEDTLS_DEBUG_LEVEL=4

# Logging
CONFIG_LOG=y
CONFIG_LOG_BUFFER_SIZE=2048
CONFIG_POSIX_CLOCK=y
#CONFIG_LOG_DEFAULT_LEVEL=4

# HTTP
CONFIG_HTTP_CLIENT=y

# Websockets Support.
CONFIG_NET_SOCKETS=y
CONFIG_NET_SOCKETS_POSIX_NAMES=y
# TLS networking
CONFIG_POSIX_MAX_FDS=16
CONFIG_NET_SOCKETS_ENABLE_DTLS=n
CONFIG_NET_SOCKETS_TLS_MAX_CIPHERSUITES=16
CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=6
CONFIG_TLS_CREDENTIALS=y

# mbed TLS and security
CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS_PK_C=y
CONFIG_MBEDTLS_RSA_C=y
CONFIG_MBEDTLS_PKCS1_V15=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=32768
CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN=2304
CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN=2304
CONFIG_MBEDTLS_TLS_LIBRARY=y
CONFIG_MBEDTLS_X509_LIBRARY=y
CONFIG_NRF_SECURITY_ADVANCED=y
CONFIG_MBEDTLS_CIPHER=y
CONFIG_MBEDTLS_CIPHER_ALL_ENABLED=y

# SNTP Support.
CONFIG_SNTP=y

# Glue - Fixes documented bugs in nRF7002 implementation.
CONFIG_WIFI_NRF700X=y
CONFIG_NET_L2_ETHERNET=y

# Include WPA Supplement. Requires POSIX_API & NET_SOCKETS.
CONFIG_WPA_SUPP=y

# Required to prevent error in \wifi\nrf700x\zephyr\src\shim.c:14:10: fatal error: sys/time.h: No such file or directory
CONFIG_NEWLIB_LIBC=y
CONFIG_NEWLIB_LIBC_NANO=n

# Required to prevent undefined reference to `z_impl_sys_rand32_get'
CONFIG_ENTROPY_GENERATOR=y
CONFIG_TEST_RANDOM_GENERATOR=y

# printing of scan results puts pressure on queues in new locking
# design in net_mgmt. So, use a higher timeout for a crowded
# environment.
CONFIG_NET_MGMT_EVENT_QUEUE_TIMEOUT=5000

CONFIG_DEBUG_THREAD_INFO=y
CONFIG_DEBUG_OPTIMIZATIONS=y

Thanks in advance!
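
Added example, not part of the original post or of Nordic's or Zephyr's code: a small decoder for the "TLS handshake error" log line shown above. Zephyr's TLS socket layer prints the mbedTLS return value in hexadecimal, so "-7100" is -0x7100, not decimal 7100. The lookup table is a hand-picked subset of mbedTLS 3.x codes, and the function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct tls_err { int code; const char *name; };

/* Subset of mbedTLS 3.x codes (mbedtls/ssl.h, mbedtls/x509.h), stored as magnitudes. */
static const struct tls_err known[] = {
    { 0x7080, "MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE" },
    { 0x7100, "MBEDTLS_ERR_SSL_BAD_INPUT_DATA" },
    { 0x7780, "MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE" },
    { 0x7F00, "MBEDTLS_ERR_SSL_ALLOC_FAILED" },
    { 0x2700, "MBEDTLS_ERR_X509_CERT_VERIFY_FAILED" },
};

/* Returns the error magnitude, read as hex, or -1 if the line carries none. */
int parse_handshake_error(const char *line)
{
    static const char marker[] = "TLS handshake error: -";
    const char *p = strstr(line, marker);
    char *end;
    long v;

    if (p == NULL)
        return -1;
    p += sizeof(marker) - 1;
    v = strtol(p, &end, 16);            /* the log uses %x, so parse base 16 */
    if (end == p || v <= 0 || v > 0x7FFF)
        return -1;
    return (int)v;
}

/* mbedTLS packs a high-level code in bits 7..14 and a low-level code in bits 0..6. */
int high_level(int code) { return code & 0x7F80; }
int low_level(int code)  { return code & 0x007F; }

const char *error_name(int code)
{
    for (size_t i = 0; i < sizeof(known) / sizeof(known[0]); i++)
        if (known[i].code == high_level(code))
            return known[i].name;
    return "unknown (not in this subset)";
}

int main(void)
{
    /* Log line copied from the console output in the post. */
    const char *line = "[00:00:23.937,133] <err> net_sock_tls: TLS handshake error: -7100";
    int code = parse_handshake_error(line);

    printf("-0x%04X -> %s (low-level part: 0x%02X)\n",
           code, error_name(code), low_level(code));
    return 0;
}
```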

Parents Reply
  • I have the same problem, but the change to the CC3XX isn't working for me (breaks the build). I'm using NCS 2.8. What version did you test on?

    What is the Nordic recommendation for getting HTTPS to work? I would also note that the flash space required for mbedtls and associated code (WiFi WPA supp, for example) is bloated, and is causing me serious issues on nRF5340. A prj.conf 'minimal TLS 1.2' example that will work for a 4K RSA certificate (very common on web services now) would be very useful!
