nRF7002DK and TLS Sockets -7100 error

Hey everyone,

We have been struggling to get our nRF7002DK connected to any HTTPS server. We've stripped back our evaluation setup to use "google.com" with the example "globalsign_r1" cert and are still running into the same -7100 TLS handshake error. This project is compiled using NCS v2.4.0.

Our evaluation code is based on the WiFi Shell example and pulls in code from other samples. After we have successfully connected to a WiFi network, the device goes through the following routine:

  • We retrieve and set the system time using the SNTP and POSIX clocks modules. This always works fine.
  • We use the DNS resolver module to populate the addr_info struct for "google.com"
  • Afterwards we successfully allocate the socket in the fd table, register credentials with the TLS module, and give the cert data to the socket.
  • We call "connect" on the socket. This always fails with the -7100 error.
  • If the connection succeeded, we would send one HTTPS request.

Here's our console output.

uart:~$ Server time is: 1686687543
[00:00:16.668,304] <dbg> net_sock: zsock_socket_internal: (main): socket: ctx=0x20005aa4, fd=7
[00:00:16.668,487] <inf> wifi: Sending SNTP IPv4 request...
[00:00:16.721,160] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004fb2c, st=0, user_data=(nil)
[00:00:16.721,282] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20005aa4, pkt=0x2004fb6c, st=0, user_data=(nil)
[00:00:16.721,862] <inf> wifi: status: 0
[00:00:16.721,862] <inf> wifi: time since Epoch: high word: 0, low word: 1686687543
[00:00:16.721,893] <dbg> net_sock: z_impl_zsock_close: (main): close: ctx=0x20005aa4, fd=7
uart:~$ Current time is now: Tue Jun 13 20:19:05 2023

print_addrinfo_results v4: 1 v6: 2 UNS: 0
ipFamily 47568
ipFamily 1
IPv4: 142.251.40.238
[00:00:23.747,100] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004fb2c, st=0, user_data=(nil)
[00:00:23.747,375] <dbg> net_sock_addr: dns_resolve_cb: (rx_q[0]): dns status: -100
[00:00:23.747,467] <dbg> net_sock_addr: dns_resolve_cb: (rx_q[0]): dns status: -103
Connecting to HTTP Server:
[00:00:23.756,805] <dbg> net_sock_tls: tls_alloc: (main): Allocated TLS context, 0x20001bd0
[00:00:23.757,049] <dbg> net_sock: zsock_socket_internal: (main): socket: ctx=0x20005aa4, fd=8
[00:00:23.788,269] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004faec, st=0, user_data=(nil)
[00:00:23.895,202] <dbg> net_sock: zsock_recv_stream: (main): NULL return from fifo
[00:00:23.924,316] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004fb6c, st=0, user_data=(nil)
[00:00:23.933,197] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004faec, st=0, user_data=(nil)
[00:00:23.934,844] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20005aa4, pkt=0x2004fb6c, st=0, user_data=(nil)
[00:00:23.937,133] <err> net_sock_tls: TLS handshake error: -7100
[00:00:23.938,537] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004faac, st=0, user_data=(nil)
[00:00:23.939,849] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20005aa4, pkt=0x2004faec, st=0, user_data=(nil)
[00:00:23.942,199] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004fa6c, st=0, user_data=(nil)
[00:00:23.942,932] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20005aa4, pkt=0x2004faac, st=0, user_data=(nil)
[00:00:23.945,892] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004fa2c, st=0, user_data=(nil)
[00:00:23.946,594] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20005aa4, pkt=0x2004fa6c, st=0, user_data=(nil)
[00:00:23.948,211] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004f9ec, st=0, user_data=(nil)
[00:00:23.948,944] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20005aa4, pkt=0x2004fa2c, st=0, user_data=(nil)
[00:00:23.950,225] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x20005964, pkt=0x2004f9ac, st=0, user_data=(nil)
[00:00:23.950,866] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20005aa4, pkt=0x2004f9ec, st=0, user_data=(nil)
uart:~$ http_client_req() failed?, err -5

Here's a code snippet corresponding to the console output, in case it is helpful.

k_sleep(K_SECONDS(2));
set_time(); // This function uses the Zephyr SNTP module to open an HTTP socket and retrieve a valid system time.
// The socket is closed afterwards.
k_sleep(K_SECONDS(2));
print_time();
k_sleep(K_SECONDS(5));

int sock;
int err;
struct sockaddr_in *sa;
struct addrinfo *rp;

nslookup("google.com", &rp); // This function is from the "http_get" sample, it performs a DNS lookup for "google.com" and formats the address.

print_addrinfo_results(&rp);

printk("Connecting to HTTP Server:\n");

// Load in the TLS cert for HTTPS
tls_credential_add(CA_CERTIFICATE_TAG, TLS_CREDENTIAL_CA_CERTIFICATE,
                    ca_certificate, sizeof(ca_certificate));

                
// Create Socket
sock = socket(rp->ai_family, rp->ai_socktype, IPPROTO_TLS_1_2); // IPPROTO_TCP //IPPROTO_TLS_1_2
if (sock < 0)
{
    printk("Error creating socket\n");
    return (-1);
}
               
// TLS settings
sec_tag_t sec_tag_opt[] = {
    CA_CERTIFICATE_TAG,
};

err = setsockopt(sock, SOL_TLS, TLS_SEC_TAG_LIST,
    sec_tag_opt, sizeof(sec_tag_opt));
                
if (err < 0)
{
    LOG_ERR("Failed to set TLS security TAG list. Err: %d", errno);
    (void)close(sock);
    return -errno;
}

err = setsockopt(sock, SOL_TLS, TLS_HOSTNAME,
                                 HTTP_HOST, sizeof(HTTP_HOST));
if (err < 0)
{
    LOG_ERR("Failed to set TLS_HOSTNAME option. Err: %d", errno);
    (void)close(sock);
    return -errno;
}

// Iterate through until we get a successful connection
for (; rp != NULL; rp = rp->ai_next)
{
    if (rp->ai_addr->sa_family == AF_INET)
    {
        // IPv4 Address
        sa = (struct sockaddr_in *)rp->ai_addr;
        sa->sin_port = htons(443);
        connect(sock, (struct sockaddr *)sa, sizeof(struct sockaddr_in)); // This function appears to throw the -7100 error.
        if (sock > 0)
            break;
    }
}

k_sleep(K_SECONDS(5));
        
http_get(sock, HTTP_HOST, "/");

k_sleep(K_SECONDS(1));

close(sock);

k_sleep(K_FOREVER);

Here's our prj.conf. We don't use any additional overlays.

# WiFi Console Support.
CONFIG_EARLY_CONSOLE=y

# Network buffers
CONFIG_NET_MAX_CONTEXTS=6
CONFIG_NET_PKT_RX_COUNT=16
CONFIG_NET_PKT_TX_COUNT=16
CONFIG_NET_BUF_RX_COUNT=80
CONFIG_NET_BUF_TX_COUNT=80
CONFIG_NET_BUF_DATA_SIZE=512
CONFIG_HEAP_MEM_POOL_SIZE=120000
CONFIG_NET_TC_TX_COUNT=0

CONFIG_INIT_STACKS=y

CONFIG_NET_SHELL=y

CONFIG_NET_STATISTICS=y
CONFIG_NET_STATISTICS_PERIODIC_OUTPUT=n

# Networking
CONFIG_WIFI=y
CONFIG_WIFI_LOG_LEVEL_ERR=y
CONFIG_NET_L2_WIFI_SHELL=y
CONFIG_NET_CONFIG_SETTINGS=y
CONFIG_NETWORKING=y
CONFIG_NET_LOG=y
CONFIG_NET_IPV6=n
CONFIG_NET_IPV4=y
CONFIG_NET_UDP=y
CONFIG_NET_TCP=y
CONFIG_NET_DHCPV4=y

CONFIG_NET_IF_UNICAST_IPV4_ADDR_COUNT=1
CONFIG_NET_CONTEXT_SYNC_RECV=y

CONFIG_DNS_RESOLVER=y
CONFIG_JSON_LIBRARY=y

# Memories
CONFIG_MAIN_STACK_SIZE=8192
CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=4096
CONFIG_NET_TX_STACK_SIZE=4096
CONFIG_NET_RX_STACK_SIZE=4096

CONFIG_IDLE_STACK_SIZE=640
CONFIG_ISR_STACK_SIZE=4096
CONFIG_SHELL_STACK_SIZE=4096

# Debugging
CONFIG_STACK_SENTINEL=y
CONFIG_DEBUG_COREDUMP=y
CONFIG_DEBUG_COREDUMP_BACKEND_LOGGING=y
CONFIG_DEBUG_COREDUMP_MEMORY_DUMP_MIN=y
CONFIG_SHELL_CMDS_RESIZE=n

CONFIG_NET_SOCKETS_LOG_LEVEL_DBG=y
CONFIG_NET_DEBUG_NET_PKT_ALLOC=y
CONFIG_NET_BUF_POOL_USAGE=y
CONFIG_MBEDTLS_DEBUG_C=y
CONFIG_MBEDTLS_DEBUG_LEVEL=4

# Logging
CONFIG_LOG=y
CONFIG_LOG_BUFFER_SIZE=2048
CONFIG_POSIX_CLOCK=y
#CONFIG_LOG_DEFAULT_LEVEL=4

# HTTP
CONFIG_HTTP_CLIENT=y

# Websockets Support.
CONFIG_NET_SOCKETS=y
CONFIG_NET_SOCKETS_POSIX_NAMES=y
# TLS networking
CONFIG_POSIX_MAX_FDS=16
CONFIG_NET_SOCKETS_ENABLE_DTLS=n
CONFIG_NET_SOCKETS_TLS_MAX_CIPHERSUITES=16
CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=6
CONFIG_TLS_CREDENTIALS=y

# mbed TLS and security
CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS_PK_C=y
CONFIG_MBEDTLS_RSA_C=y
CONFIG_MBEDTLS_PKCS1_V15=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=32768
CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN=2304
CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN=2304
CONFIG_MBEDTLS_TLS_LIBRARY=y
CONFIG_MBEDTLS_X509_LIBRARY=y
CONFIG_NRF_SECURITY_ADVANCED=y
CONFIG_MBEDTLS_CIPHER=y
CONFIG_MBEDTLS_CIPHER_ALL_ENABLED=y

# SNTP Support.
CONFIG_SNTP=y

# Glue - Fixes documented bugs in nRF7002 implementation.
CONFIG_WIFI_NRF700X=y
CONFIG_NET_L2_ETHERNET=y

# Include WPA Supplement. Requires POSIX_API & NET_SOCKETS.
CONFIG_WPA_SUPP=y

# Required to prevent error in \wifi\nrf700x\zephyr\src\shim.c:14:10: fatal error: sys/time.h: No such file or directory
CONFIG_NEWLIB_LIBC=y
CONFIG_NEWLIB_LIBC_NANO=n

# Required to prevent undefined reference to `z_impl_sys_rand32_get'
CONFIG_ENTROPY_GENERATOR=y
CONFIG_TEST_RANDOM_GENERATOR=y

# printing of scan results puts pressure on queues in new locking
# design in net_mgmt. So, use a higher timeout for a crowded
# environment.
CONFIG_NET_MGMT_EVENT_QUEUE_TIMEOUT=5000

CONFIG_DEBUG_THREAD_INFO=y
CONFIG_DEBUG_OPTIMIZATIONS=y

Thanks in advance!

  • Hi guys 

    Glad to hear you got it working Jeremy Slight smile

    The crypto experts are still discussing this. The assumption was that the CC312 backend did not support 4096 bit keys, and that is why the Oberon backend was enabled instead. It seems the CC312 do indeed support various 4096 bit key operations, it is just key generation that is limited to 3072 bits. Why Oberon doesn't work is not properly understood yet. 

    We might have to continue this discussion over the summer as a lot of people are on vacation at the moment, but we will try to get to the bottom of this eventually. 

    erichotterbeefcurry said:
    but am still getting a http_client_req() failed?, err 40 (which is Lv3 Reset...?)

    I think this is just an inconsistency in the application. A positive return from the http_client_req() function is actually not an error, it just tells you how many bytes were returned. A negative value would indicate an error. 

    Best regards
    Torbjørn

  • Hi Torbjoin, ah ok I didn't realize the client request can return positive values too. Thank you and the team so much for working on top of this! Do you mind elaborating more on why I got the 301 request error, "Moved Permanently"? I suppose that meant we made a HTTPS connection to Google but something went wrong, and it sounds like Jeremy didn't get this request error.

    -Best,

    Eric

  • I've changed it to hit an azurewebsites.net domain instead of google.com and I am running into this issue

    <err> net_sock_tls: TLS handshake error: -2700

    I tried keeping the `globalsign_r1.der` then I tried to get the wildcard cert for `*.azurewebsites.net` and converetd it into a der from a pem with

    `openssl x509 -in ./azurewebsites.pem -out azurewebsites.der -outform DER`

    Updated CMakeList.txt and ca_certificate.h for the change in cert

    But still got the -2700 error.

    Is there any more information on how that .der certificate should be generated? is it site specific? of is this -2700 error something unrelated?

  • I ended up digging into it a little further, the cert needs to be the cert for the root CA and not for the domain, So i was able to get the cert for `DigiCertGlobalRootG2` which signed the `*.azurewebsites.net` certificate, converted it into the der format, using command mentioned above and now I get data back from the azure site.

  • I was able to make HTTPS request too! I followed Kyle's steps where I had to convert my .pem to .der using openssh and I had to add an authroziation bearer token with my GET request, but I was able to correctly receive response from both Google and our internal server. Thanks Nordic folks for keep working on this!

Related