HTTPS without TF-M and PSA

Hello,

We are currently developing a WiFi library and just started on implementing HTTPS and ran into some issues. Since we don't have enough flash and memory for using the TF-M image, we decided to work on the secure build (without *ns).

As such we tried to get the exercise 'wififund_less5_exer2' running without PSA and TF-M, and using the CONFIG_WIFI_CREDENTIALS_BACKEND_SETTINGS as backend.

Unfortunately we always get the same error when calling connect():

[00:00:35.491,699] <inf> Lesson5_Exercise2: Network connected
[00:00:36.076,354] <inf> Lesson5_Exercise2: IPv4 address of HTTP server found 18.238.243.52
[00:00:36.100,402] <err> Lesson5_Exercise2: Connecting to server failed, err: 22, Invalid argument
[00:00:36.100,402] <err> Lesson5_Exercise2: Failed to initialize client


Which is exactly the same problem we're getting in our library.

Is it somehow possible to get HTTPS working without TF-M and PSA, using a different crypto? Or is it limited by the hardware/kernel?

Best regards,
Daniel Figueira

  • Hi once again.

    Maybe just to clarify, my end goal is to be able to perform HTTPS requests without the use of TF-M (previously I was unaware I could use PSA without TF-M) - ultimately we basically want to send data through HTTPS to an AWS server.

    With the HTTPS_client sample configs you provided I guess it is now proven that having HTTPS without TF-M can be done (which was not covered by the Wifi Fundamental tutorials)...

    However, after following your advice on how to download the certificates I needed through my web browser, I seem unable to use the HTTPS_client sample to connect to any server I tried except for "example.com" and "echo.thingy.rocks" (which I managed to connect to after updating the version of the certificate I previously had).

    For any other well-known addresses out there, like 'google.com' for instance, I always get an ECONNABORTED error (113) with no further details, even though I'm using the certificates provided by my browser.

    After reading a bit on other tickets about the subject I tried to disable peer validation but still wasn't able to connect to 'google.com', which now leads me to wonder if it might be somehow related to the ciphers I'm using (as suggested in the reply to: https://devzone.nordicsemi.com/f/nordic-q-a/68229/nrf9160-unable-to-disable-certificate-validation-when-connecting-to-https).

    I'd appreciate some more help with this issue.

    Best regards,
    Daniel

  • What you need is to read up on Certificate Authorities (CAs).

    I will try to sum it up: Webpages are signed with a cert. You can use a public key to verify the signature. But you must trust the signer, so the signer is always a CA.

    The key you put on the device to trust the page is a CA public key.

    All webpages do not have the same CA, so if you connect to two pages with different CAs, you will need different CA keys. Web browsers have a lot of CA keys in them for this reason.

    For the nRF9160, you usually only need to connect to a handful of web pages for a product, so in most cases one CA key is enough.

    Disclaimer: I am probably not 100% correct, so I suggest you read up on this from some more knowledgeable source on the web.

    Did this make sense?
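
The CA point from the reply above, as an added example that is not part of the original thread: a server certificate verifies only against the CA that issued it, which is why a CA certificate that works for one host fails for another. It assumes the `openssl` command-line tool on a workstation; the CA names and the host `server.example` are constructed for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo: two throwaway CAs and one server certificate, all
# generated locally. Nothing here touches a real server or a real CA.
set -u

WORK="$(mktemp -d)"

# make_ca NAME: create a self-signed root CA (NAME.key / NAME.pem).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_leaf CA HOST: create a server certificate for HOST signed by CA.
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -days 1 -out "$WORK/$2.pem" 2>/dev/null
}

# trusts CA HOST: exit status 0 only if HOST's certificate chains to CA.
# CA plays the role of the CA certificate provisioned on the device.
trusts() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# ca_a issues the server certificate; ca_b is an unrelated CA.
make_ca ca_a && make_ca ca_b && issue_leaf ca_a server.example

for ca in ca_a ca_b; do
    if trusts "$ca" server.example; then
        echo "device provisioned with $ca: certificate verifies"
    else
        echo "device provisioned with $ca: verification fails"
    fi
done
```

To see which CA a real server's chain ends in before provisioning a device, `openssl s_client -connect <host>:443 -showcerts` prints the chain the server sends.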