AWS Device Qualifications Fails

Hi Alexey,

This seems related to TLS_PEER_VERIFY.

Are you able to check if this socket option is enabled in your codes?

Best regards,

Charlie

Hi Charlie,

Yeh, it is enabled. And other tests, for instance, "TLS Incorrect Subject Name Server Cert" and "TLS Unsecure Server Cert" are green.

Hi Alexey,

Thanks for the clarification.

Are you able to share a modem trace recording and its log printout when you do this kind of test?

This will help us to understand what happened when this TLS Expired Server Certificate test failed.

Best regards,

Charlie

Hi Charlie,

Finally, I managed to collect traces. We updated SDK version to v2.6.1

The issue is still there. I've attached traces of 2 runs
But this is a screenshot that shows that the server certificate is expired for sure, but connection was established(((

1.zip

2.zip

Hi Alexey,

Thanks for sharing. I just figure out that this is a limitation of MFW as you can find in the release notes from nRF9160 DK - Downloads - nordicsemi.com.

- Server certificate expiry time is not verified.

I need to check with our development team for a detailed reason and will update to you later.

Best regards,

Charlie

Thanks for pointing me to the release notes. I would appreciate it if it could be possible to change.

BR,

Alexey

Thanks for pointing me to the release notes. I would appreciate it if it could be possible to change.

BR,

Alexey

Hi Alexey,

According to our modem development team, this feature has infrastructure available inside modem, but it needs the correct time and date source as input for validity check. This source is not decided yet, and it could be GNSS or LTE network or others, but this will increase memory usage and power consumption, so we put this feature as a limitation by now.

Modem's TLS stack keep server certificates in internal memory of the modem, so application cannot access them. If application want to access server certificates, TLS stack must be on application side. In this case, the application would open TCP socket and pass TLS records between application side TLS stack and modem TCP socket. Application must have knowledge of time and date in this case.

I also notice from the screenshot that the server certificate chain size is about 5K. This is beyond another limitation in release notes. 

- Maximum server certificate chain size has a limit of 4kB.

Overall, due to limited resource and low power requirement as cellular IoT device, nRF91 Modem has several limitations may affect your application development.

Best regards,

Charlie

Thank you a lot for such a great explanation. I think it is ok for now and thank you for the tip on how it can be overcome with SSL on the app side.

BR,
Alexey