nRF Connect SDK v2.6.1 - https_client works for example.com but not other hosts such as google.com

With nRF7002DK and TF-M (nrf7002dk_nrf5340_cpuapp_ns.conf) configuration, the sample project works for example.com:

*** Booting nRF Connect SDK v3.5.99-ncs1-1 ***
HTTPS client sample started
Bringing network interface up
Provisioning certificate
Connecting to the network
[00:00:04.949,981] <inf> wifi_mgmt_ext: Connection requested
[00:00:09.183,044] <inf> net_dhcpv4: Received: 192.168.101.16
Network connectivity established and IP address assigned
Looking up example.com
Resolved 93.184.215.14 (AF_INET)
Connecting to example.com:443
Sent 61 bytes
Received 377 bytes

> HTTP/1.1 200 OK

Finished, closing socket.
Network connectivity lost
Disconnected from the network

However, replace the host with google.com and its associated CA:

[00:00:45.647,186] <inf> wifi_mgmt_ext: Connection requested
[00:00:49.878,845] <inf> net_dhcpv4: Received: 192.168.101.16
Network connectivity established and IP address assigned
Looking up google.com
Resolved 142.250.191.206 (AF_INET)
Connecting to google.com:443
connect() failed, err (22): Invalid argument
Network connectivity lost
Disconnected from the network

  • I reviewed a similar question for an older version: Cannot use the https_client sample with a hostname other than example.com. Was there a fix for that? Should I try a non-TF-M build and replace the default cipher suite?

  • Hi Ji

    I'm looking into your issue and will get back to you tomorrow when I have had the time to look into it.

    Regards

    Runar

  • I expect the issue is related to the following.

    Obtaining a certificate

    The sample connects to www.example.com, which requires an X.509 certificate. This certificate is provided in the samples/net/https_client/cert folder. The certificate is automatically converted to a HEX format in the CMakeLists.txt file. The generated .inc file is then included in the code, where it is provisioned to the modem.

    To connect to other servers, you might need to provision a different certificate. See Certificates for more information.

    Regards

    Runar

  • Yes. I did export the certificate from google.com. Here is the file content:

    The error I got was with this certificate.

  • Hi

    Could you try this

    The issue was fixed by setting CONFIG_MBEDTLS_MPI_MAX_SIZE to 512.

    • The Kconfig variable is the mbedTLS internal buffer size.
    • The nRF Security default is 384 / 256.
    • Google uses an RSA 4096-bit key, which needs a 512-byte buffer.
    • When mbedTLS finds that the internal buffer is inadequate to store the RSA key, it reports an error.

    The option is specified in file 'ncs/nrf/subsys/nrf_security/Kconfig.legacy'.

    config MBEDTLS_MPI_MAX_SIZE
    	int
    	prompt "Maximum number of bytes for usable MPIs." if !(CC312_BACKEND || CC310_BACKEND)
    	default 256 if CC310_BACKEND
    	default 384 if CC312_BACKEND
    	range 256 2048

    Regards

    Runar
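
    Runar's explanation above gives a quick pre-flight check: measure the RSA modulus in the certificate chain's keys and compare it with CONFIG_MBEDTLS_MPI_MAX_SIZE. The Python below is an added example, not code from this thread or the nRF Connect SDK; it walks a DER SubjectPublicKeyInfo (the structure you get from the server's leaf or CA certificate) and the sample input is a constructed fake 4096-bit key, not a real one.

```python
# Constructed example (not code from the thread or the nRF Connect SDK):
# a minimal DER walker that measures the RSA modulus in a certificate's
# SubjectPublicKeyInfo and applies the CONFIG_MBEDTLS_MPI_MAX_SIZE bound
# from the post above. Sample SPKI data is constructed, not a real key.

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: count of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length

def _expect(tag: int, want: int, what: str) -> None:
    if tag != want:
        raise ValueError(f"expected {what} (tag 0x{want:02x}), got 0x{tag:02x}")

def rsa_modulus_bytes(spki_der: bytes) -> int:
    """Byte length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    tag, start, _ = _read_tlv(spki_der, 0)
    _expect(tag, 0x30, "SubjectPublicKeyInfo SEQUENCE")
    tag, _, alg_end = _read_tlv(spki_der, start)
    _expect(tag, 0x30, "AlgorithmIdentifier")
    tag, bits, _ = _read_tlv(spki_der, alg_end)
    _expect(tag, 0x03, "subjectPublicKey BIT STRING")
    tag, seq, _ = _read_tlv(spki_der, bits + 1)   # skip unused-bits octet
    _expect(tag, 0x30, "RSAPublicKey SEQUENCE")
    tag, n0, n1 = _read_tlv(spki_der, seq)
    _expect(tag, 0x02, "modulus INTEGER")
    modulus = spki_der[n0:n1].lstrip(b"\x00")    # drop sign-padding zero
    return len(modulus)

def fits_mpi_max_size(modulus_bytes: int, mpi_max_size: int) -> bool:
    """True if a key of this size fits the mbedTLS MPI buffer (in bytes)."""
    return modulus_bytes <= mpi_max_size

def _tlv(tag: int, body: bytes) -> bytes:
    """DER-encode one element, using long-form length when needed."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def sample_spki(key_bits: int) -> bytes:
    """Constructed SPKI with a fake RSA modulus of key_bits bits (MSB set)."""
    modulus = b"\x00" + b"\xA5" * (key_bits // 8)   # leading 0x00: positive
    rsa_pub = _tlv(0x30, _tlv(0x02, modulus) + _tlv(0x02, b"\x01\x00\x01"))
    alg = _tlv(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_pub))
```

    A 4096-bit modulus measures 512 bytes, which exceeds the 384 (CC312) and 256 (CC310) defaults quoted above and only passes once CONFIG_MBEDTLS_MPI_MAX_SIZE is raised to 512.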

  • Thanks for the suggestion! The error has changed to this:

    [00:00:02.171,966] <inf> wifi_mgmt_ext: Connection requested
    [00:00:06.409,637] <inf> net_dhcpv4: Received: 192.168.101.16
    Network connectivity established and IP address assigned
    Looking up google.com
    Resolved 142.250.191.206 (AF_INET)
    Connecting to google.com:443
    Sent 60 bytes
    Received 631 bytes

    > HTTP/1.1 301 Moved Permanently

    Finished, closing socket.
    Network connectivity lost
    Disconnected from the network

    Not sure why google.com is not happy about the HEAD message, which typically just shows the response size for GET. What response did you get?

  • Hi

    On my end I only got error 113, so I need to dig a bit more.

    Regards

    Runar

  • Here are excerpts from the unified diff of my changes in main.c:

    /* Null terminate certificate if running Mbed TLS on the application core.
    * Required by TLS credentials API.
    @@ -133,7 +190,7 @@ int tls_setup(int fd)
    REQUIRED = 2,
    };

    - verify = REQUIRED;
    + verify = NONE;

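    Review bot: the `+ verify = NONE;` line turns off server certificate verification for the TLS session, so a connection that succeeds with this patch no longer tells you whether the provisioned CA certificate or the MPI size setting is correct, and the client would accept any certificate presented on port 443. Keep `verify = REQUIRED;` for the real test and chase the verification failure instead; if a run without verification is needed to isolate the failure, keep it in a throwaway build rather than in main.c.
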
    @@ -295,6 +352,12 @@ clean_up:
    int main(void)
    {
    int err;
    + struct timeval tv;
    +
    + // tv.tv_sec = (long long)1720188274;
    + tv.tv_sec = (long long)1720630997;
    +
    + clock_settime(CLOCK_REALTIME, &tv);

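    Review bot: `clock_settime(CLOCK_REALTIME, &tv)` is passed a `struct timeval`, but `clock_settime` takes a `const struct timespec *`; the second field is `tv_nsec`, not `tv_usec`, and it is never initialised here, so the call either rejects the garbage nanosecond field with EINVAL or skews the clock it sets, and its return value is not checked. Declare `struct timespec ts = { .tv_sec = 1720630997, .tv_nsec = 0 };`, check the return code, and note that a hard-coded epoch will eventually fall outside the certificates' validity window, so obtaining time from the network (for example SNTP) is the durable fix.
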
    I added the set time to make sure that the date is good for the certificates if it is used.

  • Hi

    Could you try changing from google.com to www.google.com?

    Regards

    Runar

  • Yes. With www.google.com, I got 200 OK:

    *** Booting nRF Connect SDK v3.5.99-ncs1-1 ***
    HTTPS client sample started
    Bringing network interface up
    Provisioning certificate
    Connecting to the network
    [00:00:04.977,996] <inf> wifi_mgmt_ext: Connection requested
    [00:00:09.221,099] <inf> net_dhcpv4: Received: 192.168.101.16
    Network connectivity established and IP address assigned
    Looking up www.google.com
    Resolved 142.250.191.196 (AF_INET)
    Connecting to www.google.com:443
    Sent 64 bytes
    Received 1091 bytes

    > HTTP/1.1 200 OK

    Finished, closing socket.
    Network connectivity lost
    Disconnected from the network
