• State Not Answered
  • Replies 28 replies
  • Subscribers 69 subscribers
  • Views 1820 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 329637
Options

nRF Connect SDK v2.6.1 - https_client works for example.com but not other hosts such as google.com

jchen2024

With nRF7002DK and TF-M (nrf7002dk_nrf5340_cpuapp_ns.conf) configuration, the sample project works for example.com:

*** Booting nRF Connect SDK v3.5.99-ncs1-1 ***
HTTPS client sample started
Bringing network interface up
Provisioning certificate
Connecting to the network
[00:00:04.949,981] <inf> wifi_mgmt_ext: Connection requested
[00:00:09.183,044] <inf> net_dhcpv4: Received: 192.168.101.16
Network connectivity established and IP address assigned
Looking up example.com
Resolved 93.184.215.14 (AF_INET)
Connecting to example.com:443
Sent 61 bytes
Received 377 bytes

> HTTP/1.1 200 OK

Finished, closing socket.
Network connectivity lost
Disconnected from the network

However, replace the host with google.com and its associated CA:

[00:00:45.647,186] <inf> wifi_mgmt_ext: Connection requested
[00:00:49.878,845] <inf> net_dhcpv4: Received: 192.168.101.16
Network connectivity established and IP address assigned
Looking up google.com
Resolved 142.250.191.206 (AF_INET)
Connecting to google.com:443
connect() failed, err (22): Invalid argument
Network connectivity lost
Disconnected from the network

  • 0 in reply to jchen2024

    It is great to be able to connect to Google.com with tls sockets. When I try connecting to amazon or auth0, the connection still failed. It may have something to do with the encryption algorithms or cipher suites. Both google.com and example.com uses "PKCS #1 SHA-256 With RSA Encryption" for certification signature, auth0 uses "X9.62 ECDSA Signature with SHA-384". 

  • 0 in reply to jchen2024
    jchen2024 said:
    Yes. With www.google.com. I got 200 OK:

    That is good

    jchen2024 said:
    auth0 uses "X9.62 ECDSA Signature with SHA-384

    You could try with the Kconfig flag https://docs.nordicsemi.com/bundle/ncs-latest/page/kconfig/index.html#CONFIG_PSA_WANT_ALG_SHA_384 

    Regards

    Runar

  • 0

    From Ji Chen:

    I set up a wifi hotspot on another PC and captured the traffic between the devkit and the hotspot to get more ideas on the tls handshake message exchanges. It seems that everything works till the point devkit had received the certificate. The devkit failed to process the certificate and reset the connection.

     

    We also set up another endpoint or url with Azure. That failed at almost the same spot after receiving the certificate from the Azure host.

     

    Is there a way to log more errors/debug messages in mbedtls?

     

    Here are the error messages for Azure host:

     

    [00:00:07.855,133] <inf> net_dhcpv4: Received: 192.168.137.214

    [00:00:07.855,346] <inf> net_config: IPv4 address: 192.168.137.214

    [00:00:07.855,346] <inf> net_config: Lease time: 604800 seconds

    [00:00:07.855,377] <inf> net_config: Subnet: 255.255.255.0

    [00:00:07.855,438] <inf> net_config: Router: 192.168.137.1

    [00:00:07.855,651] <inf> https_client_v261: Network connectivity established and IP address assigned

    [00:00:07.856,384] <inf> https_client_v261: Looking up <EDIT>

    [00:00:08.274,078] <inf> https_client_v261: Resolved <EDIT> (AF_INET) and port: 443 and protocol 6

    [00:00:08.274,139] <inf> https_client_v261: SAMPLE_TFM_MBEDTLS not enabled

    [00:00:08.274,566] <inf> https_client_v261: Connecting to <EDIT>

    [00:00:08.602,630] <err> net_sock_tls: TLS handshake error: -0x7080

    [00:00:08.602,966] <err> https_client_v261: connect() failed, err: 113

    [00:00:08.624,969] <err> net_tcp: conn: 0x20057984, new bytes 441 during TIME-WAIT state send

     

    Or with the terminal:

  • 0 in reply to MJJ

    Additional information on the TLS network traffic capture, example.com and www.google.com have smaller sizes (<4k) certificates while auth0 or azure have certificates larger than 4k bytes. Is there a way to find out if the buffer is too small in mbedtls to process the larger certificates. 

  • 0 in reply to jchen2024

    Hi,

    I am sorry for the delay. Have you had any progress on this on your end?

    Br,

    Einar

Related