https_client certificate change: "Certificate mismatch" error

nRF Connect VS Code Extension (v2.7.0); Windows; nRF9160DK; https_client example application


Hello,

I am currently working with the Nordic nRF9160DK and am using the https_client example from the examples in the nRF Connect via VS Code, and as far as I know it is the latest release (v2.7.0). I have already successfully established a connection with example.com and was able to send/receive data. However, I am having some issues when attempting to change the certificate. I am attempting to connect to dweet.io, and when running the demo, I receive an output which says "Certificate mismatch" and "err: 111" (see image below):

I made the following changes to the source code based on what seemed like it had needed changing and based on previous DevZone posts I have seen with similar issues. I linked the main issue that I followed here: "changing certificate in https_client sample"

I also referenced the following documentation: https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/libraries/modem/modem_key_mgmt.html#cert-dwload 

Added the .pem file (filename dweet.io.pem) in the /cert directory, as well as added "...\n":

Updated the certificate definition in main.c:

Changed HTTPS_HOSTNAME in kconfig:

Any help in resolving this issue would be greatly appreciated.

  • Thank you for the information.

    The 2kB limitation is inside the modem itself and cannot be changed, unfortunately.

    Do you know if this is specific to the 9160DK board or if this limit is for any device that is using the nRF9160 chip for development?

  • The nRF9160 SiP is an Arm Cortex M33 which includes an application core and a modem. The limit is inside of the LTE modem, which means all nRF91-series are currently limited by this 2kB limit. 

    From the modem FW release notes:

    *** Limitations
    ***************
    - TLS/DTLS
        - Secure socket buffer size is 2kB.
        - Maximum length of DTLS datagram is 1kB.
        - One TLS handshake at a time is supported.
        - Concurrent secure connections
            - Maximum server certificate chain size has a limit of 4kB.
            - Two active connections are supported when serialized DTLS connection exists.
            - Two active connections are supported when client certificate size is over 1kB.
            - Two active connections are supported when GNSS acquisition is active.
            - Three active connections are supported when client certificate size is 1kB or less.
            - Four serialized DTLS connections are supported.
        - Server certificate expiry time is not verified.
        - pkcs#8 is not supported.
        - Maximum number of supported credentials is 32. The actual amount depends on size of
          credentials as memory area reserved for credentials may be a limiting factor as well.
     


    The issue can easily be worked around by ensuring that you use certificates of the correct size, which are designed for IoT devices and not PCs/browsers.
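
A host-side check for the 2kB limit discussed in this thread, as an added example (not code from the original posts or from Nordic): it measures the certificate file placed in the /cert directory before it is built into the firmware, accepting plain PEM or the per-line "...\n" quoted form the question mentions. Assumptions: the limit is compared against the PEM text size (the thread does not say whether the PEM or the DER size counts, so both are reported), and all function names are hypothetical.

```python
import base64
import re

LIMIT_BYTES = 2048  # the 2kB limit discussed in this thread
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\n(.*?)\n-----END CERTIFICATE-----", re.S)


def normalize(text):
    """Return plain PEM, undoing per-line C-string quoting if it is present."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if len(line) >= 2 and line[0] == '"' and line[-1] == '"':
            line = line[1:-1]
        if line.endswith("\\n"):  # literal backslash + n left by the quoted form
            line = line[:-2]
        if line:
            lines.append(line)
    return "\n".join(lines) + "\n"


def audit(text, limit=LIMIT_BYTES):
    """Measure every certificate in the file and compare the total to the limit."""
    pem = normalize(text)
    certs = []
    for m in PEM_BLOCK.finditer(pem):
        der = base64.b64decode(m.group(1).replace("\n", ""), validate=True)
        certs.append({"pem_bytes": len(m.group(0)) + 1, "der_bytes": len(der)})
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    total = len(pem)
    return {"certs": certs, "total_pem_bytes": total, "fits": total <= limit}


def make_pem(der):
    """Wrap raw bytes as a PEM block (only used to build the constructed samples)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Constructed samples: filler bytes, not real certificates.
    small = make_pem(bytes(900))
    large = make_pem(bytes(1800))
    quoted = "".join(f'"{line}\\n"\n' for line in large.splitlines())
    for name, text in [("small", small), ("large", large), ("large, quoted", quoted)]:
        print(name, audit(text))
```

The 1800-byte sample is under 2kB as DER but over it as PEM text, and a file holding more than one certificate block is counted as a whole.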

  • Hello, I am using the nRF9160 dev kit, have hosted a sample file on github.com, and am trying to download the file using the HTTP download example. I am getting HTTP connect error -111. It looks like it's a certificate error. What are the steps to generate certificates (size should be < 2kb) for this site: raw.githubusercontent.com/.../README.txt
