Issue with TLS on nRF7002DK

I believe I'm having a similar issue to the one in this ticket: "nRF7002DK and TLS Sockets -7100 error".

[00:00:23.640,411] <err> net_sock_tls: TLS handshake error: -0x2700
[00:00:23.649,475] <err> mqtt_helper: mqtt_connect, error: -113
[00:00:23.649,475] <err> aws_iot: mqtt_helper_connect, error: -113
[00:00:23.649,475] <err> beacon_v3: aws_iot_connect, error: -113

I'm trying to connect to AWS IoT Core with an nRF7002DK, basing my work on the AWS IoT sample. I'm building the project for the nrf7002dk/nrf5340/cpuapp/ns target with NCS version 2.7.0. I'm adding Amazon Root CA 1 like this:

/* Register the CA that the TLS socket layer will use to verify the broker's
 * certificate chain, under the MQTT helper's security tag. sizeof() on the
 * string-literal array counts the trailing NUL, which mbedTLS expects to be
 * included in the length of a PEM buffer. Despite the log text below, this is
 * the CA/root certificate, not the device's own public certificate.
 * NOTE(review): a trusted root alone is not enough against AWS IoT: the broker
 * also needs SNI (CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION), otherwise the
 * chain it presents will not verify against this root. */
err = tls_credential_add(CONFIG_MQTT_HELPER_SEC_TAG, TLS_CREDENTIAL_CA_CERTIFICATE,
				 ca_certificate, sizeof(ca_certificate));
	/* A negative return is an errno-style failure code; propagate it. */
	if (err < 0) {
		LOG_ERR("Failed to register public certificate: %d", err);
		return err;
	}

and the certificate is defined in a header file like this:

/*
 * Amazon Root CA 1 in PEM form, used as the trust anchor for the broker's
 * certificate chain.
 *
 * Initialising an unsigned char array from a string literal appends a
 * terminating NUL, so sizeof(ca_certificate) is the PEM text length plus one.
 * That is what tls_credential_add() should be given: mbedTLS requires the
 * length of a PEM buffer to include the terminator. The braces and line
 * continuations of the original definition are not needed for a string
 * initialiser and have been dropped; the bytes are unchanged.
 */
static const unsigned char ca_certificate[] =
	"-----BEGIN CERTIFICATE-----\n"
	"MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF\n"
	"ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6\n"
	"b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL\n"
	"MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv\n"
	"b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj\n"
	"ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM\n"
	"9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw\n"
	"IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6\n"
	"VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L\n"
	"93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm\n"
	"jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
	"AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA\n"
	"A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI\n"
	"U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs\n"
	"N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv\n"
	"o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU\n"
	"5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy\n"
	"rqXRfboQnoZsG4q5WTP468SQvvG5\n"
	"-----END CERTIFICATE-----";

so I'm fairly sure the CA certificate itself is not wrong (and sizeof() on the string-literal array counts the trailing NUL, which mbedTLS's PEM parser expects to be included). I'm also adding the private key and device certificate.

My prj.conf file is

# CONFIG_HEAP_MEM_POOL_SIZE=120000
CONFIG_WIFI=y
CONFIG_WIFI_NRF700X=y
# CONFIG_WIFI_MGMT_EXT=y
CONFIG_WIFI_CREDENTIALS=y

CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
# WPA supplicant
CONFIG_WPA_SUPP=y
# Networking
CONFIG_NETWORKING=y
CONFIG_NET_SOCKETS=y
CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
CONFIG_MBEDTLS_RSA_C=y
CONFIG_BASE64=y
CONFIG_MQTT_LIB_TLS=y
CONFIG_AWS_IOT=y
CONFIG_AWS_IOT_CLIENT_ID_STATIC="test-bcn3"
CONFIG_AWS_IOT_BROKER_HOST_NAME="sample.com"
# CONFIG_AWS_IOT_SEC_TAG=1
CONFIG_MQTT_HELPER_SEC_TAG=200
CONFIG_MQTT_HELPER_PROVISION_CERTIFICATES=n
# NOTE: CONFIG_NET_LOG is set to y again under "# Logging" further down; the
# later assignment wins, so this line is effectively ignored.
CONFIG_NET_LOG=n
CONFIG_NET_IPV4=y
CONFIG_NET_UDP=y
CONFIG_NET_TCP=y
CONFIG_NET_DHCPV4=y
# Networking
# NOTE: CONFIG_NETWORKING, CONFIG_NET_IPV4, CONFIG_NET_UDP and CONFIG_NET_SOCKETS
# below repeat the block above; duplicate assignments in one fragment may
# trigger Kconfig "set more than once" warnings, and the last occurrence wins.
CONFIG_NETWORKING=y
CONFIG_NET_NATIVE=y
CONFIG_NET_L2_PPP=y
CONFIG_NET_IPV4=y
CONFIG_NET_UDP=y
CONFIG_NET_SOCKETS=y
CONFIG_NET_CONTEXT_RCVTIMEO=y
CONFIG_NET_INTERFACE_NAME=y
# DNS
CONFIG_DNS_RESOLVER=y
CONFIG_NET_L2_PPP_OPTION_DNS_USE=y

# Network management
CONFIG_NET_MGMT=y
CONFIG_NET_MGMT_EVENT=y
CONFIG_NET_CONNECTION_MANAGER=y

CONFIG_NET_IF_UNICAST_IPV4_ADDR_COUNT=2
CONFIG_NET_MAX_CONTEXTS=8
CONFIG_NET_CONTEXT_SYNC_RECV=y

CONFIG_INIT_STACKS=y

CONFIG_NET_L2_ETHERNET=y

CONFIG_NET_CONFIG_SETTINGS=y
CONFIG_NET_CONFIG_INIT_TIMEOUT=0

CONFIG_NET_SOCKETS_POLL_MAX=10

# Memories
CONFIG_MAIN_STACK_SIZE=4096
CONFIG_NET_TX_STACK_SIZE=4096
CONFIG_NET_RX_STACK_SIZE=4096

# Kernel options
CONFIG_ENTROPY_GENERATOR=y

# Benchmarking
CONFIG_POSIX_MAX_FDS=16

CONFIG_BT=y
CONFIG_BT_SMP=y
CONFIG_BT_PERIPHERAL=y
CONFIG_BT_CENTRAL=y
CONFIG_BT_MAX_CONN=2

CONFIG_BT_SCAN=y
CONFIG_BT_SCAN_FILTER_ENABLE=y
CONFIG_BT_SCAN_UUID_CNT=1

CONFIG_BT_GATT_CLIENT=y
CONFIG_BT_GATT_DM=y
CONFIG_BT_THROUGHPUT=y

CONFIG_BT_USER_DATA_LEN_UPDATE=y
CONFIG_BT_USER_PHY_UPDATE=y
CONFIG_BT_GAP_AUTO_UPDATE_CONN_PARAMS=n

CONFIG_BT_BUF_ACL_RX_SIZE=502
CONFIG_BT_ATT_PREPARE_COUNT=2
CONFIG_BT_CONN_TX_MAX=10
CONFIG_BT_L2CAP_TX_BUF_COUNT=10
CONFIG_BT_L2CAP_TX_MTU=498
CONFIG_BT_BUF_ACL_TX_SIZE=502
CONFIG_BT_L2CAP_DYNAMIC_CHANNEL=y

CONFIG_NRF700X_MAX_TX_PENDING_QLEN=12
CONFIG_NRF700X_QSPI_LOW_POWER=n

#Added to fix BLE crash in coex enable cases.
CONFIG_NRF_RPC=n
CONFIG_NRF_RPC_CBOR=n

# CONFIG_POSIX_API=y
CONFIG_NET_SOCKETS_POSIX_NAMES=y

# Logging
CONFIG_LOG=y
CONFIG_NET_LOG=y
CONFIG_WIFI_LOG_LEVEL_DBG=y
CONFIG_LOG_DEFAULT_LEVEL=3
CONFIG_BEACON_V3_LOG_LEVEL_INF=y

and my nrf7002dk_nrf5340_cpuapp_ns.conf file is

#
# Copyright (c) 2024 Nordic Semiconductor ASA
#
# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
#
CONFIG_TFM_PROFILE_TYPE_NOT_SET=y
# Using hardware crypto accelerator
CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
CONFIG_MBEDTLS_HEAP_SIZE=81920
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
# TLS credentials
CONFIG_TLS_CREDENTIALS_BACKEND_PROTECTED_STORAGE=y
# Native network stack
CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
# NOTE: duplicates the CONFIG_MBEDTLS_HEAP_SIZE=81920 assignment above.
CONFIG_MBEDTLS_HEAP_SIZE=81920
CONFIG_MBEDTLS_RSA_C=y

# NET Sockets
CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=2

If I try to implement the workaround from the ticket referenced above, my project doesn't build because of Kconfig dependency errors. Is this still a known issue, or was it fixed sometime between NCS 2.4.0 and 2.7.0?

  • Yes I followed all those instructions. I placed the raw .pem files in the certs directory of the AWS IoT Sample, built and ran, and now I get

    [00:00:48.535,827] <err> mqtt_helper: mqtt_connect, error: -2
    [00:00:48.544,433] <err> aws_iot: mqtt_helper_connect, error: -2
    [00:00:48.553,314] <err> aws_iot_sample: aws_iot_connect, error: -2
    [00:00:48.562,438] <err> aws_iot_sample: Fatal error! Rebooting the device.

    Edit: I figured out that I had my CONFIG_MQTT_HELPER_CERTIFICATES_FOLDER variable set incorrectly (-2 is -ENOENT, i.e. the credential files were not found). However, now I'm getting the same error that I had initially.

  • Hi,

    esisk said:
    However, now I'm getting the same error that I had initially.

    I see that you initially got 

    <err> mqtt_helper: mqtt_connect, error: -113
    <err> aws_iot: mqtt_helper_connect, error: -113
    

    and now you are getting
    <err> mqtt_helper: mqtt_connect, error: -2
    <err> aws_iot: mqtt_helper_connect, error: -2
    

    What do you mean by "getting the same error"? Could you please clarify this?

    Could you provide complete log?

    Best regards,
    Dejan


    By getting the same error, I mean that I'm getting mqtt_connect, error: -113 (this appears to be -ECONNABORTED, which Zephyr's TLS socket layer reports when the handshake fails; the mbedTLS code behind it was the -0x2700 in my first log). Here's the entire log:

    *** Booting nRF Connect SDK v2.7.0-5cb85570ca43 ***
    *** Using Zephyr OS v3.6.99-100befc70c74 ***
    [00:00:00.261,260] <inf> aws_iot_sample: The AWS IoT sample started, version: v1.0.0
    [00:00:00.271,636] <inf> aws_iot_sample: Bringing network interface up and connecting to the network
    [00:00:00.289,581] <dbg> mqtt_helper: mqtt_helper_poll_loop: Waiting for connection_poll_sem
    [00:00:00.338,867] <inf> wifi_mgmt_ext: Connection requested
    [00:00:00.354,278] <dbg> mqtt_helper: mqtt_state_set: State transition: MQTT_STATE_UNINIT --> MQTT_STATE_DISCONNECTED
    uart:~$ > wifi connect -s ssid -p pw -k 1
    wifi connect -s ssid -p pw -k 1
    Connection requested
    Connected
    [00:00:11.434,204] <inf> aws_iot_sample: Network connectivity established
    [00:00:16.443,664] <inf> aws_iot_sample: Connecting to AWS IoT
    [00:00:16.452,362] <dbg> mqtt_helper: broker_init: Resolving IP address for iot.dev.slatesafety.com
    [00:00:16.560,272] <dbg> mqtt_helper: broker_init: IPv4 Address found 52.54.218.138 (AF_INET)
    [00:00:16.571,441] <inf> mqtt_helper: Provision cert success
    [00:00:16.579,742] <dbg> mqtt_helper: mqtt_state_set: State transition: MQTT_STATE_DISCONNECTED --> MQTT_STATE_TRANSPORT_CONNECTING
    [00:00:17.064,300] <err> mqtt_helper: mqtt_connect, error: -113
    [00:00:17.073,089] <dbg> mqtt_helper: mqtt_state_set: State transition: MQTT_STATE_TRANSPORT_CONNECTING --> MQTT_STATE_DISCONNECTED
    [00:00:17.087,554] <err> aws_iot: mqtt_helper_connect, error: -113
    [00:00:17.096,588] <err> aws_iot_sample: aws_iot_connect, error: -113
    [00:00:17.105,926] <err> aws_iot_sample: Fatal error! Rebooting the device.

    Looking at the mbed TLS source on GitHub, I see that -0x2700 means

    /** Certificate verification failed, e.g. CRL, CA or signature check failed. */
    #define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED               -0x2700

    If I change

    tls_cfg->peer_verify	        = TLS_PEER_VERIFY_REQUIRED;

    to

    tls_cfg->peer_verify	        = TLS_PEER_VERIFY_NONE;

    the sample connects to the MQTT broker successfully, so the failure is in verifying the broker's certificate chain against the configured CA. (TLS_PEER_VERIFY_NONE is only useful as a diagnostic: it disables server authentication entirely, so the device would hand its client certificate and key to whatever host answers at that address. It must not be left in production firmware.)

    1. The CA certificate is formatted incorrectly
    2. My sample is missing some crypto config variable being set
    3. There's not enough heap memory for the TLS operations

    I think (1) is unlikely because I included the raw PEM files in my certs directory. They are formatted the same way as my device certificate and private key, and with peer verification disabled I am able to connect to the server and publish messages.

    I think 3 is unlikely because I have set

    CONFIG_MBEDTLS_HEAP_SIZE=120000

    which should be plenty of space. I'll include the entire config files that I'm using for the AWS IoT sample.

    nrf7002dk_nrf5340_cpuapp_ns.conf

    #
    # Copyright (c) 2023 Nordic Semiconductor ASA
    #
    # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
    #
    
    # Configuration file for nRF7002 DK
    # This file is merged with prj.conf in the application folder, and options
    # set here will take precedence if they are present in both files.
    
    # General
    CONFIG_POSIX_CLOCK=y
    CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=4096
    CONFIG_HEAP_MEM_POOL_SIZE=81920
    CONFIG_LOG_MODE_IMMEDIATE=y
    CONFIG_HW_STACK_PROTECTION=y
    CONFIG_HW_ID_LIBRARY_SOURCE_NET_MAC=y
    CONFIG_POSIX_MAX_FDS=25
    
    # Optimize Wi-Fi stack to save some memory
    CONFIG_NRF700X_RX_NUM_BUFS=16
    CONFIG_NRF700X_MAX_TX_AGGREGATION=4
    
    # Wi-Fi
    CONFIG_WIFI=y
    CONFIG_WIFI_NRF700X=y
    CONFIG_WIFI_MGMT_EXT=y
    CONFIG_WIFI_CREDENTIALS=y
    CONFIG_FLASH=y
    CONFIG_FLASH_PAGE_LAYOUT=y
    CONFIG_FLASH_MAP=y
    
    # Shell
    CONFIG_SHELL=y
    CONFIG_SHELL_STACK_SIZE=6144
    
    # WPA
    CONFIG_WPA_SUPP=y
    
    # NET sockets
    CONFIG_NET_L2_ETHERNET=y
    CONFIG_NET_UDP=y
    CONFIG_NET_TCP=y
    CONFIG_NET_SOCKETS_OFFLOAD=n
    CONFIG_NET_DHCPV4=y
    CONFIG_NET_CONTEXT_SNDTIMEO=y
    CONFIG_NET_CONTEXT_RCVTIMEO=y
    CONFIG_NET_RX_STACK_SIZE=2048
    
    # DNS
    CONFIG_DNS_RESOLVER=y
    CONFIG_NET_SOCKETS_DNS_TIMEOUT=30000
    
    # Make the MQTT helper library provision credentials prior to establishing a TLS connection.
    # Credentials needs to be pasted into their respective entry under samples/net/aws_iot/certs/.
    CONFIG_MQTT_HELPER_PROVISION_CERTIFICATES=y
    
    # Native network stack
    CONFIG_NRF_SECURITY=y
    CONFIG_MBEDTLS=y
    CONFIG_MBEDTLS_ENABLE_HEAP=y
    CONFIG_MBEDTLS_HEAP_SIZE=120000
    CONFIG_MBEDTLS_RSA_C=y
    
    # NET Sockets
    CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
    CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=2
    
    # Zephyr NET Connection Manager Connectivity layer.
    CONFIG_L2_WIFI_CONNECTIVITY=y
    CONFIG_L2_WIFI_CONNECTIVITY_AUTO_CONNECT=n
    CONFIG_L2_WIFI_CONNECTIVITY_AUTO_DOWN=n
    
    # Serial Peripheral Interface (SPI) - Used to communicate with the mx25r64 external flash memory.
    CONFIG_SPI=y
    CONFIG_SPI_NOR=y
    CONFIG_SPI_NOR_SFDP_DEVICETREE=y
    CONFIG_PM_OVERRIDE_EXTERNAL_DRIVER_CHECK=y
    
    # Bootloader and FOTA related configurations
    
    # MCUBOOT
    CONFIG_BOOTLOADER_MCUBOOT=y
    CONFIG_MCUBOOT_USE_ALL_AVAILABLE_RAM=y
    CONFIG_MCUBOOT_IMG_MANAGER=y
    
    # Image manager
    CONFIG_IMG_MANAGER=y
    CONFIG_STREAM_FLASH=y
    CONFIG_IMG_ERASE_PROGRESSIVELY=y
    
    # AWS FOTA
    CONFIG_AWS_FOTA=y
    CONFIG_FOTA_DOWNLOAD=y
    CONFIG_DFU_TARGET=y
    
    # Download client (needed by AWS FOTA)
    CONFIG_DOWNLOAD_CLIENT=y
    CONFIG_DOWNLOAD_CLIENT_STACK_SIZE=4096
    CONFIG_DOWNLOAD_CLIENT_BUF_SIZE=4096
    CONFIG_DOWNLOAD_CLIENT_HTTP_FRAG_SIZE_4096=y
    
    # TLS credentials
    # NOTE: with the protected-storage backend left disabled, the TLS credentials
    # library presumably falls back to its default volatile (RAM) backend, and the
    # certificates and private key are re-provisioned from the firmware image on
    # every boot (see CONFIG_MQTT_HELPER_PROVISION_CERTIFICATES above).
    # CONFIG_TLS_CREDENTIALS_BACKEND_PROTECTED_STORAGE=y
    
    # Optimize TF-M
    CONFIG_TFM_PROFILE_TYPE_SMALL=y
    CONFIG_PM_PARTITION_SIZE_TFM_SRAM=0xc000
    CONFIG_PM_PARTITION_SIZE_TFM=0x1fe00
    

    and prj.conf

    #
    # Copyright (c) 2020 Nordic Semiconductor ASA
    #
    # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
    #
    
    # General
    CONFIG_LOG=y
    CONFIG_LOG_BUFFER_SIZE=2048
    CONFIG_HW_ID_LIBRARY=y
    CONFIG_ASSERT=y
    CONFIG_JSON_LIBRARY=y
    CONFIG_REBOOT=y
    
    # Heap and stacks
    CONFIG_HEAP_MEM_POOL_SIZE=8192
    CONFIG_MAIN_STACK_SIZE=4096
    CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=2048
    
    # Network
    CONFIG_NETWORKING=y
    CONFIG_NET_NATIVE=y
    CONFIG_NET_IPV4=y
    CONFIG_NET_CONNECTION_MANAGER=y
    CONFIG_NET_L2_WIFI_SHELL=y
    
    # AWS IoT library
    CONFIG_AWS_IOT=y
    CONFIG_AWS_IOT_CLIENT_ID_STATIC="test-bcn3"
    CONFIG_MQTT_HELPER_SEC_TAG=301
    CONFIG_MQTT_HELPER_CERTIFICATES_FOLDER="src/certs"
    CONFIG_AWS_IOT_BROKER_HOST_NAME="sample.com"
    CONFIG_AWS_IOT_TOPIC_UPDATE_DELTA_SUBSCRIBE=y
    CONFIG_AWS_IOT_TOPIC_GET_ACCEPTED_SUBSCRIBE=y
    CONFIG_AWS_IOT_TOPIC_GET_REJECTED_SUBSCRIBE=y
    CONFIG_MBEDTLS_SERVER_NAME_INDICATION=y
    
    # MQTT helper library
    CONFIG_MQTT_HELPER=y
    CONFIG_MQTT_HELPER_LAST_WILL=y
    CONFIG_MQTT_HELPER_STACK_SIZE=4096
    CONFIG_MQTT_HELPER_LOG_LEVEL_DBG=y
    
    # MQTT - Maximum MQTT keepalive timeout specified by AWS IoT Core
    CONFIG_MQTT_KEEPALIVE=1200
    CONFIG_MQTT_CLEAN_SESSION=y
    

  • Hi,

    To check ca_certificate[], you could try defining it as described in Lesson 5 of the Wi-Fi Fundamentals course. When you do that, do you still get the same -113 error?

    Best regards,
    Dejan

    Thanks for pointing me in this direction. Once I set CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION=y, both the sample and my project worked. (AWS IoT Core requires SNI; without the extension the broker presents a certificate chain that does not verify against Amazon Root CA 1, which matches the -0x2700 verification failure. Note that the sample's prj.conf above sets CONFIG_MBEDTLS_SERVER_NAME_INDICATION=y, without the "SSL_" part, which appears to be a different Kconfig symbol and so did not enable SNI under nrf_security.)
