RE: Issue with TLS on nRF7002DK

dejans — Thu, 17 Oct 2024 14:36:09 GMT

Hi,

This is great to hear! Thank you for the update.

Best regards,
Dejan

RE: Issue with TLS on nRF7002DK

esisk — Tue, 15 Oct 2024 13:08:56 GMT

Thanks for pointing me in this direction. Once, I set CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION=y, both the sample and my project worked.

RE: Issue with TLS on nRF7002DK

dejans — Mon, 14 Oct 2024 14:47:40 GMT

Hi,

To check ca_certificate[], you could try to specify your ca_certificate[] as mentioned in the lesson 5 of Wi-Fi Fundamentals course. When you do that, do you still get the same error -113?

Best regards,
Dejan

RE: Issue with TLS on nRF7002DK

esisk — Mon, 14 Oct 2024 11:35:37 GMT

By getting the same error, I mean that I'm getting mqtt_connect, error: -113. Here's the entire log:

*** Booting nRF Connect SDK v2.7.0-5cb85570ca43 ***
*** Using Zephyr OS v3.6.99-100befc70c74 ***
[00:00:00.261,260] <inf> aws_iot_sample: The AWS IoT sample started, version: v1.0.0
[00:00:00.271,636] <inf> aws_iot_sample: Bringing network interface up and connecting to the network
[00:00:00.289,581] <dbg> mqtt_helper: mqtt_helper_poll_loop: Waiting for connection_poll_sem
[00:00:00.338,867] <inf> wifi_mgmt_ext: Connection requested
[00:00:00.354,278] <dbg> mqtt_helper: mqtt_state_set: State transition: MQTT_STATE_UNINIT --> MQTT_STATE_DISCONNECTED
uart:~$ > wifi connect -s ssid -p pw -k 1
wifi connect -s ssid -p pw -k 1
Connection requested
Connected
[00:00:11.434,204] <inf> aws_iot_sample: Network connectivity established
[00:00:16.443,664] <inf> aws_iot_sample: Connecting to AWS IoT
[00:00:16.452,362] <dbg> mqtt_helper: broker_init: Resolving IP address for iot.dev.slatesafety.com
[00:00:16.560,272] <dbg> mqtt_helper: broker_init: IPv4 Address found 52.54.218.138 (AF_INET)
[00:00:16.571,441] <inf> mqtt_helper: Provision cert success
[00:00:16.579,742] <dbg> mqtt_helper: mqtt_state_set: State transition: MQTT_STATE_DISCONNECTED --> MQTT_STATE_TRANSPORT_CONNECTING
[00:00:17.064,300] <err> mqtt_helper: mqtt_connect, error: -113
[00:00:17.073,089] <dbg> mqtt_helper: mqtt_state_set: State transition: MQTT_STATE_TRANSPORT_CONNECTING --> MQTT_STATE_DISCONNECTED
[00:00:17.087,554] <err> aws_iot: mqtt_helper_connect, error: -113
[00:00:17.096,588] <err> aws_iot_sample: aws_iot_connect, error: -113
[00:00:17.105,926] <err> aws_iot_sample: Fatal error! Rebooting the device.

Looking at the mbedtls Github, I see that -0x2700 means

/** Certificate verification failed, e.g. CRL, CA or signature check failed. */
#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED               -0x2700

If I change

tls_cfg->peer_verify	        = TLS_PEER_VERIFY_REQUIRED;

tls_cfg->peer_verify	        = TLS_PEER_VERIFY_NONE;

the sample is able to connect to the MQTT broker successfully. So I know that the issue concerns the CA certificate. I've thought of a few possible root causes:

The CA certificate is formatted incorrectly
My sample is missing some crypto config variable being set
There's not enough heap memory for the TLS operations

I think 1 is unlikely because I included the raw PEM files in my certs directory. They're formatted the same as my device certificate and private key and I'm able to connect to the server and publish messages.

I think 3 is unlikely because I have set

CONFIG_MBEDTLS_HEAP_SIZE=120000

which should be plenty of space. I'll include the entire config files that I'm using for the AWS IoT sample.

nrf7002dk_nrf5340_cpuapp_ns.conf

#
# Copyright (c) 2023 Nordic Semiconductor ASA
#
# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
#

# Configuration file for nRF7002 DK
# This file is merged with prj.conf in the application folder, and options
# set here will take precedence if they are present in both files.

# General
CONFIG_POSIX_CLOCK=y
CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=4096
CONFIG_HEAP_MEM_POOL_SIZE=81920
CONFIG_LOG_MODE_IMMEDIATE=y
CONFIG_HW_STACK_PROTECTION=y
CONFIG_HW_ID_LIBRARY_SOURCE_NET_MAC=y
CONFIG_POSIX_MAX_FDS=25

# Optimize Wi-Fi stack to save some memory
CONFIG_NRF700X_RX_NUM_BUFS=16
CONFIG_NRF700X_MAX_TX_AGGREGATION=4

# Wi-Fi
CONFIG_WIFI=y
CONFIG_WIFI_NRF700X=y
CONFIG_WIFI_MGMT_EXT=y
CONFIG_WIFI_CREDENTIALS=y
CONFIG_FLASH=y
CONFIG_FLASH_PAGE_LAYOUT=y
CONFIG_FLASH_MAP=y

# Shell
CONFIG_SHELL=y
CONFIG_SHELL_STACK_SIZE=6144

# WPA
CONFIG_WPA_SUPP=y

# NET sockets
CONFIG_NET_L2_ETHERNET=y
CONFIG_NET_UDP=y
CONFIG_NET_TCP=y
CONFIG_NET_SOCKETS_OFFLOAD=n
CONFIG_NET_DHCPV4=y
CONFIG_NET_CONTEXT_SNDTIMEO=y
CONFIG_NET_CONTEXT_RCVTIMEO=y
CONFIG_NET_RX_STACK_SIZE=2048

# DNS
CONFIG_DNS_RESOLVER=y
CONFIG_NET_SOCKETS_DNS_TIMEOUT=30000

# Make the MQTT helper library provision credentials prior to establishing a TLS connection.
# Credentials needs to be pasted into their respective entry under samples/net/aws_iot/certs/.
CONFIG_MQTT_HELPER_PROVISION_CERTIFICATES=y

# Native network stack
CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=120000
CONFIG_MBEDTLS_RSA_C=y

# NET Sockets
CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=2

# Zephyr NET Connection Manager Connectivity layer.
CONFIG_L2_WIFI_CONNECTIVITY=y
CONFIG_L2_WIFI_CONNECTIVITY_AUTO_CONNECT=n
CONFIG_L2_WIFI_CONNECTIVITY_AUTO_DOWN=n

# Serial Peripheral Interface (SPI) - Used to communicate with the mx25r64 external flash memory.
CONFIG_SPI=y
CONFIG_SPI_NOR=y
CONFIG_SPI_NOR_SFDP_DEVICETREE=y
CONFIG_PM_OVERRIDE_EXTERNAL_DRIVER_CHECK=y

# Bootloader and FOTA related configurations

# MCUBOOT
CONFIG_BOOTLOADER_MCUBOOT=y
CONFIG_MCUBOOT_USE_ALL_AVAILABLE_RAM=y
CONFIG_MCUBOOT_IMG_MANAGER=y

# Image manager
CONFIG_IMG_MANAGER=y
CONFIG_STREAM_FLASH=y
CONFIG_IMG_ERASE_PROGRESSIVELY=y

# AWS FOTA
CONFIG_AWS_FOTA=y
CONFIG_FOTA_DOWNLOAD=y
CONFIG_DFU_TARGET=y

# Download client (needed by AWS FOTA)
CONFIG_DOWNLOAD_CLIENT=y
CONFIG_DOWNLOAD_CLIENT_STACK_SIZE=4096
CONFIG_DOWNLOAD_CLIENT_BUF_SIZE=4096
CONFIG_DOWNLOAD_CLIENT_HTTP_FRAG_SIZE_4096=y

# TLS credentials
# CONFIG_TLS_CREDENTIALS_BACKEND_PROTECTED_STORAGE=y

# Optimize TF-M
CONFIG_TFM_PROFILE_TYPE_SMALL=y
CONFIG_PM_PARTITION_SIZE_TFM_SRAM=0xc000
CONFIG_PM_PARTITION_SIZE_TFM=0x1fe00

and prj.conf

#
# Copyright (c) 2020 Nordic Semiconductor ASA
#
# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
#

# General
CONFIG_LOG=y
CONFIG_LOG_BUFFER_SIZE=2048
CONFIG_HW_ID_LIBRARY=y
CONFIG_ASSERT=y
CONFIG_JSON_LIBRARY=y
CONFIG_REBOOT=y

# Heap and stacks
CONFIG_HEAP_MEM_POOL_SIZE=8192
CONFIG_MAIN_STACK_SIZE=4096
CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=2048

# Network
CONFIG_NETWORKING=y
CONFIG_NET_NATIVE=y
CONFIG_NET_IPV4=y
CONFIG_NET_CONNECTION_MANAGER=y
CONFIG_NET_L2_WIFI_SHELL=y

# AWS IoT library
CONFIG_AWS_IOT=y
CONFIG_AWS_IOT_CLIENT_ID_STATIC="test-bcn3"
CONFIG_MQTT_HELPER_SEC_TAG=301
CONFIG_MQTT_HELPER_CERTIFICATES_FOLDER="src/certs"
CONFIG_AWS_IOT_BROKER_HOST_NAME="sample.com"
CONFIG_AWS_IOT_TOPIC_UPDATE_DELTA_SUBSCRIBE=y
CONFIG_AWS_IOT_TOPIC_GET_ACCEPTED_SUBSCRIBE=y
CONFIG_AWS_IOT_TOPIC_GET_REJECTED_SUBSCRIBE=y
CONFIG_MBEDTLS_SERVER_NAME_INDICATION=y

# MQTT helper library
CONFIG_MQTT_HELPER=y
CONFIG_MQTT_HELPER_LAST_WILL=y
CONFIG_MQTT_HELPER_STACK_SIZE=4096
CONFIG_MQTT_HELPER_LOG_LEVEL_DBG=y

# MQTT - Maximum MQTT keepalive timeout specified by AWS IoT Core
CONFIG_MQTT_KEEPALIVE=1200
CONFIG_MQTT_CLEAN_SESSION=y

RE: Issue with TLS on nRF7002DK

dejans — Mon, 14 Oct 2024 08:19:04 GMT

Hi,

[quote user="esisk"]However, now I'm getting the same error that I had initially.[/quote]

I see that you initially got

<err> mqtt_helper: mqtt_connect, error: -113
<err> aws_iot: mqtt_helper_connect, error: -113

and now you are getting

<err> mqtt_helper: mqtt_connect, error: -2
<err> aws_iot: mqtt_helper_connect, error: -2

What do you refer to as "getting the same error"? Could you please clarify this?

Could you provide complete log?

Best regards,
Dejan

RE: Issue with TLS on nRF7002DK

esisk — Fri, 11 Oct 2024 16:02:47 GMT

Yes I followed all those instructions. I placed the raw .pem files in the certs directory of the AWS IoT Sample, built and ran, and now I get

[00:00:48.535,827] <err> mqtt_helper: mqtt_connect, error: -2
[00:00:48.544,433] <err> aws_iot: mqtt_helper_connect, error: -2
[00:00:48.553,314] <err> aws_iot_sample: aws_iot_connect, error: -2
[00:00:48.562,438] <err> aws_iot_sample: Fatal error! Rebooting the device.

Edit: I figured out that I had my CONFIG_MQTT_HELPER_CERTIFICATES_FOLDER variable set incorrectly. However, now I'm getting the same error that I had initially.

RE: Issue with TLS on nRF7002DK

dejans — Fri, 11 Oct 2024 14:37:33 GMT

Hi,

Have you built the AWS IoT sample for nrf7002dk/nrf5340/cpuapp/ns board target?

Have you followed the setup guide and read the Note in the same setup section which specifies that for nrf70 devices certificates must be provisioned at runtime?
Documentation provides information how to generate and provision certificates for nrf70 devices.

Best regards,
Dejan