https client error 113https://devzone.nordicsemi.com/f/nordic-q-a/119142/https-client-error-113sample code: https client sdl version: 2.6.2 board: 7002dk question: https client cannot connect to iot.cht.com.tw log: *** Booting nRF Connect SDK v3.5.99-ncs1-2 *** HTTPS client sample started Bringing network interface up Connecting to theen-USTelligent Community 13Tue, 04 Mar 2025 14:47:39 GMTRE: https client error 113https://devzone.nordicsemi.com/thread/525765?ContentTypeID=1Tue, 04 Mar 2025 14:47:39 GMT137ad170-7792-4731-bb38-c0d22fbe4515:d372a7ab-e2a2-4c97-a275-5dbad62336ffH&#229;kon Alseth<p>Hi,</p> <p>&nbsp;</p> <p>Sorry that I took so much time before responding. I have had some connectivity issues towards this server, and needed to debug that in addition to adding RSA 4096 support.</p> <p>&nbsp;</p> <p>It seems&nbsp;that there&#39;s a problem with the RSA4096 certificate support locally to the project.</p> <p>This is my added configuration, for enabling mbedtls + debug traces + RSA4096 support:</p> <p><pre class="ui-code" data-mode="text">diff --git a/samples/net/https_client/boards/nrf7002dk_nrf5340_cpuapp_ns.conf b/samples/net/https_client/boards/nrf7002dk_nrf5340_cpuapp_ns.conf index 9b3cdc5961..00da982e25 100644 --- a/samples/net/https_client/boards/nrf7002dk_nrf5340_cpuapp_ns.conf +++ b/samples/net/https_client/boards/nrf7002dk_nrf5340_cpuapp_ns.conf @@ -7,7 +7,7 @@ # General CONFIG_POSIX_CLOCK=y CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=4096 -CONFIG_HEAP_MEM_POOL_SIZE=81920 +CONFIG_HEAP_MEM_POOL_SIZE=120000 CONFIG_NET_RX_STACK_SIZE=2048 # Optimize Wi-Fi stack to save some memory @@ -68,3 +68,107 @@ CONFIG_MBEDTLS_TLS_LIBRARY=y CONFIG_TFM_PROFILE_TYPE_SMALL=y CONFIG_PM_PARTITION_SIZE_TFM_SRAM=0xc000 CONFIG_PM_PARTITION_SIZE_TFM=0x20000 + +# Added for ncs v2.6.x +CONFIG_NET_SOCKETS_TLS_SET_MAX_FRAGMENT_LENGTH=n +CONFIG_MBEDTLS_MPI_MAX_SIZE=512 +CONFIG_NET_LOG=y +CONFIG_NET_IPV6=n +CONFIG_MBEDTLS_DEBUG=y +CONFIG_MBEDTLS_SSL_DEBUG_ALL=y +CONFIG_MBEDTLS_LOG_LEVEL_DBG=y +CONFIG_MBEDTLS_DEBUG_C=y +CONFIG_MBEDTLS_DEBUG_LEVEL=4 +# Handle the large influx of prints +CONFIG_LOG_BUFFER_SIZE=16384 + +# Enable ECDSA +CONFIG_MBEDTLS_ECDSA_C=y +CONFIG_PSA_WANT_ALG_ECDSA=y +CONFIG_MBEDTLS_ECDSA_DETERMINISTIC=y +CONFIG_PSA_WANT_ALG_DETERMINISTIC_ECDSA=y +CONFIG_PSA_WANT_ALG_HMAC=y # dependency for DETERMINISTIC_ECDSA +CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT=y # dependency for DETERMINISTIC_ECDSA + +# Enable ECC +CONFIG_MBEDTLS_ECP_C=y +CONFIG_PSA_WANT_ECC_SECP_R1_256=y + + +# NET sockets +CONFIG_NET_SOCKETS_SOCKOPT_TLS=y +CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=3 + +# nRF Security legacy MBed TLS +CONFIG_NORDIC_SECURITY_BACKEND=y +CONFIG_MBEDTLS_ENABLE_HEAP=y +CONFIG_MBEDTLS_HEAP_SIZE=120000 +CONFIG_MBEDTLS_RSA_C=y +CONFIG_MBEDTLS_PSA_CRYPTO_C=y +CONFIG_MBEDTLS=y +CONFIG_MBEDTLS_TLS_LIBRARY=y +CONFIG_MBEDTLS_SSL_SRV_C=y +CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN=16384 +CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN=16384 + +# Enable TLS protocol options +CONFIG_NET_SOCKETS_TLS_SET_MAX_FRAGMENT_LENGTH=y +CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION=y + +# Enable AES +CONFIG_MBEDTLS_AES_C=y +CONFIG_MBEDTLS_CCM_C=y +CONFIG_MBEDTLS_GCM_C=y +CONFIG_MBEDTLS_CIPHER_MODE_CBC=y +CONFIG_MBEDTLS_CIPHER_PADDING_PKCS7=y + +# Enable ECC +CONFIG_MBEDTLS_ECP_C=y +CONFIG_PSA_WANT_ECC_SECP_R1_256=y + +# Enable ECDSA +CONFIG_MBEDTLS_ECDSA_C=y +CONFIG_PSA_WANT_ALG_ECDSA=y +CONFIG_MBEDTLS_ECDSA_DETERMINISTIC=y +CONFIG_PSA_WANT_ALG_DETERMINISTIC_ECDSA=y +CONFIG_PSA_WANT_ALG_HMAC=y # dependency for DETERMINISTIC_ECDSA +CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT=y # dependency for DETERMINISTIC_ECDSA + +# Enable ECDH +CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED=y +CONFIG_MBEDTLS_ECDH_C=y +CONFIG_PSA_WANT_ALG_ECDH=y + +# Enable EDCHE +CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED=y +CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED=y + +# Enable RSA +CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=y +CONFIG_MBEDTLS_PKCS1_V15=y +CONFIG_MBEDTLS_MPI_MAX_SIZE=512 +CONFIG_PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY=y +CONFIG_PSA_WANT_RSA_KEY_SIZE_2048=y +CONFIG_PSA_WANT_RSA_KEY_SIZE_4096=y + +# Enable SHA +CONFIG_MBEDTLS_SHA256_C=y +CONFIG_MBEDTLS_SHA512_C=y + +# Disable MBEDTLS modules +CONFIG_MBEDTLS_CTR_DRBG_C=n +CONFIG_MBEDTLS_CHACHA20_C=n +CONFIG_MBEDTLS_POLY1305_C=n +CONFIG_MBEDTLS_DHM_C=n +CONFIG_MBEDTLS_CMAC_C=n +CONFIG_MBEDTLS_CIPHER_MODE_CTR=n +CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED=n +CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED=n +CONFIG_MBEDTLS_SHA1_C=n + +# DNS +CONFIG_DNS_RESOLVER=y +CONFIG_NET_SOCKETS_DNS_TIMEOUT=30000 +CONFIG_NET_SOCKETS_CONNECT_TIMEOUT=30000 + +CONFIG_RESET_ON_FATAL_ERROR=n</pre></p> <p>.conf file:</p> <p><a href="https://devzone.nordicsemi.com/cfs-file/__key/communityserver-discussions-components-files/4/0385.nrf7002dk_5F00_nrf5340_5F00_cpuapp_5F00_ns.conf">devzone.nordicsemi.com/.../0385.nrf7002dk_5F00_nrf5340_5F00_cpuapp_5F00_ns.conf</a></p> <p>&nbsp;</p> <p>This now hangs while trying to connect, and returns a -11 (EAGAIN).</p> <p>However, now and again it succeeds:</p> <p><pre class="ui-code" data-mode="text">*** Booting nRF Connect SDK v3.5.99-ncs1-3 *** HTTPS client sample started Bringing network interface up Provisioning certificate CA certificate already exists, sec tag: 42 Connecting to the network [00:00:02.233,184] &lt;inf&gt; wifi_mgmt_ext: Connection requested [00:00:16.308,380] &lt;inf&gt; net_dhcpv4: Received: 192.168.1.196 Network connectivity established and IP address assigned Looking up iot.cht.com.tw Resolved 20.188.24.130 (AF_INET) Connecting to iot.cht.com.tw:443 ... Took away loads of mbedtls debug output [00:00:13.707,672] &lt;dbg&gt; mbedtls: zephyr_mbedtls_debug: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:1997: dumping &#39;raw buffer after decryption&#39; (2 bytes) [00:00:13.707,946] &lt;dbg&gt; mbedtls: zephyr_mbedtls_debug: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:1997: 0000: 01 00 .. [00:00:13.708,007] &lt;wrn&gt; mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2126: &lt;= decrypt buf [00:00:13.708,129] &lt;dbg&gt; mbedtls: zephyr_mbedtls_debug: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:4017: dumping &#39;input payload after decrypt&#39; (2 bytes) [00:00:13.708,404] &lt;dbg&gt; mbedtls: zephyr_mbedtls_debug: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:4017: 0000: 01 00 .. [00:00:13.708,526] &lt;wrn&gt; mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:5027: got an alert message, type: [1:0] [00:00:13.708,587] &lt;wrn&gt; mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:5041: is a close notify message [00:00:13.708,740] &lt;err&gt; mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:4177: mbedtls_ssl_handle_message_type() returned -30848 (-0x7880) [00:00:13.708,892] &lt;err&gt; mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:5736: mbedtls_ssl_read_record() returned -30848 (-0x7880) Received 231 bytes &gt; HTTP/1.1 403 Forbidden Finished, closing socket. [00:00:13.709,075] &lt;wrn&gt; mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:5974: =&gt; write close notify [00:00:13.709,167] &lt;wrn&gt; mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:5103: =&gt; send alert message [00:00:13.709,259] &lt;inf&gt; mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:5104: send alert level=1 message=0 [00:00:13.709,320] &lt;wrn&gt; mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2948: =&gt; write record [-5:00:13.709,411] &lt;wrn&gt; mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:0937: =&gt; encrypt buf [00:00:13.709,533] &lt;dbg&gt; mbedtls: zephyr_mbedtls_debug: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:0959: dumping &#39;before encrypt: output payload&#39; (2 bytes) [00:00:13.709,808] &lt;dbg&gt; mbedtls: zephyr_mbedtls_debug: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:0959: 0000: 01 00 .. [00:00:13.709,930] &lt;dbg&gt; mbedtls: zephyr_mbedtls_debug: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:1186: dumping &#39;IV used (internal)&#39; (12 bytes) [00:00:13.710,388] &lt;dbg&gt; mbedtls: zephyr_mbedtls_debug: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:1186: 0000: e5 fa 89 08 00 00 00 00 00 00 00 02 ............ [00:00:13.710,723] &lt;dbg&gt; mbedtls: zephyr_mbedtls_debug: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:1188: dumping &#39;IV used (transmitted)&#39; (8 bytes) [00:00:13.711,120] &lt;dbg&gt; mbedtls: zephyr_mbedtls_debug: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:1188: 0000: 00 00 00 00 00 00 00 02 ........ [00:00:13.711,242] &lt;dbg&gt; mbedtls: zephyr_mbedtls_debug: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:1191: dumping &#39;additional data used for AEAD&#39; (13 bytes) [00:00:13.711,730] &lt;dbg&gt; mbedtls: zephyr_mbedtls_debug: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:1191: 0000: 00 00 00 00 00 00 00 02 15 03 03 00 02 ............. [00:00:13.711,853] &lt;inf&gt; mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:1193: before encrypt: msglen = zu, including 0 bytes of padding [00:00:13.712,127] &lt;dbg&gt; mbedtls: zephyr_mbedtls_debug: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:1227: dumping &#39;after encrypt: tag&#39; (16 bytes) [00:00:13.712,646] &lt;dbg&gt; mbedtls: zephyr_mbedtls_debug: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:1227: 0000: 93 9e b9 ae 5f 07 9e db dc 3c ee b7 d2 75 99 5c ...._....&lt;...u.\ [00:00:13.712,707] &lt;wrn&gt; mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:1478: &lt;= encrypt buf [00:00:13.712,860] &lt;inf&gt; mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3032: output record: msgtype = 21, version = [3:3], msglen = zu [00:00:13.712,982] &lt;dbg&gt; mbedtls: zephyr_mbedtls_debug: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3037: dumping &#39;output record sent to network&#39; (31 bytes) [00:00:13.713,500] &lt;dbg&gt; mbedtls: zephyr_mbedtls_debug: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3037: 0000: 15 03 03 00 1a 00 00 00 00 00 00 00 02 75 51 93 .............uQ. [00:00:13.713,989] &lt;dbg&gt; mbedtls: zephyr_mbedtls_debug: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3037: 0010: 9e b9 ae 5f 07 9e db dc 3c ee b7 d2 75 99 5c ..._....&lt;...u.\ [00:00:13.714,050] &lt;wrn&gt; mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2358: =&gt; flush output [00:00:13.714,172] &lt;wrn&gt; mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2372: message length: zu, out_left: zu [00:00:13.714,874] &lt;wrn&gt; mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2379: ssl-&gt;f_send() returned 31 (-0xffffffe1) [00:00:13.714,935] &lt;wrn&gt; mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2406: &lt;= flush output [00:00:13.714,996] &lt;wrn&gt; mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3085: &lt;= write record [00:00:13.715,057] &lt;wrn&gt; mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:5115: &lt;= send alert message [00:00:13.715,148] &lt;wrn&gt; mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:5985: &lt;= write close notify Network connectivity lost</pre></p> <p>&nbsp;</p> <p>So I suspect I have a bad connection towards the server.</p> <p>&nbsp;</p> <p>Could you try this at your end and see if it works now?</p> <p>&nbsp;</p> <p>Kind regards,</p> <p>Håkon</p><div style="clear:both;"></div>RE: https client error 113https://devzone.nordicsemi.com/thread/524734?ContentTypeID=1Wed, 26 Feb 2025 07:57:35 GMT137ad170-7792-4731-bb38-c0d22fbe4515:7b43d3b2-2e4c-43ca-93a0-4f838d5bfb5ashaman<p>I found&nbsp;<span>HiPKI Root CA - G1 at&nbsp;<a id="" href="https://eca.hinet.net/repository-h/download/HRCA_b64.crt">https://eca.hinet.net/repository-h/download/HRCA_b64.crt</a></span></p> <p><span>and i change CMakeLists.txt</span></p> <p><span><pre class="ui-code" data-mode="text"> cert/DigiCertGlobalG2.pem ${gen_dir}/DigiCertGlobalG2.pem.inc </pre></span></p> <p><span>to</span></p> <p><span><pre class="ui-code" data-mode="text"> cert/HRCA_b64.crt ${gen_dir}/DigiCertGlobalG2.pem.inc </pre></span></p> <p><span>connection failed.</span></p> <p><span>Same code on 9151 ok.</span></p><div style="clear:both;"></div>RE: https client error 113https://devzone.nordicsemi.com/thread/524726?ContentTypeID=1Wed, 26 Feb 2025 07:34:47 GMT137ad170-7792-4731-bb38-c0d22fbe4515:ac0ddf6d-5ebc-4cd4-81b6-abc937f11e5dshaman<p>How to add to my project? I searched Kconfig GUI and not found.</p><div style="clear:both;"></div>RE: https client error 113https://devzone.nordicsemi.com/thread/524013?ContentTypeID=1Fri, 21 Feb 2025 08:28:00 GMT137ad170-7792-4731-bb38-c0d22fbe4515:02238d32-b87c-44f7-b65a-f6fc3a0d0523H&#229;kon Alseth<p>You need to add &quot;HiPKI Root CA - G1&quot; to your project and use that for verifying this specific domain.</p> <p>Here&#39;s a screenshot from my browser when inspecting the domain:</p> <p><img style="max-height:240px;max-width:320px;" src="https://devzone.nordicsemi.com/resized-image/__size/640x480/__key/communityserver-discussions-components-files/4/pastedimage1740126473298v1.png" alt=" " /></p> <p>&nbsp;</p> <p>Kind regards,</p> <p>Håkon</p><div style="clear:both;"></div>RE: https client error 113https://devzone.nordicsemi.com/thread/523981?ContentTypeID=1Fri, 21 Feb 2025 02:04:23 GMT137ad170-7792-4731-bb38-c0d22fbe4515:fa4b9532-1a16-456d-841f-9668df3f0fecshaman<p>How? That is s<span>erver certificate, I could not ask them to change?</span></p><div style="clear:both;"></div>RE: https client error 113https://devzone.nordicsemi.com/thread/523868?ContentTypeID=1Thu, 20 Feb 2025 10:59:41 GMT137ad170-7792-4731-bb38-c0d22fbe4515:956a0fac-0f28-4ff7-b040-698cf53eb72eH&#229;kon Alseth<p>Hi,</p> <p>&nbsp;</p> [quote user="shaman"]* issuer: C=TW; O=Chunghwa Telecom Co., Ltd.; CN=HiPKI OV TLS CA - G1[/quote] <p>Could you try with &quot;HiPKI Root CA - G1&quot; instead?</p> <p>&nbsp;</p> <p>Kind regards,</p> <p>Håkon</p><div style="clear:both;"></div>RE: https client error 113https://devzone.nordicsemi.com/thread/523866?ContentTypeID=1Thu, 20 Feb 2025 10:52:53 GMT137ad170-7792-4731-bb38-c0d22fbe4515:f5ffe788-9b70-48e8-b76e-7583319ea6c6shaman<p>using the same pem file</p> <p>% curl -v -I --cacert cert/DigiCertGlobalRootG2.pem <a href="https://iot.cht.com.tw">https://iot.cht.com.tw</a><br />* Host iot.cht.com.tw:443 was resolved.<br />* IPv6: (none)<br />* IPv4: 20.188.24.130<br />* Trying 20.188.24.130:443...<br />* Connected to iot.cht.com.tw (20.188.24.130) port 443<br />* ALPN: curl offers h2,http/1.1<br />* (304) (OUT), TLS handshake, Client hello (1):<br />* CAfile: cert/DigiCertGlobalRootG2.pem<br />* CApath: none<br />* (304) (IN), TLS handshake, Server hello (2):<br />* (304) (IN), TLS handshake, Unknown (8):<br />* (304) (IN), TLS handshake, Certificate (11):<br />* (304) (IN), TLS handshake, CERT verify (15):<br />* (304) (IN), TLS handshake, Finished (20):<br />* (304) (OUT), TLS handshake, Finished (20):<br />* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384 / [blank] / UNDEF<br />* ALPN: server accepted h2<br />* Server certificate:<br />* subject: C=TW; L=\U81FA\U5317\U5E02; O=\U4E2D\U83EF\U96FB\U4FE1\U80A1\U4EFD\U6709\U9650\U516C\U53F8; CN=*.iot.cht.com.tw<br />* start date: Dec 16 09:45:19 2024 GMT<br />* expire date: Dec 16 09:45:19 2025 GMT<br />* subjectAltName: host &quot;iot.cht.com.tw&quot; matched cert&#39;s &quot;iot.cht.com.tw&quot;<br />* issuer: C=TW; O=Chunghwa Telecom Co., Ltd.; CN=HiPKI OV TLS CA - G1<br />* SSL certificate verify ok.<br />* using HTTP/2<br />* [HTTP/2] [1] OPENED stream for <a href="https://iot.cht.com.tw/">https://iot.cht.com.tw/</a><br />* [HTTP/2] [1] [:method: HEAD]<br />* [HTTP/2] [1] [:scheme: https]<br />* [HTTP/2] [1] [:authority: iot.cht.com.tw]<br />* [HTTP/2] [1] [:path: /]<br />* [HTTP/2] [1] [user-agent: curl/8.7.1]<br />* [HTTP/2] [1] [accept: */*]<br />&gt; HEAD / HTTP/2<br />&gt; Host: iot.cht.com.tw<br />&gt; User-Agent: curl/8.7.1<br />&gt; Accept: */*<br />&gt; <br />* Request completely sent off<br />&lt; HTTP/2 403 <br />HTTP/2 403 <br />&lt; server: nginx<br />server: nginx<br />&lt; date: Thu, 20 Feb 2025 10:51:46 GMT<br />date: Thu, 20 Feb 2025 10:51:46 GMT<br />&lt; content-type: text/html; charset=utf-8<br />content-type: text/html; charset=utf-8<br />&lt; content-length: 146<br />content-length: 146<br />&lt; strict-transport-security: max-age=31536000; includeSubDomains; preload<br />strict-transport-security: max-age=31536000; includeSubDomains; preload<br />&lt;</p> <p>* Connection #0 to host iot.cht.com.tw left intact</p><div style="clear:both;"></div>