TLS chain validation issue with ISRG Root X1 on nRF7002 using Zephyr

RE: TLS chain validation issue with ISRG Root X1 on nRF7002 using Zephyr

Lucas Heitele — Wed, 11 Jun 2025 21:41:00 GMT

Hi Håkon,

thanks a lot for your help and hints!
It turned out the issue was actually due to the mbedTLS heap size. After increasing CONFIG_MBEDTLS_HEAP_SIZE to match the https_client sample, TLS chain validation with only ISRG Root X1 now works as expected.

Appreciate your quick support!

Best regards,
Lucas

RE: TLS chain validation issue with ISRG Root X1 on nRF7002 using Zephyr

Håkon Alseth — Wed, 11 Jun 2025 07:18:19 GMT

Hi Lucas,

It is fine that you use AI to get a better overview of the situation, but please; post your input to the AI than the output from it.

Post your log output, errno 2 is ENOENT, meaning that the socket does not exist.

[quote user="Lucas Heitele"]

Neither option is present or selectable via menuconfig, and even adding them manually doesn’t work (they’re ignored).
I’m using nRF Connect SDK v2.6.0.

[/quote]

I strongly recommend that you atleast update to the latest patch version, ie v2.6.4.

[quote user="Lucas Heitele"]Are these two config options (CONFIG_MBEDTLS_PEM_PARSE_C, CONFIG_MBEDTLS_PEM_WRITE_C) actually needed for the https_client sample on nRF7002 Wi-Fi?[/quote]

I did the exact same steps as before, just altered the domain name directly in main.c.

*** Booting nRF Connect SDK v3.5.99-ncs1-4 ***
HTTPS client sample started
Bringing network interface up
Provisioning certificate
Connecting to the network
uart:~$ wifi_cred add SSID WPA2-PSK PASSWORD
uart:~$ wifi_cred auto_connect 
[00:00:53.799,316] <inf> wifi_mgmt_ext: Connection requested
Network connectivity established and IP address assigned
Looking up api.eversion.tech
Resolved 194.164.55.211 (AF_INET)
Connecting to api.eversion.tech:443
Sent 67 bytes
Received 165 bytes

>        HTTP/1.1 404 Not Found

Finished, closing socket.
Network connectivity lost
Disconnected from the network
uart:~$

Please post your changes and the log output.

Kind regards,

Håkon

RE: TLS chain validation issue with ISRG Root X1 on nRF7002 using Zephyr

pablow — Wed, 11 Jun 2025 06:44:48 GMT

Thanks. I used some of the methods to fix things! paint booth air filters

RE: TLS chain validation issue with ISRG Root X1 on nRF7002 using Zephyr

Lucas Heitele — Wed, 11 Jun 2025 06:39:06 GMT

Hi Håkon,

thanks for providing your detailed config and steps.

I tried to apply your suggestions and the patch as closely as possible, but I noticed two of the MBEDTLS config options you added were not found anywhere in my SDK/Kconfig tree:

CONFIG_MBEDTLS_PEM_PARSE_C
CONFIG_MBEDTLS_PEM_WRITE_C

Neither option is present or selectable via menuconfig, and even adding them manually doesn’t work (they’re ignored).
I’m using nRF Connect SDK v2.6.0.

My Observations:

I have the isrgrootx1.pem in the correct folder, included with the CMake macro as you described.
Everything else in the sample matches what you posted.
I also disabled IPv6 (just to match your environment).
The build works, but those two MBEDTLS configs are simply not available.
The code runs and I can establish Wi-Fi, DNS resolves, and TLS socket setup proceeds.

However, the final result is the same:
connect() still fails with error -2 (errno 2).
If I use your patched configs exactly, the two PEM options are just missing.

Question:

Are these two config options (CONFIG_MBEDTLS_PEM_PARSE_C, CONFIG_MBEDTLS_PEM_WRITE_C) actually needed for the https_client sample on nRF7002 Wi-Fi?
Or could their absence indicate something’s off with my SDK/toolchain?
Or did you maybe enable them in a different way (or with a different SDK version)?

Would appreciate any input if you have more hints or if I’m missing a step!

Thanks,
Lucas

RE: TLS chain validation issue with ISRG Root X1 on nRF7002 using Zephyr

Håkon Alseth — Mon, 19 May 2025 13:38:34 GMT

Hi,

I downloaded the isrgrootx1 from here:

https://letsencrypt.org/certs/isrgrootx1.pem

Placed it in the https_client/certs folder.

This is my modifications to the sample:

diff --git a/samples/net/https_client/CMakeLists.txt b/samples/net/https_client/CMakeLists.txt
index 2a937786ed..1de98481a2 100644
--- a/samples/net/https_client/CMakeLists.txt
+++ b/samples/net/https_client/CMakeLists.txt
@@ -14,7 +14,7 @@ set(gen_dir ${CMAKE_CURRENT_BINARY_DIR}/certs)
 zephyr_include_directories(${gen_dir})
 generate_inc_file_for_target(
     app
-    cert/DigiCertGlobalG2.pem
+    cert/isrgrootx1.pem
     ${gen_dir}/DigiCertGlobalG2.pem.inc
     )
 
diff --git a/samples/net/https_client/Kconfig b/samples/net/https_client/Kconfig
index 90ad33f42e..f56cd9fc19 100644
--- a/samples/net/https_client/Kconfig
+++ b/samples/net/https_client/Kconfig
@@ -15,7 +15,7 @@ config SAMPLE_TFM_MBEDTLS
 
 config HTTPS_HOSTNAME
        string "HTTPS hostname"
-       default "example.com"
+       default "api.eversion.tech"
 
 endmenu
 
diff --git a/samples/net/https_client/boards/nrf7002dk_nrf5340_cpuapp_ns.conf b/samples/net/https_client/boards/nrf7002dk_nrf5340_cpuapp_ns.conf
index 9eb362cb16..bf6196291f 100644
--- a/samples/net/https_client/boards/nrf7002dk_nrf5340_cpuapp_ns.conf
+++ b/samples/net/https_client/boards/nrf7002dk_nrf5340_cpuapp_ns.conf
@@ -69,3 +69,11 @@ CONFIG_MBEDTLS_TLS_LIBRARY=y
 CONFIG_TFM_PROFILE_TYPE_SMALL=y
 CONFIG_PM_PARTITION_SIZE_TFM_SRAM=0xc000
 CONFIG_PM_PARTITION_SIZE_TFM=0x20000
+CONFIG_PSA_WANT_RSA_KEY_SIZE_4096=y
+
+CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION=y
+CONFIG_MBEDTLS_SSL_RENEGOTIATION=y
+CONFIG_MBEDTLS_PEM_PARSE_C=y
+CONFIG_MBEDTLS_PEM_WRITE_C=y
+CONFIG_MBEDTLS_MPI_MAX_SIZE=2048
+CONFIG_NET_IPV6=n

And log output:

*** Booting nRF Connect SDK v2.9.1-60d0d6c8d42d ***
*** Using Zephyr OS v3.7.99-ca954a6216c9 ***
HTTPS client sample started
Bringing network interface up
Provisioning certificate
CA certificate already exists, sec tag: 42
Connecting to the network
[00:00:08.636,047] <inf> wifi_mgmt_ext: Connection requested
Network connectivity established and IP address assigned
Looking up api.eversion.tech
Resolved 194.164.55.211 (AF_INET)
Connecting to api.eversion.tech:443
Sent 67 bytes
Received 165 bytes

>        HTTP/1.1 404 Not Found

Finished, closing socket.
Network connectivity lost
Disconnected from the network

Could you try this and see if you are able to connect as well?

PS: I have disabled ipv6 on my side due to my router being misconfigured / lacking proper ipv6 support from ISP.

Kind regards,

Håkon

RE: TLS chain validation issue with ISRG Root X1 on nRF7002 using Zephyr

Lucas Heitele — Sun, 18 May 2025 11:20:01 GMT

Hi Håkon,

thank you for your reply!

I’ve double-checked the key size topic and already enabled support for RSA-4096 in my configuration:

CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_RSA_C=y
CONFIG_MBEDTLS_TLS_LIBRARY=y
CONFIG_PSA_WANT_RSA_KEY_SIZE_4096=y
CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN=y
CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_CRYPT=y
CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=y
CONFIG_MBEDTLS_PKCS1_V15=y
CONFIG_MBEDTLS_X509_CRT_PARSE_C=y
CONFIG_MBEDTLS_X509_CRL_PARSE_C=y
CONFIG_MBEDTLS_X509_CSR_PARSE_C=y

Despite that, provisioning only ISRG Root X1 (RSA 4096) via tls_credential_add(..., TLS_CREDENTIAL_CA_CERTIFICATE, ...) still leads to a failed TLS handshake (errno 22).

To answer your request:
I'm connecting to api.eversion.tech, which uses a Let's Encrypt certificate issued by R11 and chains to ISRG Root X1. You can reproduce the behavior with any server using a similar chain.

Best regards,
Lucas

RE: TLS chain validation issue with ISRG Root X1 on nRF7002 using Zephyr

Håkon Alseth — Thu, 15 May 2025 12:27:51 GMT

Hi,

I suspect the issue is due to ISRG Root X1 being a RSA-4096 certificate, and the R11 being RSA 2048.

Could you try the configs mentioned here:

RE: [nRF7002DK] HTTPS request Failed with errno: 22

And if it still fails, please let me know about which domain you're trying to connect to and I'll see if I can recreate and debug the issue locally.

Kind regards,

Håkon