TLS bug in Nordic security backend?

I have been trying to use the Nordic security backend with the MQTT library (TLS transport). However, after I finally got everything to build, I am now getting runtime errors (unable to connect). The code works fine when I use CONFIG_MBEDTLS_BUILTIN=y, it only fails when I use CONFIG_NORDIC_SECURITY_BACKEND=y and CONFIG_NRF_SECURITY=y.

Logs: 

[00:02:33.000,427] <dbg> net_mqtt_sock_tls: mqtt_client_tls_connect: (main): Created socket 5
[00:02:33.146,606] <err> net_sock_tls: Failed to parse CA certificate, err: -0x262e
[00:02:33.147,644] <err> app_mqtt: MQTT Connect failed [-22]
[00:02:34.148,376] <dbg> net_mqtt_sock_tls: mqtt_client_tls_connect: (main): Created socket 5
[00:02:34.286,621] <err> net_sock_tls: Failed to parse CA certificate, err: -0x262e
[00:02:34.287,658] <err> app_mqtt: MQTT Connect failed [-22]
[00:02:35.288,391] <dbg> net_mqtt_sock_tls: mqtt_client_tls_connect: (main): Created socket 5
[00:02:35.416,778] <err> net_sock_tls: Failed to parse CA certificate, err: -0x262e
[00:02:35.417,816] <err> app_mqtt: MQTT Connect failed [-22]
[00:02:36.418,518] <dbg> net_mqtt_sock_tls: mqtt_client_tls_connect: (main): Created socket 5
[00:02:36.556,610] <err> net_sock_tls: Failed to parse CA certificate, err: -0x262e
[00:02:36.557,647] <err> app_mqtt: MQTT Connect failed [-22]

Server logs (Mosquitto):

1746745615: New connection from 200.88.239.106:56149 on port 8883.
1746745615: OpenSSL Error[0]: error:0A000126:SSL routines::unexpected eof while reading
1746745615: Client <unknown> disconnected: Protocol error.
1746745616: Client connection from 200.88.239.106 failed: error:0A000126:SSL routines::unexpected eof while reading.
1746745617: Client connection from 200.88.239.106 failed: error:0A000126:SSL routines::unexpected eof while reading.
1746745618: Client connection from 200.88.239.106 failed: error:0A000126:SSL routines::unexpected eof while reading.
1746745620: New connection from 200.88.239.106:49703 on port 8883.
1746745620: OpenSSL Error[0]: error:0A000126:SSL routines::unexpected eof while reading
1746745620: Client <unknown> disconnected: Protocol error.
1746745621: New connection from 200.88.239.106:23860 on port 8883.
1746745621: OpenSSL Error[0]: error:0A000126:SSL routines::unexpected eof while reading
1746745621: Client <unknown> disconnected: Protocol error.

I'm wondering if I can fix this by tweaking my proj.conf or whether there might be a bug somewhere in the NRF security libraries? I am using a PEM certificate.

In case it helps, I published my code here: https://github.com/olalonde/mqtt-tls-sample/ It assumes you have an nrf52840 + simcom a7670 modem connected via UART but it wouldn't be too hard to add an overlay for another modem.

  • I created a new CA cert that is 2048 bit instead of 4096. But now getting new error:

    [00:06:39.400,146] <dbg> net_mqtt_sock_tls: mqtt_client_tls_connect: (main): Created socket 5
    [00:06:40.211,578] <err> net_sock_tls: TLS handshake error: -0x2700
    [00:06:40.224,151] <err> app_mqtt: MQTT Connect failed [-113]

    Server log:

    1747278147: New connection from 190.167.227.62:35871 on port 8883.
    1747278148: OpenSSL Error[0]: error:0A000412:SSL routines::ssl/tls alert bad certificate
    1747278148: Client <unknown> disconnected: Protocol error.

    The server log is a bit strange since it looks as if the MQTT client was trying to use a client side certificate whereas I didn't enable that anywhere.

  • Managed to fix the issue. Not sure if those steps were all necessary but it works now:

    1) regenerated a 2048 bit cert instead of 4096 one

    2) add the following configs:

    CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN=16384
    CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN=16384
    CONFIG_MBEDTLS_RSA_C=y

    3) Use CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION instead of CONFIG_MBEDTLS_SERVER_NAME_INDICATION (the secure MQTT sample uses CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION in the code so I had to modify some code too).
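The `-0x262e` and `-0x2700` values in the logs above are mbedTLS return codes, which pack a high-level (module) error and an optional low-level error into one negative number. This added decoder (not part of the original post or of the mqtt-tls-sample repository) splits them the way `mbedtls_strerror` does; the constant table is limited to the X.509 and OID codes that appear in this thread, and the sample log lines are constructed from the format shown above.

```python
import re
from typing import Optional, Tuple

# High-level (module) codes live in bits 7..15 of the magnitude; a low-level code
# from another module may be added to them (values from mbedtls x509.h / oid.h).
HIGH_LEVEL = {
    0x2600: "MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG (signature algorithm OID unsupported)",
    0x2700: "MBEDTLS_ERR_X509_CERT_VERIFY_FAILED (certificate verification failed)",
}
LOW_LEVEL = {
    0x002E: "MBEDTLS_ERR_OID_NOT_FOUND (OID is not found)",
}

# Constructed sample lines in the net_sock_tls log format used in this thread.
SAMPLE_LOG = [
    "[00:02:33.146,606] <err> net_sock_tls: Failed to parse CA certificate, err: -0x262e",
    "[00:06:40.211,578] <err> net_sock_tls: TLS handshake error: -0x2700",
]


def split_mbedtls_error(ret: int) -> Tuple[int, int]:
    """Return (high, low) magnitudes for a negative mbedTLS return code."""
    if ret >= 0:
        raise ValueError("mbedTLS error codes are negative")
    mag = -ret
    return mag & 0xFF80, mag & 0x007F


def describe(ret: int) -> str:
    """Human-readable breakdown, e.g. -0x262e -> UNKNOWN_SIG_ALG + OID_NOT_FOUND."""
    high, low = split_mbedtls_error(ret)
    parts = []
    if high:
        parts.append(HIGH_LEVEL.get(high, f"unknown high-level code -0x{high:04x}"))
    if low:
        parts.append(LOW_LEVEL.get(low, f"unknown low-level code -0x{low:04x}"))
    return f"-0x{-ret:04x}: " + " + ".join(parts)


def describe_log_line(line: str) -> Optional[str]:
    """Extract the '-0xNNNN' code from a Zephyr TLS log line and decode it."""
    m = re.search(r"-0x([0-9a-fA-F]+)", line)
    if not m:
        return None
    return describe(-int(m.group(1), 16))


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(describe_log_line(line))
```

The first code decodes to an unsupported signature algorithm OID, which is consistent with the RSA module not being compiled in before `CONFIG_MBEDTLS_RSA_C=y` was added; the second is a plain certificate verification failure.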
