Enabling the TLS layer to get a HTTPS connection going.

Hi,

I used net/https_client for this exercise.

You need to download r1.pem from here: https://pki.goog/repository/

Place this in certs/ folder, and make sure that you change the file in CMakeLists.txt, change the domain in kconfig, and add the required configurations in the board .conf file:

diff --git a/samples/net/https_client/CMakeLists.txt b/samples/net/https_client/CMakeLists.txt
index 2a937786ed..39276fd2e2 100644
--- a/samples/net/https_client/CMakeLists.txt
+++ b/samples/net/https_client/CMakeLists.txt
@@ -14,7 +14,7 @@ set(gen_dir ${CMAKE_CURRENT_BINARY_DIR}/certs)
 zephyr_include_directories(${gen_dir})
 generate_inc_file_for_target(
     app
-    cert/DigiCertGlobalG2.pem
+    cert/r1.pem
     ${gen_dir}/DigiCertGlobalG2.pem.inc
     )
 
diff --git a/samples/net/https_client/Kconfig b/samples/net/https_client/Kconfig
index 90ad33f42e..bb22e82794 100644
--- a/samples/net/https_client/Kconfig
+++ b/samples/net/https_client/Kconfig
@@ -15,7 +15,7 @@ config SAMPLE_TFM_MBEDTLS
 
 config HTTPS_HOSTNAME
        string "HTTPS hostname"
-       default "example.com"
+       default "google.com"
 
 endmenu
 
diff --git a/samples/net/https_client/boards/nrf7002dk_nrf5340_cpuapp_ns.conf b/samples/net/https_client/boards/nrf7002dk_nrf5340_cpuapp_ns.conf
index 9eb362cb16..8366313af8 100644
--- a/samples/net/https_client/boards/nrf7002dk_nrf5340_cpuapp_ns.conf
+++ b/samples/net/https_client/boards/nrf7002dk_nrf5340_cpuapp_ns.conf
@@ -69,3 +69,20 @@ CONFIG_MBEDTLS_TLS_LIBRARY=y
 CONFIG_TFM_PROFILE_TYPE_SMALL=y
 CONFIG_PM_PARTITION_SIZE_TFM_SRAM=0xc000
 CONFIG_PM_PARTITION_SIZE_TFM=0x20000
+
+CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION=y
+CONFIG_MBEDTLS_SSL_RENEGOTIATION=y
+CONFIG_MBEDTLS_SSL_MAX_FRAGMENT_LENGTH=y
+CONFIG_MBEDTLS_SSL_SESSION_TICKETS=y
+CONFIG_PSA_WANT_RSA_KEY_SIZE_4096=y
+CONFIG_MBEDTLS_MPI_MAX_SIZE=512
+
+CONFIG_LOG=y
+CONFIG_MBEDTLS_DEBUG=y
+CONFIG_MBEDTLS_SSL_DEBUG_ALL=y
+CONFIG_MBEDTLS_LOG_LEVEL_DBG=y
+CONFIG_MBEDTLS_DEBUG_C=y
+CONFIG_MBEDTLS_DEBUG_LEVEL=4
+# Handle the large influx of prints
+CONFIG_LOG_BUFFER_SIZE=16384
+CONFIG_LOG_BACKEND_UART=y

I also need to add CONFIG_NET_IPV6=n due to a local network issue at my end.

Kind regards,

Håkon

There are many options and suboptions in the link you sent me. Which one is the correct one?

When attempting to get it working, I got r1.der and then created r1.der.inc. But I'm not sure which option I chose.

There are many options and suboptions in the link you sent me. Which one is the correct one?

When attempting to get it working, I got r1.der and then created r1.der.inc. But I'm not sure which option I chose.

This one:

Kind regards,

Håkon

Thank you! Sadly, when I add those config options, I get a DNS error:
DNS Error: 536969132

Without them, DNS successfully resolves google.com:
Resolved: [(1, 1, 6, '', ('142.250.180.206', 443))]

Hi,

Could you try with https_client first, to see if this works there?

Add the cmd's (assuming WPA2) to store your SSID like this:

wifi_cred add -s SSID -k 1 -p PASSWORD
wifi_cred auto_connect

Kind regards,

Håkon

Hey there Håkon,

I tried those commands, but I had to alter them a bit to get them to work on SDK v3.0.0. More specifically:
wifi cred add -s SSID -k 1 -p PASSWORD
wifi cred auto_connect

Also, this is my log from running them:

uart:~$ wifi cred auto_connect
uart:~$
uart:~$
uart:~$
uart:~$
uart:~$
--- 50 messages dropped ---
00 00 --- 67 messages dropped ---
01 17 00 04 17 d7 00 8a c0 0c 00 01 00 01 00 00 00 f7 00 10 26 00 14 06 3a 00 00 21 00 00 00 00 17 3e 2e 65 c0 0c 00 1c 00 01 00
uart:~$
Sent 61 bytes
Received 318 bytes

> HTTP/1.1 200 OK

Finished, closing socket.
Disconnected
Network connectivity lost
Disconnected from the network
uart:~$
uart:~$
uart:~$

Also worth noting: by taking the https_client sample's config as a 1-to-1 reference, we overflow by ~130kb (region `FLASH' overflowed by 138084 bytes). I assume this is to the more "generous" sizes in the example. Are they truly necessary?