Enabling the TLS layer to get an HTTPS connection going.

Attachments: 7343.nrf7002dk_nrf5340_cpuapp_ns.conf, 3124.prj.conf

Hello everyone.

We're trying to make an HTTPS connection to google.com and execute a GET request.

Wi-Fi connection is working; DHCP seems to be working (my personal assumption, given the log message we get: "Resolved: [(1, 1, 6, '', ('142.250.201.206', 443))]", which indicates that getaddrinfo() works); but when trying to initiate the socket via TLS, something strange happens: we get the error "OSError: 109".

Inserting some debug prints inside subsys/net/lib/sockets/, we found the culprit to be the function "int zsock_setsockopt_ctx(struct net_context *ctx, int level, int optname, const void *optval, socklen_t optlen)".

The function call that triggers error 109 is:  res = setsockopt(socket->ctx, SOL_TLS, TLS_PEER_VERIFY, &verify, sizeof(verify));

No matter what other option we try to set via setsockopt(), it fails with error 109, since the implementation of setsockopt() is somehow resolved to sockets_inet.c (whose implementation does not recognise SOL_TLS as valid in its switches) instead of sockets_tls.c (which has handling for SOL_TLS in its switches). My personal hunch is that the config options set in the project are somehow wrong. Can someone please take a look over our .conf files? Maybe we can find the culprit. :)

We can provide any extra code snippets that are necessary for debugging and/or run any tests. Have a great day and hope to hear from you soon!

  • Hi,

     

    I used net/https_client for this exercise.

    You need to download r1.pem from here: https://pki.goog/repository/

     

    Place this in certs/ folder, and make sure that you change the file in CMakeLists.txt, change the domain in kconfig, and add the required configurations in the board .conf file:

    diff --git a/samples/net/https_client/CMakeLists.txt b/samples/net/https_client/CMakeLists.txt
    index 2a937786ed..39276fd2e2 100644
    --- a/samples/net/https_client/CMakeLists.txt
    +++ b/samples/net/https_client/CMakeLists.txt
    @@ -14,7 +14,7 @@ set(gen_dir ${CMAKE_CURRENT_BINARY_DIR}/certs)
     zephyr_include_directories(${gen_dir})
     generate_inc_file_for_target(
         app
    -    cert/DigiCertGlobalG2.pem
    +    cert/r1.pem
         ${gen_dir}/DigiCertGlobalG2.pem.inc
         )
     
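Review bot: the generated include keeps the name ${gen_dir}/DigiCertGlobalG2.pem.inc although the input is now cert/r1.pem, so whichever source file includes "DigiCertGlobalG2.pem.inc" will embed the Google root under a DigiCert name; rename the output (e.g. ${gen_dir}/r1.pem.inc) and update the #include so the trust anchor is identifiable by name. Also, the prose above says to place the file in the certs/ folder while the hunk reads cert/r1.pem; the path in CMakeLists.txt has to match the directory that actually exists in the sample, otherwise the build fails at generate_inc_file_for_target.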
    diff --git a/samples/net/https_client/Kconfig b/samples/net/https_client/Kconfig
    index 90ad33f42e..bb22e82794 100644
    --- a/samples/net/https_client/Kconfig
    +++ b/samples/net/https_client/Kconfig
    @@ -15,7 +15,7 @@ config SAMPLE_TFM_MBEDTLS
     
     config HTTPS_HOSTNAME
            string "HTTPS hostname"
    -       default "example.com"
    +       default "google.com"
     
     endmenu
     
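Review bot: changing the Kconfig default changes the sample for every board and build; the same effect without editing Kconfig is a single line CONFIG_HTTPS_HOSTNAME="google.com" in the board .conf or prj.conf, which also keeps the hostname next to the certificate it has to agree with (the r1.pem installed in the previous hunk), since this string is what the client connects to and, presumably, what the sample hands to the TLS layer for hostname verification.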
    diff --git a/samples/net/https_client/boards/nrf7002dk_nrf5340_cpuapp_ns.conf b/samples/net/https_client/boards/nrf7002dk_nrf5340_cpuapp_ns.conf
    index 9eb362cb16..8366313af8 100644
    --- a/samples/net/https_client/boards/nrf7002dk_nrf5340_cpuapp_ns.conf
    +++ b/samples/net/https_client/boards/nrf7002dk_nrf5340_cpuapp_ns.conf
    @@ -69,3 +69,20 @@ CONFIG_MBEDTLS_TLS_LIBRARY=y
     CONFIG_TFM_PROFILE_TYPE_SMALL=y
     CONFIG_PM_PARTITION_SIZE_TFM_SRAM=0xc000
     CONFIG_PM_PARTITION_SIZE_TFM=0x20000
    +
    +CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION=y
    +CONFIG_MBEDTLS_SSL_RENEGOTIATION=y
    +CONFIG_MBEDTLS_SSL_MAX_FRAGMENT_LENGTH=y
    +CONFIG_MBEDTLS_SSL_SESSION_TICKETS=y
    +CONFIG_PSA_WANT_RSA_KEY_SIZE_4096=y
    +CONFIG_MBEDTLS_MPI_MAX_SIZE=512
    +
    +CONFIG_LOG=y
    +CONFIG_MBEDTLS_DEBUG=y
    +CONFIG_MBEDTLS_SSL_DEBUG_ALL=y
    +CONFIG_MBEDTLS_LOG_LEVEL_DBG=y
    +CONFIG_MBEDTLS_DEBUG_C=y
    +CONFIG_MBEDTLS_DEBUG_LEVEL=4
    +# Handle the large influx of prints
    +CONFIG_LOG_BUFFER_SIZE=16384
    +CONFIG_LOG_BACKEND_UART=y
    
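Review bot: CONFIG_MBEDTLS_SSL_RENEGOTIATION=y is not needed for a client that performs one GET and only adds handshake code and attack surface; drop it unless the server is known to require it. The debug block (CONFIG_MBEDTLS_DEBUG=y, CONFIG_MBEDTLS_SSL_DEBUG_ALL=y, CONFIG_MBEDTLS_DEBUG_LEVEL=4 plus the 16 KiB log buffer) prints handshake internals to the UART and costs flash, so it belongs in a separate overlay passed with -DEXTRA_CONF_FILE=... rather than in the board .conf that every build picks up. CONFIG_PSA_WANT_RSA_KEY_SIZE_4096=y and CONFIG_MBEDTLS_MPI_MAX_SIZE=512 are presumably there because r1.pem carries a 4096-bit RSA key; a comment saying so would tell a reader switching to an EC root that both can go.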

    I also needed to add CONFIG_NET_IPV6=n due to a local network issue at my end.

     

    Kind regards,

    Håkon
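Two things in this thread can be checked mechanically, and the script below does so. It is an added example for this thread, not code from the poster, from Nordic's https_client sample, from Zephyr or from MicroPython. First, the original question: in Zephyr only a socket created with IPPROTO_TLS_1_2 (or the TLS 1.3/DTLS variants) in a build with CONFIG_NET_SOCKETS_SOCKOPT_TLS=y is served by sockets_tls.c; a plain IPPROTO_TCP socket stays in sockets_inet.c, whose setsockopt() has no SOL_TLS case, and 109 is ENOPROTOOPT in Zephyr's errno.h, which is consistent with that symptom. Second, the board .conf in the reply above mixes options the handshake needs with debug-only options that print handshake internals and cost flash. The script merges Kconfig fragments with the later-file-wins rule Zephyr applies to prj.conf followed by boards/<board>.conf, reports required symbols that are missing and debug symbols that are still on, and emits a fragment to append. The required-symbol list, the debug list and the two sample fragments are assumptions constructed for the example; check the list against the Kconfig of your SDK version, because Kconfig `select`/`depends on` relations are not modelled here.

```python
"""Merge Zephyr Kconfig fragments and check the TLS-socket path.

Added example for this thread; not code from Zephyr, NCS or MicroPython.
"""
import re
from typing import Dict, List, Sequence, Tuple

# Assumed minimal symbol set for a socket created with IPPROTO_TLS_1_2 to be
# dispatched to sockets_tls.c rather than sockets_inet.c. Assumption: verify
# against the Kconfig of your Zephyr/NCS version.
REQUIRED_FOR_TLS_SOCKETS: Tuple[str, ...] = (
    "CONFIG_NETWORKING",
    "CONFIG_NET_SOCKETS",
    "CONFIG_NET_SOCKETS_SOCKOPT_TLS",
    "CONFIG_MBEDTLS",
    "CONFIG_TLS_CREDENTIALS",
)

# Debug-only symbols taken from the board .conf in the thread: they print
# handshake internals to the log and cost flash. Value is the safe setting.
DEBUG_ONLY: Dict[str, str] = {
    "CONFIG_MBEDTLS_DEBUG": "n",
    "CONFIG_MBEDTLS_SSL_DEBUG_ALL": "n",
    "CONFIG_MBEDTLS_DEBUG_C": "n",
    "CONFIG_MBEDTLS_LOG_LEVEL_DBG": "n",
    "CONFIG_MBEDTLS_DEBUG_LEVEL": "0",
}

_SET = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_NOT_SET = re.compile(r"^#\s*(CONFIG_[A-Za-z0-9_]+) is not set\s*$")


def parse_fragment(text: str) -> List[Tuple[str, str]]:
    """Return (symbol, value) pairs in file order.

    'CONFIG_X=y' -> ('CONFIG_X', 'y'); '# CONFIG_X is not set' -> ('CONFIG_X', 'n');
    quoted string values are unquoted; other comments and blank lines are skipped.
    """
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _NOT_SET.match(line)
        if m:
            pairs.append((m.group(1), "n"))
            continue
        if line.startswith("#"):
            continue
        m = _SET.match(line)
        if m:
            pairs.append((m.group(1), m.group(2).strip().strip('"')))
    return pairs


def merge(fragments: Sequence[str]) -> Dict[str, str]:
    """Later fragments win, as with prj.conf followed by boards/<board>.conf."""
    merged: Dict[str, str] = {}
    for text in fragments:
        for sym, val in parse_fragment(text):
            merged[sym] = val
    return merged


def check_tls_config(merged: Dict[str, str]) -> Dict[str, List[str]]:
    """Report required symbols that are not 'y' and debug symbols left on."""
    missing = [s for s in REQUIRED_FOR_TLS_SOCKETS if merged.get(s) != "y"]
    debug_on = [s for s in DEBUG_ONLY if merged.get(s, "n") not in ("n", "0")]
    return {"missing": missing, "debug_enabled": debug_on}


def suggested_fragment(report: Dict[str, List[str]]) -> str:
    """Kconfig lines to append so that the report comes back clean."""
    lines = [f"{s}=y" for s in report["missing"]]
    lines += [f"{s}={DEBUG_ONLY[s]}" for s in report["debug_enabled"]]
    return "".join(line + "\n" for line in lines)


# Constructed fragments for the example (not the poster's attached files).
PRJ_CONF = """\
CONFIG_NETWORKING=y
CONFIG_NET_SOCKETS=y
CONFIG_NET_TCP=y
CONFIG_MBEDTLS=y
# CONFIG_NET_SOCKETS_SOCKOPT_TLS is not set
"""

BOARD_CONF = """\
CONFIG_TFM_PROFILE_TYPE_MINIMAL=y
CONFIG_MBEDTLS_DEBUG=y
CONFIG_MBEDTLS_SSL_DEBUG_ALL=y
CONFIG_MBEDTLS_DEBUG_LEVEL=4
CONFIG_LOG_BUFFER_SIZE=16384
"""

if __name__ == "__main__":
    report = check_tls_config(merge([PRJ_CONF, BOARD_CONF]))
    print("missing for TLS sockets:", report["missing"])
    print("debug-only symbols enabled:", report["debug_enabled"])
    print("append to the board .conf:\n" + suggested_fragment(report), end="")
    fixed = merge([PRJ_CONF, BOARD_CONF, suggested_fragment(report)])
    print("after fix:", check_tls_config(fixed))
```

To run it against real files, pass the contents of prj.conf and boards/nrf7002dk_nrf5340_cpuapp_ns.conf (in that order) to merge(). A clean report is necessary but not sufficient: the socket itself still has to be opened with IPPROTO_TLS_1_2, which a .conf check cannot see, and the credential has to be registered under the sec_tag passed in TLS_SEC_TAG_LIST before connect().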

  • There are many options and suboptions in the link you sent me. Which one is the correct one?

    When attempting to get it working, I got r1.der and then created r1.der.inc. But I'm not sure which option I chose.

  • Thank you! Sadly, when I add those config options, I get a DNS error:
    DNS Error: 536969132

    Without them, DNS successfully resolves google.com:
    Resolved: [(1, 1, 6, '', ('142.250.180.206', 443))]

  • Hi,

     

    Could you try with https_client first, to see if this works there?

    Add the cmd's (assuming WPA2) to store your SSID like this:

    wifi_cred add -s SSID -k 1 -p PASSWORD
    wifi_cred auto_connect

     

    Kind regards,

    Håkon

  • Hey there Håkon,

    I tried those commands, but I had to alter them a bit to get them to work on SDK v3.0.0. More specifically:
    wifi cred add -s SSID -k 1 -p PASSWORD
    wifi cred auto_connect

    Also, this is my log from running them:

    uart:~$ wifi cred auto_connect
    uart:~$
    uart:~$
    uart:~$
    uart:~$
    uart:~$
    --- 50 messages dropped ---
    00 00 --- 67 messages dropped ---
    01 17 00 04 17 d7 00 8a c0 0c 00 01 00 01 00 00 00 f7 00 10 26 00 14 06 3a 00 00 21 00 00 00 00 17 3e 2e 65 c0 0c 00 1c 00 01 00
    uart:~$
    Sent 61 bytes
    Received 318 bytes
    
    > HTTP/1.1 200 OK
    
    Finished, closing socket.
    Disconnected
    Network connectivity lost
    Disconnected from the network
    uart:~$
    uart:~$
    uart:~$

  • Also worth noting: by taking the https_client sample's config as a 1-to-1 reference, we overflow by ~130 kB (region `FLASH' overflowed by 138084 bytes). I assume this is due to the more "generous" sizes in the example. Are they truly necessary?

  • Hi,

     

    Tudor B. said:
    we overflow by ~130kb (region `FLASH' overflowed by 138084 bytes).

    I am not sure what you enable in your build, but it should not overflow if using one of the supported boards, i.e. nrf7002dk/nrf5340/cpuapp/ns for instance.

    Additional mbedtls debug logs can safely be disabled, but is useful if debugging why you cannot connect to a given domain.

     

    Tudor B. said:

    I tried those commands, but I had to alter them a bit to get them to work on SDK v3.0.0. More specifically:
    wifi cred add -s SSID -k 1 -p PASSWORD
    wifi cred auto_connect

    Also, this is my log from running them:

    Your log shows a successful connection to google:

    Sent 61 bytes
    Received 318 bytes
    
    > HTTP/1.1 200 OK
    
    Finished, closing so

     

    Kind regards,

    Håkon

  • Your log shows a successful connection to google:

    Yes, it worked; what I wanted to point out was that the commands you provided don't work, but need to be edited like I mentioned. Trying your commands without any alterations produces:

    uart:~$ wifi_cred add -s TP-Link_7474 -k 1 -p 55920322
    wifi_cred: command not found
    uart:~$ wifi_cred auto_connect
    wifi_cred: command not found
    uart:~$

    I am not sure what you enable in your build, but it should not overflow if using one of the supported boards, ie. nrf7002dk/nrf5340/cpuapp/ns for instance.

    We're using that configuration specifically. But we're also trying to integrate MicroPython. Having a full-stack Wi-Fi (STA, AP mode, HTTPS socket connection) and MicroPython itself required that we use "CONFIG_TFM_PROFILE_TYPE_MINIMAL=y", which reduces its ROM and RAM footprint to 32 kB each.

    Regarding what exactly is configured in the project: I've attached the prj.conf and the board.conf files to this post. I can attach any other necessary file that you deem useful.

    Is it possible to have a call via Teams/ Google Meet/ etc.? I'm sure the problem would be solved way faster. ;)

    Edit: while building I luckily saw this interesting warning:

    Restore: CONFIG_MBEDTLS_THREADING_ALT: False
    =========== End psa_crypto_library_config ===============
    -- Using ccache: /opt/homebrew/bin/ccache
    CMake Warning at /opt/nordic/ncs/v3.0.0/zephyr/CMakeLists.txt:1002 (message):
      No SOURCES given to Zephyr library:
      ..__nrf__subsys__net__lib__tls_credentials
    
      Excluding target from build.
    
    
    -- Found Python3: /opt/homebrew/bin/python3 (found version "3.13.3") found components: Interpreter
    -- Configuring done (8.1s)
    -- Generating done (0.7s)
    -- Build files have been written to: /Users/tudor/Documents/GitHub/micropython_nRF/ports/zephyr/build/zephyr
    -- Configuring done (13.0s)
    -- Generating done (0.0s)

    Could this contribute to what we suspect is the main issue, namely that sockets_inet.c is selected when building instead of sockets_tls.c?
