TLS Credential: cannot make Amazon root CA 2 and 4 to work

RE: TLS Credential: cannot make Amazon root CA 2 and 4 to work

c.lancea — Tue, 15 Jul 2025 09:22:01 GMT

Hello,

No worries, indeed those config where necessary to reduce the heap size.
It now works and I better understand how can a tweak the config depending on our needs.
Thanks for your help.

Best regard,

Charles

RE: TLS Credential: cannot make Amazon root CA 2 and 4 to work

Simonr — Fri, 11 Jul 2025 08:13:48 GMT

Hi again

Sorry, I meant to share the memory optimized .conf file here, but it seems I forgot to add the link in my last reply: https://github.com/nrfconnect/sdk-nrf/blob/main/samples/wifi/throughput/overlay-memory-optimized.conf

Mainly what's missing is CONFIG_NRF70_RX_NUM_BUFS. The default is 48, which would explain why you need the high heap size. It can be reduced with the following from the .conf file I now shared.

CONFIG_NET_PKT_TX_COUNT=6
CONFIG_NET_PKT_RX_COUNT=6
CONFIG_NET_BUF_TX_COUNT=12
CONFIG_NET_BUF_RX_COUNT=6
CONFIG_NRF70_RX_NUM_BUFS=6

Best regards,

Simon

RE: TLS Credential: cannot make Amazon root CA 2 and 4 to work

c.lancea — Thu, 10 Jul 2025 14:32:47 GMT

Hello,

Thanks for the suggestion, however there must be some dependencies that I have missed to mention because anything less than 80000 on WIFI_DATA_HEAP_SIZE does not work.
When I say that I does not work, the device hang on boot, locked in "net_if_up" function, the function just never returns...
Here is my wifi configuration overlay:

# Wifi is nrf7002 based
CONFIG_WIFI=y
CONFIG_WIFI_NRF70=y
CONFIG_NRF70_AP_MODE=n
CONFIG_NRF70_P2P_MODE=n
CONFIG_NRF70_MAX_TX_PENDING_QLEN=12
CONFIG_NRF70_QSPI_LOW_POWER=y
CONFIG_NRF_WIFI_IF_AUTO_START=n
CONFIG_NRF_WIFI_LOW_POWER=y
CONFIG_NRF_WIFI_RPU_RECOVERY=y
CONFIG_WIFI_READY_LIB=y

# WPA supplicant
CONFIG_WIFI_NM_WPA_SUPPLICANT=y
CONFIG_WIFI_NM_WPA_SUPPLICANT_WEP=n
CONFIG_WIFI_NM_WPA_SUPPLICANT_NO_DEBUG=y

# Memory
# Must not be changed
CONFIG_HEAP_MEM_POOL_SIZE=40144
# Must not be changed 
CONFIG_NRF_WIFI_CTRL_HEAP_SIZE=20000
# This value can be changed depending on the wanted throughput of WiFi
CONFIG_NRF_WIFI_DATA_HEAP_SIZE=89000

# Networking
CONFIG_NETWORKING=y
CONFIG_NET_SOCKETS=y
CONFIG_POSIX_API=y
CONFIG_NET_IPV4=y
CONFIG_NET_UDP=y
CONFIG_NET_TCP=y
CONFIG_NET_DHCPV4=y
CONFIG_NET_CONFIG_SETTINGS=n
# CONFIG_NET_CONFIG_INIT_TIMEOUT=0
# CONFIG_NET_CONFIG_AUTO_INIT=n


CONFIG_NET_NATIVE=y
CONFIG_DNS_RESOLVER=y

# Need 16 FDs for WiFi
CONFIG_POSIX_MAX_FDS=32
CONFIG_NET_IPV6=y


# Net Management
CONFIG_NET_L2_ETHERNET=y # This is mandatory even for WIFI 
CONFIG_NET_L2_WIFI_MGMT=y
CONFIG_NET_MGMT_EVENT=y
CONFIG_NET_L2_ETHERNET_MGMT=y
CONFIG_NET_MAX_CONTEXTS=4
CONFIG_NET_SOCKETS_OFFLOAD=n

CONFIG_NET_MGMT_EVENT_QUEUE_TIMEOUT=5000

Is there anything, that could cause this higher memory requirement ?
Also, if I can boot up the device and make it communicate properly with 90000, will it still be the case after multiple net_if_up/net_if_down or if the network configuration changes ?

Thank you for your help

Have a nice day,

Charles

RE: TLS Credential: cannot make Amazon root CA 2 and 4 to work

Simonr — Thu, 10 Jul 2025 05:34:46 GMT

Hi again

Here's a suggested memory optimization overlay from our developers. For reference, setting the heap_size config to 25000 with this configuration should be sufficient for your requirement and cover up to 1Mbps throughput.

Best regards,

Simon

RE: TLS Credential: cannot make Amazon root CA 2 and 4 to work

c.lancea — Mon, 07 Jul 2025 13:00:26 GMT

Hi !

I would say the maximum that we use for now is around 0.5 Mbps.
We could make use of 1 Mbps in some case scenario.

Could you give me suggestion for both of those value ?

Thank you

RE: TLS Credential: cannot make Amazon root CA 2 and 4 to work

Simonr — Fri, 04 Jul 2025 09:16:01 GMT

Hi Charles

I spoke to the developer today, and the main dependency for WIFI_DATA_HEAP_SIZE depends on the throughput requirements of your application, so can you share some details on what throughput numbers you need/would like to see in your application, and we can come back with some suggestions for HEAP_SIZE

RE: TLS Credential: cannot make Amazon root CA 2 and 4 to work

c.lancea — Thu, 03 Jul 2025 07:57:34 GMT

Hello,

Thank you for your answers.

Indeed, I would like to know more about the recommendation for our use case, we use scan mode and station mode with WPA2, WPA2_256 and WPA3 security supported, also if relevant we use any link mode from WiFi4 to WiFi6.

Best regards,

Charles

RE: TLS Credential: cannot make Amazon root CA 2 and 4 to work

Simonr — Thu, 03 Jul 2025 07:38:31 GMT

Yes, it should be fine to manually set the CONFIG_MBEDTLS_MPI_MAX_SIZE, as it only have 256 and 384 as defaults if the CC310/312 backends are set.
mbedtls will only provide a runtime error if not enough memory is located, so trial and error is the way to go.
8000 should be sufficient if the application only does scanning, but other than that there aren't really any recommended minimum values here. If you'd like I can ask the developers, but could you share what Wi-Fi features you're using, as generic numbers will vary a lot depending on what features are used exactly.

Best regards,

Simon

RE: TLS Credential: cannot make Amazon root CA 2 and 4 to work

c.lancea — Wed, 02 Jul 2025 08:49:29 GMT

Hello,

I finally managed to make Amazon Root CA 2 work, but I still have some trouble with root CA 4.
However, I have a few question about the kConfig that I had to enable/modify.
Here is the list I had to add, note that I'm now using NCS 3.0.2.

CONFIG_MBEDTLS_HEAP_SIZE=85000

# Another way to set this ? 
CONFIG_MBEDTLS_MPI_MAX_SIZE=1024

# new 
CONFIG_NRF_SECURITY=y
CONFIG_PSA_CRYPTO_DRIVER_OBERON=y
CONFIG_PSA_WANT_ALG_SHA_384=y
CONFIG_PSA_WANT_RSA_KEY_SIZE_4096=y

# Required RSA and SHA algorithms
CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN=y
CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_CRYPT=y
CONFIG_PSA_WANT_ALG_RSA_PSS=y
CONFIG_PSA_WANT_ALG_RSA_PSS_ANY_SALT=y
CONFIG_PSA_WANT_ALG_SHA_256=y

# ECDSA
CONFIG_PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY=y
CONFIG_PSA_WANT_ALG_ECDSA=y
CONFIG_PSA_WANT_ALG_ECDSA_ANY=y
CONFIG_PSA_WANT_ECC_SECP_R1_256=y

I figured that I had to increase CONFIG_MBEDTLS_MPI_MAX_SIZE to 1024 otherwise the default value of 256 is not enough for MBEDTLS to parse the certificate. Is this the proper way of doing this ? Is there another config that I should use, instead of this one that is never mentioned in example code ?
I had to increase CONFIG_MBEDTLS_HEAP_SIZE from ~60k to 85k. Is there a way to be sure about this value other than trial and error ?
Also since we use many feature from NCS, our program is pretty RAM hungry, I had to decrease CONFIG_NRF_WIFI_DATA_HEAP_SIZE to 90k cf:

# Memory
CONFIG_HEAP_MEM_POOL_SIZE=40144
CONFIG_NRF_WIFI_CTRL_HEAP_SIZE=20000
CONFIG_NRF_WIFI_DATA_HEAP_SIZE=90000

Is there a minimum value to ensure that the wifi stack will be working properly ?

Thank you for your time

Best regard,

Charles

RE: TLS Credential: cannot make Amazon root CA 2 and 4 to work

Simonr — Tue, 24 Jun 2025 09:31:17 GMT

Ah, okay, so the SHA384 is the "main" difference then. Sorry I missed that initially. We don't have a specific sample project for using the SHA384 hash, but it should be supported. However, note that it's not supported by the Cryptocell (3xx) driver, so you will need to use the nrf-oberon driver instead. https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/security/crypto/drivers.html#crypto-drivers-oberon

Best regards,

Simon

RE: TLS Credential: cannot make Amazon root CA 2 and 4 to work

c.lancea — Mon, 23 Jun 2025 09:15:59 GMT

Hello,

Using openssl I found the following result:

Amazon Root CA 1 : "sha256WithRSAEncryption" and 2048 bit public key

Amazon Root CA 2 : "sha384WithRSAEncryption" and a 4096 bit public key

Amazon Root CA 3 : "ecdsa-with-SHA256" and a 256 bit public key

Amazon Root CA 4 : "ecdsa-with-SHA384" and a 384 bit public key

I have tried enabling some config related to sha384, 4096 bit public key and ECDSA in addition to those described in the first post but without success:

CONFIG_PSA_WANT_RSA_KEY_SIZE_4096=y
CONFIG_PSA_WANT_ALG_SHA3_384=y

# ECC
CONFIG_PSA_WANT_ALG_ECDH=y
CONFIG_PSA_WANT_ALG_ECDSA=y
CONFIG_PSA_WANT_ALG_DETERMINISTIC_ECDSA=y

CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE=y
CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT=y
CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT=y

# ECC curves
CONFIG_PSA_WANT_ECC_MONTGOMERY_255=y
CONFIG_PSA_WANT_ECC_TWISTED_EDWARDS_255=y
CONFIG_PSA_WANT_ECC_SECP_R1_224=y
CONFIG_PSA_WANT_ECC_SECP_R1_256=y
CONFIG_PSA_WANT_ECC_SECP_R1_384=y

I dived deeper in the code to see where the error comes from, the -22 error is thrown by "tls_mbedtls_set_credentials"

Hope this helps, please tell me if you need more information.

Best regards,
Charles

RE: TLS Credential: cannot make Amazon root CA 2 and 4 to work

Simonr — Mon, 23 Jun 2025 07:40:48 GMT

Hi again

I don't know the specific differences between Amazons Root certificates, so the first step here would be to find what the differences between these are, and then we can try finding out what configs are necessary to change here.

Best regards,

Simon

RE: TLS Credential: cannot make Amazon root CA 2 and 4 to work

c.lancea — Fri, 20 Jun 2025 12:37:17 GMT

Hello,

Indeed I suspected that those certificates would require different kConfig options but I have not yet found a combination that would make them at least not throw an "invalid argument' error. That is why I'm asking if is there any documentation or code example that could help us make those certificate work ?

Also, the issue I have with those certificate is the same if I put all four certificate, my socket openning fail with a -22 error before even trying to reach the server even though it has at least one working certificate that I have validated with our server (Amazon root CA 1 and 3).

Best regard,

Charles

RE: TLS Credential: cannot make Amazon root CA 2 and 4 to work

Simonr — Fri, 20 Jun 2025 12:20:02 GMT

Okay, had a chat with a couple colleauges about this, and typically, differenc certs have different cryptographic/curves and thus require different kConfig options. Also, a domain name is signed with a given chain, and at the top, a CA root. It's not expected to work to just change the root CA and keep the domain name the same.

Best regards,

Simon

RE: TLS Credential: cannot make Amazon root CA 2 and 4 to work

c.lancea — Thu, 19 Jun 2025 14:00:38 GMT

Hello,

Yes I am reffering to this lesson, but I am actually testing within our project that is why I posted the .conf we use for wifi/http/tls.

What I mean by "replacing the Amazon Root CA" is that the tls socket opening works perfecty when using both Amazon Root CA 1 and 3. But if I use any combinaison of certificates containing Amazon root CA 2 and 4 the tls socket opening will fail with a -22 error.
Those certificate come from the "Amazon trust services repository" and are converted to a header using the same script that we use for Root CA 1 and 3 which works.

I have already verified that the data in the header is similar to each .pem before conversion.

What I was wondering is if any exemple exist where certificate that uses SHA384 are working, or If you could help us with our .conf to make it work.

RE: TLS Credential: cannot make Amazon root CA 2 and 4 to work

Simonr — Thu, 19 Jun 2025 13:23:00 GMT

I assume you're referring to the lesson 5, exercise 2 project in DevAcademy here, correct? Can you explain what you mean by "replacing the Amazon Root CA"? Error message -22 points to there being an invalid argument somewhere, so can you confirm the certificate you replace it with is a valid replacement?

Best regards,

Simon