Undefined mbedtls_ssl_* references when enabling CONFIG_NRF_SECURITY=y and CONFIG_BT=y (NCS v3.0.2)

Hi,

Can you describe your setup?

Which board did you build the sample for?

Can you show your build configuration, build command and provide complete build log?

When I enable the following configs:

CONFIG_NRF_SECURITY=y
CONFIG_BT=y

Have you added these Kconfigs manually? Where have you added these options to?

Best regards,
Dejan

I'm building for custom board, it's similar to nrf5340dk.
Build command: west build -b board_flex/nrf5340/cpuapp samples/net/sockets/http_client --pristine

Here's the updated prj.conf:

########################################
# 📄 Project Configuration - prj.conf
# Author: Usama Shafiq
# Created: 2025-08-11
# Description: prj.conf for FLEX project
########################################

########################################
# 🔌 Peripheral & Drivers
########################################
# CONFIG_SPI=y
# CONFIG_SPI_NRFX=y
# # CONFIG_NRFX_SPIM2=y
# CONFIG_CLOCK_CONTROL_NRF_K32SRC_XTAL=y
# # CONFIG_ADC=y
# CONFIG_SERIAL=y
# CONFIG_CONSOLE=y
# CONFIG_UART_CONSOLE=y
# CONFIG_REBOOT=y

########################################
# 🔋 Power Management
########################################
# CONFIG_PM_DEVICE=y
# CONFIG_SYS_CLOCK_EXISTS=y
# CONFIG_PM_EXTERNAL_FLASH_MCUBOOT_SECONDARY=n

# ########################################
# # 📡 Bluetooth Configuration
# ########################################
# CONFIG_BT=y
# CONFIG_BT_PERIPHERAL=y
# CONFIG_BT_CENTRAL=y
# CONFIG_BT_SCAN=y
# CONFIG_BT_SCAN_FILTER_ENABLE=y
# CONFIG_BT_SCAN_UUID_CNT=10
# CONFIG_BT_SCAN_ADDRESS_CNT=10
# CONFIG_BT_SCAN_NAME_CNT=10
# CONFIG_BT_GATT_DM=y
# CONFIG_BT_GATT_CLIENT=y

# CONFIG_BT_DEVICE_NAME="SB Connect"
# # CONFIG_BT_DEVICE_NAME="SB PINPAD"
# CONFIG_BT_DEVICE_NAME_DYNAMIC=n
# CONFIG_BT_DEVICE_APPEARANCE=832
# CONFIG_BT_MAX_CONN=10
# CONFIG_BT_MAX_PAIRED=10
# CONFIG_BT_EXT_ADV=y

# CONFIG_BT_CONN_PARAM_UPDATE_TIMEOUT=10000
# CONFIG_BT_CONN_PARAM_RETRY_COUNT=6
# CONFIG_BT_CONN_PARAM_RETRY_TIMEOUT=10000
# CONFIG_BT_CREATE_CONN_TIMEOUT=10

# CONFIG_BT_L2CAP_TX_MTU=251
# CONFIG_BT_BUF_ACL_RX_SIZE=256
# CONFIG_BT_BUF_ACL_TX_SIZE=256
# CONFIG_BT_BUF_ACL_RX_COUNT=10
# CONFIG_BT_BUF_ACL_TX_COUNT=10
# CONFIG_BT_PHY_UPDATE=n

########################################
# 📱 Bluetooth DIS (Device Info Service)
########################################
# CONFIG_BT_DIS=y
# CONFIG_BT_DIS_PNP=n
# CONFIG_BT_DIS_FW_REV=y
# CONFIG_BT_DIS_FW_REV_STR="0.0.5"         
# CONFIG_BT_DIS_HW_REV=y
# CONFIG_BT_DIS_HW_REV_STR="1"

# ########################################
# # 💾 File System
# ########################################
# CONFIG_FILE_SYSTEM=y
# CONFIG_FILE_SYSTEM_LITTLEFS=y

########################################
# 🔑 Security & Crypto
########################################
CONFIG_NRF_SECURITY=y
CONFIG_CRYPTO=y
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
CONFIG_MBEDTLS_ENABLE_HEAP=y

CONFIG_PSA_CRYPTO_DRIVER_OBERON=y
# CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE=y
CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE=y
CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT=y
CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT=y
CONFIG_PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY=y
CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN=y
CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_CRYPT=y
CONFIG_PSA_WANT_ALG_SHA_256=y
CONFIG_PSA_WANT_RSA_KEY_SIZE_2048=y

########################################
# 🔄 MCUboot & DFU
########################################
CONFIG_BOOTLOADER_MCUBOOT=y
CONFIG_MCUMGR=y
CONFIG_BT_DFU_SMP=y
CONFIG_MCUMGR_GRP_IMG=y
CONFIG_MCUMGR_GRP_OS_MCUMGR_PARAMS=y
CONFIG_MCUMGR_TRANSPORT_BT=y
CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW=n
CONFIG_MCUMGR_TRANSPORT_BT_CONN_PARAM_CONTROL=y
CONFIG_MCUMGR_TRANSPORT_BT_REASSEMBLY=y
CONFIG_NCS_SAMPLE_MCUMGR_BT_OTA_DFU=y

########################################
# 💾 Flash & Settings
########################################
# CONFIG_FLASH=y
# CONFIG_FLASH_MAP=y
# CONFIG_FLASH_PAGE_LAYOUT=y
# CONFIG_SETTINGS=y
# CONFIG_IMG_MANAGER=y
# CONFIG_STREAM_FLASH=y
# CONFIG_NET_BUF=y
# CONFIG_ZCBOR=y

########################################
# ⚙️ System & Memory
########################################
CONFIG_THREAD_NAME=y
CONFIG_MAIN_STACK_SIZE=8192
CONFIG_HEAP_MEM_POOL_SIZE=20480 
# CONFIG_MBEDTLS_HEAP_SIZE=10240
CONFIG_MBEDTLS_HEAP_SIZE=16384
CONFIG_FS_LITTLEFS_FC_HEAP_SIZE=8192
CONFIG_BT_RX_STACK_SIZE=12288
CONFIG_BT_HCI_TX_STACK_SIZE=8192
CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=12288

########################################
# 🔧 Utilities
########################################
CONFIG_BASE64=y
CONFIG_ASSERT=n


########################################
# ⏱️ Watchdog Timer
########################################
# CONFIG_LOG=y
# CONFIG_LOG_MODE_IMMEDIATE=y
# CONFIG_WDT_LOG_LEVEL_DBG=y
CONFIG_WATCHDOG=y
# CONFIG_WDT_DISABLE_AT_BOOT=n

CONFIG_BT_L2CAP_TX_BUF_COUNT=10
CONFIG_BT_CONN_TX_MAX=10

########################################
# 🌐 Enable followind to use Modem for connectivity
########################################

# CONFIG_USE_MODEM=y

########################################
# 🌐 Enable following to use LAN for connectivity
########################################
CONFIG_USE_LAN=y
CONFIG_NETWORKING=y
CONFIG_NET_IPV4=y
CONFIG_NET_IPV6=n
CONFIG_NET_ARP=y
CONFIG_NET_TCP=y
CONFIG_NET_UDP=y
CONFIG_NET_DHCPV4=y
CONFIG_NET_DHCPV4_OPTION_CALLBACKS=n
CONFIG_NET_L2_ETHERNET=y

CONFIG_NET_MGMT=y
CONFIG_NET_MGMT_EVENT=y

CONFIG_SLIP_STATISTICS=n

CONFIG_MDIO=y
CONFIG_MDIO_SHELL=n

CONFIG_ETH_W5500=y

CONFIG_NET_SOCKETS=y
CONFIG_NET_SOCKETS_OFFLOAD=n
CONFIG_POSIX_API=y

# HTTP client
CONFIG_HTTP_CLIENT=y

CONFIG_NET_BUF_RX_COUNT=80
CONFIG_NET_BUF_TX_COUNT=80

# TLS configuration
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_BUILTIN=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=60000
CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=2048

CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=6

CONFIG_NORDIC_SECURITY_BACKEND=y

# Enable TLS client and server via Mbed TLS library
CONFIG_MBEDTLS_CIPHER=y

CONFIG_OPENTHREAD=n
CONFIG_MBEDTLS_TLS_LIBRARY=y
CONFIG_MBEDTLS_SSL_CLI_C=y
CONFIG_MBEDTLS_SSL_SRV_C=y
# CONFIG_MBEDTLS_SSL_TLS_C=y
CONFIG_MBEDTLS_SSL_PROTO_TLS1_2=y

# REQUIRED when NRF_SECURITY is enabled

CONFIG_MBEDTLS_ENTROPY_C=y
CONFIG_MBEDTLS_CTR_DRBG_C=y

# HTTP client sample requirements
CONFIG_HTTP_CLIENT=y

# Entropy / RNG (required for TLS)
CONFIG_ENTROPY_GENERATOR=y
CONFIG_TEST_RANDOM_GENERATOR=y

# Certificates
CONFIG_TLS_CREDENTIALS=y

# # Debug (optional but recommended)
# CONFIG_MBEDTLS_DEBUG=y
# # Make sure these are OFF
CONFIG_OPENTHREAD=n
CONFIG_NET_L2_OPENTHREAD=n

# Logging
# CONFIG_NET_LOG=y
# CONFIG_NET_HTTP_LOG_LEVEL_DBG=y
# CONFIG_NET_IPV4_LOG_LEVEL_DBG=y
# CONFIG_NET_SOCKETS_LOG_LEVEL_DBG=y
# CONFIG_NET_IPV4_ND_LOG_LEVEL_DBG=y




# Networking core
CONFIG_NETWORKING=y
CONFIG_NET_L2_ETHERNET=y
CONFIG_NET_IPV4=y
CONFIG_NET_IPV6=n
CONFIG_NET_TCP=y

# DHCP
CONFIG_NET_DHCPV4=y
CONFIG_NET_DHCPV4_OPTION_CALLBACKS=y

# Ethernet
CONFIG_ETH_W5500=y

# Sockets (MANDATORY)
CONFIG_NET_SOCKETS=y
CONFIG_NET_SOCKETS_OFFLOAD=n
CONFIG_POSIX_API=y

# HTTP client
CONFIG_HTTP_CLIENT=y

# Logging
CONFIG_LOG=y
CONFIG_NET_LOG=y
CONFIG_NET_SOCKETS_LOG_LEVEL_DBG=y
CONFIG_NET_HTTP_LOG_LEVEL_DBG=y

# Stack sizes (IMPORTANT for W5500)
CONFIG_MAIN_STACK_SIZE=4096
CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=4096

CONFIG_NET_BUF_RX_COUNT=80
CONFIG_NET_BUF_TX_COUNT=80

# TLS configuration
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_BUILTIN=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=60000
CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=2048

CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=6

CONFIG_BT=y
CONFIG_NRF_SECURITY=y

CONFIG_NORDIC_SECURITY_BACKEND=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
# Enable TLS client and server via Mbed TLS library
CONFIG_MBEDTLS_CIPHER=y

CONFIG_OPENTHREAD=n
CONFIG_MBEDTLS_TLS_LIBRARY=y
CONFIG_MBEDTLS_SSL_CLI_C=y
CONFIG_MBEDTLS_SSL_SRV_C=y
# CONFIG_MBEDTLS_SSL_TLS_C=y
CONFIG_MBEDTLS_SSL_PROTO_TLS1_2=y



# MbedTLS and security
CONFIG_MBEDTLS=y
CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN=4096
CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN=4096
CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION=y
CONFIG_MBEDTLS_HEAP_SIZE=32768
CONFIG_MBEDTLS_RSA_C=y
CONFIG_MBEDTLS_TLS_LIBRARY=y
CONFIG_MBEDTLS_X509_LIBRARY=y
CONFIG_MBEDTLS_PKCS1_V15=y
CONFIG_NORDIC_SECURITY_BACKEND=y
# CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
CONFIG_PSA_WANT_ALG_SHA_1=y
CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_CRYPT=y
CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN=y
CONFIG_PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY=y
CONFIG_PSA_WANT_ECC_SECP_R1_384=y
# RSA requires that at least one key size is enabled
CONFIG_PSA_WANT_RSA_KEY_SIZE_1024=y
# Modem key management needs to be set to n, if not the certificate are provisioned to the modem
CONFIG_MODEM_KEY_MGMT=n



# REQUIRED when NRF_SECURITY is enabled
CONFIG_MBEDTLS_ENTROPY_C=y
CONFIG_MBEDTLS_CTR_DRBG_C=y

CONFIG_DNS_RESOLVER=y

CONFIG_NRF_SECURITY=y
CONFIG_BT=y

I have not added these Kconfigs manually, these are part of ncs 3.0.2.

I have made some progress on this, I can now build the project with the above prj.conf. The problem now is that the certificate parsing fails with this error: <err> net_sock_tls: Failed to parse CA certificate, err: -0x2180

I'm using the same cert provided in the sample code.

Hi,

The error code indicates MBEDTLS_ERR_X509_INVALID_FORMAT problem.

Haris Iqbal said:

I'm using the same cert provided in the sample code.

Which certificate is your application trying to parse? What is the location of the certificate?
Which CA certificate do you use?

Best regards.
Dejan