
nrf91_socket_offload_connect() fails when nrf_connect() is called for a TLS connection

The IP mode is IPv4. 

1. The hostname resolves to an IP address. The resolved IP address is correct (verified separately with an nslookup command).

2. setsockopt(fd, SOL_TLS, TLS_PEER_VERIFY, &verify, sizeof(verify)); is called successfully (no error returned). verify is set to NONE.

3. setsockopt(fd, SOL_TLS, TLS_SEC_TAG_LIST, sec_tag_list, sizeof(sec_tag_t) * ARRAY_SIZE(sec_tag_list)); is called successfully (no error returned). sec_tag_list is initialized to { 1 }.

4. connect() returns an error. Looking deeper, nrf91_connect() (in nrf/lib/bsdlib/nrf91_sockets.c::nrf91_socket_offload_connect() ) returns error -1.

I am not able to debug further than this, as the code is not available for bsdlib.

This may or may not be relevant: the port I am using is 6443 instead of 443. I set it properly in the resolve_and_connect() method.

        proto = IPPROTO_TLS_1_2;

        port = htons(6443);

Note: I started off with http_download_update application.

  • Hi,

    2. setsockopt(fd, SOL_TLS, TLS_PEER_VERIFY, &verify, sizeof(verify)); is called successfully (no error returned). verify is set to NONE

     This means do not verify the hostname (don't check the domain name against the CA certificates); that should be OK.

    3. setsockopt(fd, SOL_TLS, TLS_SEC_TAG_LIST, sec_tag_list, sizeof(sec_tag_t) * ARRAY_SIZE(sec_tag_list)); is called successfully (no error returned). sec_tag_list is initialized to { 1 }.

     This indicates that the certificates (private and public key, and optionally the CA) should reside in sec_tag '1'. Have you loaded your certificates into this sec_tag?

    If you first load at_client into your device, you can use the "Certificate manager" in LTE Link monitor to load the certs.

    If it gives an error when writing, please reset the board, as you cannot write certs while the modem is active.

    4. connect() returns an error. Looking deeper, nrf91_connect() (in nrf/lib/bsdlib/nrf91_sockets.c::nrf91_socket_offload_connect() ) returns error -1.

    -1 means that the call itself has failed. If you print errno (printk("errno:%d\n", errno);), it should give a more detailed error code.

    Kind regards,

    Håkon

  • Thank you for the reply!

    I have added the certificates already. In fact, I add them on every boot with nrf_inbuilt_key_delete() and nrf_inbuilt_key_write() calls.

    The key pair and public key certificate are generated using the following command:

    # openssl req -newkey rsa:4096 -nodes -keyout domain.key -x509 -days 365 -out domain.crt

    I added errno to the log and nrf91_connect() returns 22 (NRF_EINVAL).

    Thanks,

  • Could you show the socket setup prior to the connect() call? Getting EINVAL back is a typical error if the setup is not aligned with the protocol you're trying to use.

    Kind regards,

    Håkon
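The two points Håkon raises above, printing errno right after the failing call and getting the whole socket setup in place before connect(), put together as an added example. This is not code from the thread, from Nordic or from Zephyr: the function table (tls_socket_ops), the tls_target and tls_connect_result structs, tls_connect_ipv4() and run_fake() are this example's own names, the host-side constant values are defined only so the file compiles off-target, and the fake transport, the 10.0.0.1:6443 / example.com target and the injected errno values are constructed for the demonstration.

```c
/* Added example: nRF91 TLS socket setup with the failing call's errno captured.
 * Not code from the thread, Nordic or Zephyr; see the lead-in for assumptions. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef __ZEPHYR__
#include <zephyr/net/socket.h>
#include <zephyr/net/tls_credentials.h>
#else
/* Host build (assumption): Zephyr's socket constants are unavailable off-target,
 * so they are defined here with Zephyr's values purely so this compiles. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#define IPPROTO_TLS_1_2          258
#define SOL_TLS                  282
#define TLS_SEC_TAG_LIST         1
#define TLS_HOSTNAME             2
#define TLS_PEER_VERIFY          5
#define TLS_PEER_VERIFY_NONE     0
#define TLS_PEER_VERIFY_REQUIRED 2
typedef int sec_tag_t;
#endif

/* Socket calls go through this table so the sequence can run against a fake;
 * on the device, fill it with the real socket()/setsockopt()/connect()/close(). */
struct tls_socket_ops {
    int (*open_fn)(int domain, int type, int proto);
    int (*setopt_fn)(int fd, int level, int opt, const void *val, socklen_t len);
    int (*connect_fn)(int fd, const struct sockaddr *addr, socklen_t len);
    int (*close_fn)(int fd);
};

struct tls_target {
    uint32_t ipv4;        /* already resolved, network byte order */
    uint16_t port;        /* host byte order, e.g. 6443 */
    const char *hostname; /* SNI and certificate name; required unless verify is NONE */
    int peer_verify;      /* TLS_PEER_VERIFY_NONE / OPTIONAL / REQUIRED */
    sec_tag_t sec_tag;    /* slot the credentials were provisioned into */
};

struct tls_connect_result {
    int fd;           /* >= 0 on success, -1 on failure */
    int err;          /* errno of the failing call, 0 on success */
    const char *step; /* which call failed ("ok" on success) */
};

/* Every TLS option is applied before connect(); errno is read immediately after
 * the failing call, before close() in the cleanup path can overwrite it. */
struct tls_connect_result tls_connect_ipv4(const struct tls_socket_ops *ops,
                                           const struct tls_target *t)
{
    struct tls_connect_result r = { -1, 0, "ok" };
    sec_tag_t tags[1] = { t->sec_tag };
    struct sockaddr_in sa;

    if (t->peer_verify != TLS_PEER_VERIFY_NONE && t->hostname == NULL) {
        r.err = EINVAL; r.step = "hostname"; /* nothing to verify the peer against */
        return r;
    }
    r.fd = ops->open_fn(AF_INET, SOCK_STREAM, IPPROTO_TLS_1_2);
    if (r.fd < 0) { r.err = errno; r.step = "socket"; return r; }

    if (ops->setopt_fn(r.fd, SOL_TLS, TLS_SEC_TAG_LIST, tags, sizeof(tags)) < 0) {
        r.err = errno; r.step = "TLS_SEC_TAG_LIST"; goto fail;
    }
    if (ops->setopt_fn(r.fd, SOL_TLS, TLS_PEER_VERIFY, &t->peer_verify,
                       sizeof(t->peer_verify)) < 0) {
        r.err = errno; r.step = "TLS_PEER_VERIFY"; goto fail;
    }
    if (t->hostname && ops->setopt_fn(r.fd, SOL_TLS, TLS_HOSTNAME, t->hostname,
                                      (socklen_t)strlen(t->hostname)) < 0) {
        r.err = errno; r.step = "TLS_HOSTNAME"; goto fail;
    }
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(t->port);
    sa.sin_addr.s_addr = t->ipv4;
    if (ops->connect_fn(r.fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
        r.err = errno; r.step = "connect"; goto fail;
    }
    return r;
fail:
    ops->close_fn(r.fd);
    r.fd = -1;
    return r;
}

/* Fake transport (constructed): fails at one named step with a chosen errno,
 * rejects connect() when credentials were never set (EINVAL, as the offloaded
 * socket does), and clobbers errno in close() to show why it is read first. */
static struct { const char *fail_step; int fail_errno; int opts_set; int closed; } g_fake;
static int fake_fails(const char *s) { return g_fake.fail_step && !strcmp(g_fake.fail_step, s); }
static int fake_socket(int d, int t, int p) { (void)d; (void)t; (void)p;
    if (fake_fails("socket")) { errno = g_fake.fail_errno; return -1; } return 7; }
static int fake_setsockopt(int fd, int lvl, int opt, const void *v, socklen_t n) {
    (void)fd; (void)v; (void)n;
    const char *name = opt == TLS_SEC_TAG_LIST ? "TLS_SEC_TAG_LIST"
                     : opt == TLS_PEER_VERIFY ? "TLS_PEER_VERIFY" : "TLS_HOSTNAME";
    if (lvl != SOL_TLS) { errno = ENOPROTOOPT; return -1; }
    if (fake_fails(name)) { errno = g_fake.fail_errno; return -1; }
    g_fake.opts_set++; return 0; }
static int fake_connect(int fd, const struct sockaddr *a, socklen_t n) { (void)fd; (void)a; (void)n;
    if (fake_fails("connect")) { errno = g_fake.fail_errno; return -1; }
    if (g_fake.opts_set < 2) { errno = EINVAL; return -1; }
    return 0; }
static int fake_close(int fd) { (void)fd; g_fake.closed++; errno = EBADF; return 0; }

/* Run the setup against the fake; target 10.0.0.1:6443 is constructed. */
struct tls_connect_result run_fake(const char *fail_step, int fail_errno, const char *hostname)
{
    static const struct tls_socket_ops ops = { fake_socket, fake_setsockopt, fake_connect, fake_close };
    struct tls_target t = { htonl(0x0A000001), 6443, hostname, TLS_PEER_VERIFY_REQUIRED, 1 };
    memset(&g_fake, 0, sizeof(g_fake));
    g_fake.fail_step = fail_step; g_fake.fail_errno = fail_errno;
    return tls_connect_ipv4(&ops, &t);
}
int fake_closed_count(void) { return g_fake.closed; }

int main(void)
{
    struct tls_connect_result r = run_fake("connect", EINVAL, "example.com");
    printf("step=%s errno=%d (%s) fd=%d\n", r.step, r.err, strerror(r.err), r.fd);
    return 0;
}
```

On the device the table is filled with the real socket functions and the fake is dropped; the point of the structure is that the result carries the step name and the errno of that exact call, which is what the thread ends up needing to see. Note also that TLS_PEER_VERIFY_NONE disables certificate verification of the peer altogether, not only the hostname check, so it is a way to isolate a failing handshake, not a setting to ship.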

  • It was the host that had the problem. I am able to connect to other sites.

    Appreciate your help :-)
