This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

Enable mbedTLS debug output for Nordic security backend

Alan Low over 5 years ago

Hi,

I am trying to use the Nordic security backend support from nrf Connect SDK to connect to HTTP and MQTT with TLS.

Below are my steps:

1) do certificate provisioning (client private key, client public cert and server CA cert).

2) Resolve hostname and get the IPv4 address.

3) Create TLS socket and set the following options:

- peer verify = 1 (optional)

- TLS security tag

- TLS hostname

4) Connect to the server using "connect()".

However the connect() return -45 which from the errno.h is EOPNOTSUPP (Operation not supported on socket).

Is it possible to turn on the mbedTLS debug print via mbedtls_debug_set_threshold() function so that I can investigate which part of the TLS handshaking goes wrong?

0 Martin Lesund over 5 years ago
Hello Alan,

Please make sure you are using the latest modem firmware version: v1.1.1

Please make sure to update NCS to v1.2.0:

cd ncs/nrf git checkout master git pull git checkout v1.2.0 west update

Have you seen the blog: "Enabling and testing TLS in mqtt_simple" ?
It should give you some good pointers on how you could do this.

Best regards,

Martin L.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Alan Low over 5 years ago in reply to Martin Lesund

Hi Martin,

My client private key required passphase to decrypt.

1) Can the v1.2.0 BSD TLS socket API support on this?

2) If cannot support than how can I proceed on doing this using nrf connect SDK?

3) If I enable mbedTLS support, I might need a big heap memory as the signature and ciphersuite is using SHA384 (4096 bits) but I notice that the maximum size to CONFIG_HEAP_MEM_POOL_SIZE is only 16K?

Any advise would be appreciated.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Martin Lesund over 5 years ago in reply to Alan Low

Hi Alan,
I'm not 100% sure if I understand what you are trying to do, but it sounds like this is something that you can achieve using Security Tags
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Alan Low over 5 years ago in reply to Martin Lesund

Hi Martin,

Does Nordic bsdlib TLS socket API support "Server Name Indication (SNI)" ?

If yes how to enable it?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Martin Lesund over 5 years ago in reply to Alan Low

Hi Alan,
I am very sorry for the delay!
I've somehow lost track of this case.

To answer your question, we do not have support for SNI yet.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel