nRF91 How to use Google's primary and backup root CA on the modem?

Currently, a huge portion of the support team (including many of the experts on nRF9160) is on summer vacation, and you may experience delayed answers. My apologies for that.

I will try to provide you with an answer within this week.

Best regards,

Simon

Hi Simon,

update: The different root CAs should come to different sec_tags installed on the modem and that sec_tags must be referenced from the application software. That's clear me now.

But I have a problem when I try to verify the peer in the TLS connection:

struct mqtt_sec_config *tls_config =  &client->transport.tls.config;
tls_config->peer_verify = MQTT_TRANSPORT_SECURE;

results in EOPNOTSUPP 95 (Operation not supported on socket)

When I use

tls_config->peer_verify = TLS_PEER_VERIFY_NONE;

I can connect.

The peer verification works on Amazon with its sha256WithRSAEncryption signature. Google's signature for mqtt.2030.ltsapis.goog is an ecdsa-with-SHA256 signature. 

Is that not supported?

Is this a bug in the modem software?

I use the latest one (mfw_nrf9160_1.2.0.zip).

With best regards,

Árpád

Hi Simon,

thank you.

Best regards,

Árpád

Hi.

Modem firmware version 1.2.1, which has support for SNI has just been released.

https://www.nordicsemi.com/Software-and-tools/Development-Kits/nRF9160-DK/Download#infotabs

Best regards,

Didrik

Hi Didrik,

thank you for your answer and sorry for my late one. I will try it.

Best regards,

Árpád

Hi there Arpad,

Were you ever able to get the LTS version of Google IoT Core (using mqtt.2030.ltsapis.goog using the primary and backup certs) working with Modem firmware version 1.2.1?

I have tried and have been unsuccessful, and was suspecting that the modem firmware doesn't support the TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite.

mike-at-currant said:

I have tried and have been unsuccessful, and was suspecting that the modem firmware doesn't support the TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite.

Google Cloud recently changed their list of supported cipher suites. As their new list of supported suites aren't supported by our older modem firmware versions, they can no longer be used together with Google Cloud.

However, we have added support for some GCM cipher suites in modem firmware 1.3.1.

mike-at-currant said:

I have tried and have been unsuccessful, and was suspecting that the modem firmware doesn't support the TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite.

Google Cloud recently changed their list of supported cipher suites. As their new list of supported suites aren't supported by our older modem firmware versions, they can no longer be used together with Google Cloud.

However, we have added support for some GCM cipher suites in modem firmware 1.3.1.

Great news - thanks for the update, it's much appreciated!  I did set CONFIG_MBEDTLS_CIPHER_GCM_ENABLED=y in the config, and noticed that TLS_PEER_VERIFY_REQUIRED still didn't work.

We'll set TLS_PEER_VERIFY_NONE until we can update to firmware 1.3.1.