https_client sample:

Hi!

We don't support SNI yet, so you can't connect with hostname verification enabled. So when setting up TLS peer verification in main.c, make sure verify is NONE and not REQUIRED. 

As for the AT command issues, just follow Martin's recommendation to you in this ticket.

You're saying that https://github.com/nrfconnect/sdk-nrf/blob/master/samples/nrf9160/https_client/src/main.c#L122 is unsupported and causing the error I'm seeing?

Since that line has been unaltered since the https_client sample was first committed, does that mean that the https_client sample has never worked for anyone without modification?

You're saying that https://github.com/nrfconnect/sdk-nrf/blob/master/samples/nrf9160/https_client/src/main.c#L122 is unsupported and causing the error I'm seeing?

Since that line has been unaltered since the https_client sample was first committed, does that mean that the https_client sample has never worked for anyone without modification?

No, I suppose it hasn't worked for anyone connecting to a hostname that has numerous hostnames with the same IP. 

Setting verify = NONE does seem to allow it to connect, but does this mean that it'll happily send data to any server that offers a https certificate signed by the provided CA even if it's the wrong host?

What precisely is being verified by this verify setting?

I tried using openssl s_client -noservername -connect www.baidu.cn:443 --showcerts and it printed out the same certificate, so apparently this host doesn't require SNI.

I also tried against a server I control which doesn't support SNI and only has a single certificate, and it also gave me error 45 with verify = REQUIRE, so apparently SNI isn't the problem here.

Hi, so SNI support will be present in MFW 1.2.1, and its release is right around the corner. 

However, I had some colleagues take a look at your case, and you might be correct in that SNI isn't the problem. It seems that  www.baidu.cn  and baidu.cn by different CA entities, with different entries in the CN andsubjectAltName field. You could try to add/remove www and see what happens (adding www worked in our testing with GlobalSign CA). 

We're not sure what's going on, and to get a complete picture we would need to know which hostname you're using, which certificates are being used and a modem trace. 

I've found some further info :-

Apparently the modem will only accept the top-level root certificate, it doesn't seem to like intermediate certificates at all.
Is this documented somewhere?

With the certificates fixed, error 45 seems to remain as a random transient error - out of 15 tests I had 5 failures with error 45 and 10 successes (in no particular order) with only nrfjprog -r between each run.
I had similar results in an area with -85dB of signal (according to my phone) rather than the -104dB reported at my desk, and connecting to LTE seems to mostly succeed in ~15s, so apparently it's not an LTE signal strength issue.
(with a code snippet modified from https://devzone.nordicsemi.com/f/nordic-q-a/49966/reading-signal-strength-in-firmware-nrf91/199273#199273 the 9160dk reports slightly better signal than my phone)

If I try to re-connect after a connection failure without resetting (ie do { err = connect(...) } while (err);), the connect() call fails instantly with error 45.
getaddrinfo() also seems to fail instantly if re-called in the same fashion.
How much of the networking library needs to be reinitialized after a connect() failure for me to be able to retry the connection?
Is that documented somewhere?
Is this a bug in bsdlib, since connect() doesn't invalidate the socket on other POSIX systems, and man connect explicitly states that connect() can be re-run on an existing socket?
Should I make a separate thread about this?

Log:

[Wed Aug 26 19:03:21 2020] *** Booting Zephyr OS build v2.3.0-rc1-ncs1-1451-gb160c8c5caa5 ***
[Wed Aug 26 19:03:21 2020] HTTPS client sample started
[Wed Aug 26 19:03:22 2020] Provisioning certificate..
[Wed Aug 26 19:03:22 2020] Provisioned
[Wed Aug 26 19:03:22 2020] Waiting for network...
[Wed Aug 26 19:03:37 2020] Connected
[Wed Aug 26 19:03:37 2020] RSSI: -101 dBm
[Wed Aug 26 19:03:37 2020] Looking up www.baidu.com
[Wed Aug 26 19:03:39 2020] Connecting to www.baidu.com
[Wed Aug 26 19:06:25 2020] connect() failed, err -1 errno 22
[Wed Aug 26 19:06:25 2020] connect() failed, err -1 errno 45
[Wed Aug 26 19:06:25 2020] connect() failed, err -1 errno 45
[Wed Aug 26 19:06:25 2020] connect() failed, err -1 errno 45
[Wed Aug 26 19:06:25 2020] connect() failed, err -1 errno 45
[Wed Aug 26 19:06:25 2020] connect() failed, err -1 errno 45
[Wed Aug 26 19:06:25 2020] connect() failed, err -1 errno 45
[Wed Aug 26 19:06:25 2020] connect() failed, err -1 errno 45
[Wed Aug 26 19:06:25 2020] connect() failed, err -1 errno 45
[Wed Aug 26 19:06:25 2020] connect() failed, err -1 errno 45
[Wed Aug 26 19:06:25 2020] connect() failed, err -1 errno 45
[Wed Aug 26 19:06:25 2020] connect() failed, err -1 errno 45

I will investigate how to capture a modem trace and get back to you with that.

PS: connect() seems to take 1-3 minutes, is there any way to speed that up, or at least profile which stages of the connect process are taking most of the time?

Hi, 

If connect() fails, consider the state of the socket as unspecified. Portable  applications
should close the socket and create a new one for reconnecting.

Triffid_Hunter said:

I will investigate how to capture a modem trace and get back to you with that.

PS: connect() seems to take 1-3 minutes, is there any way to speed that up, or at least profile which stages of the connect process are taking most of the time?

connect() blocking for 1-3 minutes is a long time. We really need a modem trace of this situation to be able to help you further with this issue.

Let me know if there's anything I can do to help you capture a modem trace. 

Best regards,

Heidi