NRF9160 Unable to disable certificate validation when connecting to https

Hi all!
Since I do not have a system for updating the certificate when changing the server, I decided to disable certificate verification when connecting to the https server. Here is the code:

static int tls_setup(int fd, const char * _addr)
{
    /* Set up TLS peer verification */
    enum {
        NONE = 0,
        OPTIONAL = 1,
        REQUIRED = 2,
    };
    int verify = NONE;
    int err = setsockopt(fd, SOL_TLS, TLS_PEER_VERIFY, &verify, sizeof(verify));
    if (err) {
        LOG_ERR("Failed to setup peer verification, err %d", errno);
        return err;
    }
    return 0;
}

Since the certificate is not needed I do not execute the cert_provision function.
Here is the server connection code:

bool net_connect(const char * _addr, uint16_t _port, Socket_t * _out_socket, struct addrinfo **_out_addrinfo)
{
    int err;
    err = getaddrinfo(_addr, NULL, &m_Hints, _out_addrinfo);
    if (err) {
        LOG_ERR("getaddrinfo() failed, err %d", errno);
        return false;
    }
    ((struct sockaddr_in *)(*_out_addrinfo)->ai_addr)->sin_port = htons(_port);
    *_out_socket = socket(AF_INET, SOCK_STREAM, IPPROTO_TLS_1_2);
    if (*_out_socket == -1) {
        LOG_ERR("Failed to open socket!");
        clean_up(*_out_socket, _out_addrinfo);
        return false;
    }
    /* Setup TLS socket options */
    err = tls_setup(*_out_socket, _addr);

I end up getting "connect() failed, err: 95" when I try to connect to the server.

I also noticed one feature: on the nRF9160 onto which I previously downloaded the certificate, the connection is successful. However, on the new (clean) nRF9160 I get the error "connect() failed, err: 95". It seems that the certificate remains in the modem, and therefore I can connect on the old nRF9160 but not on the new one.

As a result, it is not clear how to work without knowing the CA certificate. 
Thanks!