NRF9160 Unable to disable certificate validation when connecting to https

RE: NRF9160 Unable to disable certificate validation when connecting to https

Didrik Rokhaug — Fri, 20 Nov 2020 15:35:34 GMT

Hi, and sorry for being slow to reply.

I tested, myself, and it worked as it should when I tested with google.com:443 and AWS's root certificate. As expected, I was not able to connect to Google when I required peer verification, but I was able to connect when I disabled it.

I then tried www.integrasources.com:443, and was not able to connect, same as you.

However, running it through SSLabs, I see that integrasources.com does not support any of the cipher suites supported by the nRF9160. That is why we were not able to connect, not the peer verification.

You can find a list over which cipher suites we support here: https://www.nordicsemi.com/Software-and-tools/Prototyping-platforms/Nordic-Thingy-91/Download#infotabs

RE: NRF9160 Unable to disable certificate validation when connecting to https

Yury Morgunov — Tue, 17 Nov 2020 12:48:13 GMT

Error code remains the same 95

#define EOPNOTSUPP 95 / * Operation not supported on socket * /

When testing, I used GlobalSign-Root-CA-R2 which is located in the folder with the example

Unfortunately now it is difficult to get trace log from the modem since I am using my board. The NRF9160 DK is currently not available.

If it's not difficult for you, try connecting for example to https://www.integrasources.com

RE: NRF9160 Unable to disable certificate validation when connecting to https

Didrik Rokhaug — Thu, 12 Nov 2020 14:30:13 GMT

[quote user="Yury Morgunov"]if this certificate expires, will the connection still work?[/quote]

Yes, it should. You can easily test this by writing a wrong certificate to the modem, e.g. Google's, AWS's, one you create yourself. You should still be able to connect to your server.

[quote user="Yury Morgunov"]I disable peer verification and download the CA certificate. Then I connect to the domain first.example.com, but I cannot connect to example.com. At the same time, first.example.com and example.com have certificates from letsencrypt. Why is that?[/quote]

What error code do you get?

Still connect() failed with -95?

Do you have any logs from the server that could inform us about what is wrong?

A modem trace could let us inspect the IP traffic between the modem and the server, which should give a good indication about what the problem is.

RE: NRF9160 Unable to disable certificate validation when connecting to https

Yury Morgunov — Thu, 12 Nov 2020 04:28:56 GMT

Okay, so if this certificate expires, will the connection still work?

There is one more not clear feature:
I disable peer verification and download the CA certificate. Then I connect to the domain first.example.com, but I cannot connect to example.com. At the same time, first.example.com and example.com have certificates from letsencrypt. Why is that?

RE: NRF9160 Unable to disable certificate validation when connecting to https

Didrik Rokhaug — Wed, 11 Nov 2020 13:31:30 GMT

Hi,

When using TLS, the modem requires either a root CA certificate or a pre-shared key (PSK) at a minimum.

But, you can still disable peer verification. It will then accept any server, even if the certificates does not match.

Best regards,

Didrik