RE: nRF9160 ssl tls https websocket connections

aldras — Fri, 22 Jan 2021 13:00:26 GMT

Hi Didrik,

Thank you very much for the detailed answer, this has given me insight to the questions and given me something to think about.

RE: nRF9160 ssl tls https websocket connections

Didrik Rokhaug — Fri, 22 Jan 2021 12:55:25 GMT

Hi,

[quote user=""]How does the nRF9160 compare, does it have some hardware to accelerate cryptography to some degree?[/quote]

Yes, the nRF9160 has some hardware cryptography modules. Both in the modem and on the application core.

https://infocenter.nordicsemi.com/topic/ps_nrf9160/cryptocell.html

[quote user=""] is it possible to create this root CA store in the nRF9160 to handle the CA verification?[/quote]

The IP, TCP (and UDP), TLS (and DTLS) stacks are normally offloaded to the modem. In that case, the certificates must also be stored in the modem. You do that with the %CMNG AT command.

The certificates are written to a "sec_tag", and when you open a socket, you can instruct the modem to use the certificates stored in a given sec_tag.

[quote user=""]Currently I am working with the "serial lte modem" example and would prefer if there was TLS support in this project, but it appears it is either limited or does not exist presently.[/quote]

TLS is supported both for the HTTP commands, and the TCP commands. In both cases, you enable TLS by adding the sec_tag to the command.

https://developer.nordicsemi.com/nRF_Connect_SDK/doc/1.4.2/nrf/applications/serial_lte_modem/doc/TCPIP_AT_commands.html#bsd-socket-xsocket

https://developer.nordicsemi.com/nRF_Connect_SDK/doc/1.4.2/nrf/applications/serial_lte_modem/doc/HTTPC_AT_commands.html#http-client-connection-xhttpccon

If the TLS stack on the modem isn't enough, or you would like to configure the TLS stack differently, the SLM also supports having the TLS stack on the application core when using the TCP commands (it will not use the application core TLS stack when using HTTP or MQTT commands). You can use the application core TLS stack by setting CONFIG_SLM_NATIVE_TLS=y in your prj.conf.

https://developer.nordicsemi.com/nRF_Connect_SDK/doc/1.4.2/nrf/applications/serial_lte_modem/doc/slm_description.html#native-tls-sockets

[quote user=""]With the SAM51 I would store the root CAs on an SD card. Attaching an SD card to the nRF9160 through SPI I guess would not be impossible, but then the necessary code would have to be written to handle the implementation.[/quote]

Unless you want to keep the certificates away from the SAM51, it will probably be easiest to connect the SD card to the SAM51, and send the certificates over the AT command interface to the nRF9160.

It shouldn't be too hard to modify the SLM to read the certificates from the SD card, but it does sound like more work.

If you want to read the SD card from the nRF9160: https://developer.nordicsemi.com/nRF_Connect_SDK/doc/1.4.2/zephyr/reference/storage/disk/sdhc.html

Best regards,

Didrik