ISSUE (connect error 45) on HTTPS_Client example to amazon CloudFront using Custom SSL Certificate (socket.nouslogic.com) with SNI support

Hi,

To me, this sounds like an SNI problem.

5. In configuration, select mbedtls support( zephyr built-in) to enable the SNI option. ( tried enable all cipher suites as well)

 Could you share the code where you enable SNI?

On the nRF9160, the TLS stack normally recides in the modem, and is not affected by Kconfig options. So this probably had no effect, unless you also configured Zephyr to use the native TLS stack, and not the offloaded (to the modem) one.

You can see how SNI is enabled here: https://github.com/nrfconnect/sdk-nrf/blob/master/subsys/net/lib/download_client/src/download_client.c#L133

If that doesn't help, a modem trace will help us identify what is wrong. Note that in NCS v1.5.0, you must set CONFIG_NRF_MODEM_LIB_TRACE_ENABLED=y instead of CONFIG_BSD_LIBRARY_TRACE_ENABLED=y.

Best regards,

Didrik

Hi,

Yes, I also think about SNI problem, but don't know how to fix.

Here are my modified the func "tls_setup" of https_client example for setting hostname.

/* Setup TLS options on a given socket */
int tls_setup(int fd, char*hostname)
{
	int err;
	int verify;

	/* Security tag that we have provisioned the certificate with */
	const sec_tag_t tls_sec_tag[] = {
		TLS_SEC_TAG,
	};

	/* Set up TLS peer verification */
	enum {
		NONE = 0,
		OPTIONAL = 1,
		REQUIRED = 2,
	};

	verify = NONE;

	err = setsockopt(fd, SOL_TLS, TLS_PEER_VERIFY, &verify, sizeof(verify));
	if (err) {
		printk("Failed to setup peer verification, err %d\n", errno);
		return err;
	}

	/* Associate the socket with the security tag
	 * we have provisioned the certificate with.
	 */
	err = setsockopt(fd, SOL_TLS, TLS_SEC_TAG_LIST, tls_sec_tag,
			 sizeof(tls_sec_tag));
	if (err) {
		printk("Failed to setup TLS sec tag, err %d\n", errno);
		return err;
	}

        err = setsockopt(fd, SOL_TLS,TLS_HOSTNAME, hostname,strlen(hostname));
        if (err) {
                printk("Failed to setup TLS hostname, err %d\n", errno);
		return err;
        }

	return 0;
}

And the configuration:

We will try to capture the Modem Trace soon, but in the meantime, do you know how to enable log/debug for TLS connection?

Regards

V. Nguyen

Viet Nguyen said:

Here are my modified the func "tls_setup" of https_client example for setting hostname.

 That looks correct. The mosem trace will show us if SNI is actually used.

Viet Nguyen said:

And the configuration:

I assume you aren't running the TLS stack on the application core?

In that case, those options doesn't actually have any effect.

Viet Nguyen said:

We will try to capture the Modem Trace soon, but in the meantime, do you know how to enable log/debug for TLS connection?

As the TLS stack is running on the modem, the way to get log from the TLS stack is to take a modem trace.

Didrik Rokhaug said:

If that doesn't help, a modem trace will help us identify what is wrong. Note that in NCS v1.5.0, you must set CONFIG_NRF_MODEM_LIB_TRACE_ENABLED=y instead of CONFIG_BSD_LIBRARY_TRACE_ENABLED=y.

I got error when building the https_client example:

2> D:/Work/Nordic/ncs/v1.5.0/nrf/lib/nrf_modem_lib/nrf_modem_lib.c:52:11: error: 'PM_NRF_MODEM_LIB_TRACE_ADDRESS' undeclared here (not in a function); did you mean 'PM_NRF_MODEM_LIB_SRAM_ADDRESS'?
Build failed

I searched and didn't find any information about this define, pls help.

The error comes from CONFIG_NRF_MODEM_LIB_SHMEM_TRACE_SIZE not being set (it should be 16384).

It should be set automatically when you set CONFIG_NRF_MODEM_LIB_TRACE_ENABLED=y, but isn't when you use the configuration tool in SES, menuconfig or guiconfig due to a quirk in how Kconfig works.

We have a PR open to fix this here: https://github.com/nrfconnect/sdk-nrf/pull/4296

So, to fix the error, you must either set CONFIG_NRF_MODEM_LIB_SHMEM_TRACE_SIZE manually, or you can add CONFIG_NRF_MODEM_LIB_TRACE_ENABLED=y to the prj.conf file (and re-open the project or use 'Project -> Run CMake...').