
ISSUE (connect error 45) on HTTPS_Client example to amazon CloudFront using Custom SSL Certificate (socket.nouslogic.com) with SNI support

Hi,

I'm getting an error on connect to the cloud server (socket.nouslogic.com:443); the error code is 45 (EOPNOTSUPP).

Here are the details:

1. Using the https_client example on nRF Connect SDK (NCS) v1.5.0, modem firmware 1.1.4, network mode NB-IoT, on the nRF9160 DK

2. Set TLS_PEER_VERIFY (the "verify" value) to NONE (=0) to skip certificate verification (to rule out a wrong certificate file)

3. Host is "socket.nouslogic.com"; this is a custom CNAME on Amazon CloudFront, configured with the SNI option.

4. The certificate is the root CA from "openssl s_client -showcerts -tls1_2 -connect socket.nouslogic.com:443". (We also tried provisioning the 3-certificate chain into 3 different security tags.)

5. In the configuration, mbedTLS support (Zephyr built-in) is selected to enable the SNI option. (Tried enabling all cipher suites as well.)

Result:

- other sites work well: google.com, amazon.com or any website without CloudFront in front of it (tested with vn.yahoo.com, vnexpress.net, mqtt.eclipseprojects.io (correct certificate))

- our CloudFront host (socket.nouslogic.com), "nrfcloud.com", or even the direct domain "dsmatvilvjgnu.cloudfront.net": connect fails with error 45.

Question:

- Does NCS v1.5.0 support TLS/SSL connection to Amazon CloudFront yet?

- If the answer to the above is YES, please help to solve the problem.

- If you have any example that successfully connects to our site (socket.nouslogic.com:443) or any CloudFront site, please share the configuration file or source code.

Thanks in advance.

Best Regards.

Viet Nguyen

  • Hi,

    Yes, I also think it is an SNI problem, but I don't know how to fix it.

    Here is my modified "tls_setup" function of the https_client example for setting the hostname.

    /* Headers this function relies on; the https_client sample already includes them,
     * and TLS_SEC_TAG is the security tag macro defined by the sample. */
    #include <zephyr.h>
    #include <errno.h>
    #include <string.h>
    #include <net/socket.h>
    #include <net/tls_credentials.h>

    /* Setup TLS options on a given socket */
    int tls_setup(int fd, const char *hostname)
    {
            int err;
            int verify;

            /* Security tag that we have provisioned the certificate with */
            const sec_tag_t tls_sec_tag[] = {
                    TLS_SEC_TAG,
            };

            /* Set up TLS peer verification */
            enum {
                    NONE = 0,
                    OPTIONAL = 1,
                    REQUIRED = 2,
            };

            /* Peer verification is disabled on purpose for this test, to rule out
             * a wrong certificate file as the cause of the connect() failure. */
            verify = NONE;

            err = setsockopt(fd, SOL_TLS, TLS_PEER_VERIFY, &verify, sizeof(verify));
            if (err) {
                    printk("Failed to setup peer verification, err %d\n", errno);
                    return err;
            }

            /* Associate the socket with the security tag
             * we have provisioned the certificate with.
             */
            err = setsockopt(fd, SOL_TLS, TLS_SEC_TAG_LIST, tls_sec_tag,
                             sizeof(tls_sec_tag));
            if (err) {
                    printk("Failed to setup TLS sec tag, err %d\n", errno);
                    return err;
            }

            /* Set the hostname used for SNI (and, when enabled, for peer
             * certificate name matching). The length excludes the terminating NUL. */
            err = setsockopt(fd, SOL_TLS, TLS_HOSTNAME, hostname, strlen(hostname));
            if (err) {
                    printk("Failed to setup TLS hostname, err %d\n", errno);
                    return err;
            }

            return 0;
    }

    And the configuration:

    We will try to capture the modem trace soon, but in the meantime, do you know how to enable log/debug output for the TLS connection?

    Regards

    V. Nguyen

  • Viet Nguyen said:
    Here is my modified "tls_setup" function of the https_client example for setting the hostname.

    That looks correct. The modem trace will show us if SNI is actually used.


    Viet Nguyen said:
    And the configuration:

    I assume you aren't running the TLS stack on the application core?

    In that case, those options don't actually have any effect.


    Viet Nguyen said:
    We will try to capture the Modem Trace soon, but in the meantime, do you know how to enable log/debug for TLS connection?

    As the TLS stack is running on the modem, the way to get log from the TLS stack is to take a modem trace.
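The reply above makes the whole question hinge on one fact that only a trace of the modem's traffic can settle: whether the ClientHello the device sends actually carries the server_name (SNI) extension. The C program below is an added example, not code from the https_client sample or from Nordic. It has two parts: build_client_hello constructs a minimal TLS 1.2 ClientHello (constructed test data, not what the nRF9160 modem really sends), and tls_client_hello_sni parses one captured TLS record, bounds-checks every nested length against the record, and reports whether an SNI host name is present and what it is. Both function names and the return codes are assumptions of this example. A CloudFront distribution set up for SNI-only custom SSL chooses its certificate from that extension, so a ClientHello that parses as SNI_ABSENT is the first thing to rule out when such a handshake fails.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SNI_FOUND      1   /* well-formed ClientHello carrying a server_name (SNI) extension */
#define SNI_ABSENT     0   /* well-formed ClientHello without SNI */
#define SNI_MALFORMED (-1) /* not a ClientHello record, truncated, or inconsistent lengths */

static unsigned rd16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }
static uint8_t *put16(uint8_t *p, size_t v) { *p++ = (uint8_t)(v >> 8); *p++ = (uint8_t)v; return p; }

/* Build a minimal TLS 1.2 ClientHello record (one cipher suite, fixed "random", no session
 * id) for host; host == NULL omits the extensions block entirely. Constructed test data, not
 * what the nRF9160 modem sends. Returns bytes written, or 0 if cap is too small. */
size_t build_client_hello(uint8_t *buf, size_t cap, const char *host)
{
    size_t hlen = host ? strlen(host) : 0;
    size_t ext_block = host ? 11 + hlen : 0; /* ext_len(2) type(2) len(2) list_len(2) name_type(1) name_len(2) name */
    size_t body = 2 + 32 + 1 + 2 + 2 + 1 + 1 + ext_block;
    size_t total = 5 + 4 + body;
    uint8_t *p = buf;

    if (hlen > 255 || total > cap) return 0;
    *p++ = 0x16; *p++ = 0x03; *p++ = 0x01;     /* record: handshake, legacy version TLS 1.0 */
    p = put16(p, body + 4);
    *p++ = 0x01; *p++ = 0x00;                  /* handshake: ClientHello, 3-byte length (high byte 0) */
    p = put16(p, body);
    *p++ = 0x03; *p++ = 0x03;                  /* client_version = TLS 1.2 */
    memset(p, 0x42, 32); p += 32;              /* random: fixed filler (constructed) */
    *p++ = 0x00;                               /* session_id length 0 */
    p = put16(p, 2); *p++ = 0xc0; *p++ = 0x2f; /* one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
    *p++ = 0x01; *p++ = 0x00;                  /* compression_methods: null only */
    if (host) {
        p = put16(p, 9 + hlen);                /* extensions length */
        p = put16(p, 0x0000);                  /* extension type: server_name */
        p = put16(p, 5 + hlen);                /* extension length */
        p = put16(p, 3 + hlen);                /* server_name_list length */
        *p++ = 0x00;                           /* name type: host_name */
        p = put16(p, hlen);
        memcpy(p, host, hlen); p += hlen;
    }
    return total;
}

/* Parse one TLS record holding a ClientHello and copy its SNI host name into out.
 * Every length field is checked against the enclosing structure before it is used. */
int tls_client_hello_sni(const uint8_t *buf, size_t len, char *out, size_t outlen)
{
    size_t pos, end, hs_len, ext_len;

    if (len < 5 || buf[0] != 0x16) return SNI_MALFORMED;  /* record type 0x16 = handshake */
    end = 5 + rd16(buf + 3);
    if (end > len) return SNI_MALFORMED;                  /* truncated record */
    if (end < 9 || buf[5] != 0x01) return SNI_MALFORMED;  /* handshake type 0x01 = ClientHello */
    hs_len = ((size_t)buf[6] << 16) | ((size_t)buf[7] << 8) | buf[8];
    if (9 + hs_len != end) return SNI_MALFORMED;          /* one ClientHello per record assumed */
    pos = 9 + 2 + 32;                                     /* skip client_version + random */
    if (pos + 1 > end) return SNI_MALFORMED;
    pos += 1 + buf[pos];                                  /* session_id<0..32> */
    if (pos + 2 > end) return SNI_MALFORMED;
    pos += 2 + rd16(buf + pos);                           /* cipher_suites<2..2^16-2> */
    if (pos + 1 > end) return SNI_MALFORMED;
    pos += 1 + buf[pos];                                  /* compression_methods<1..2^8-1> */
    if (pos > end) return SNI_MALFORMED;
    if (pos == end) return SNI_ABSENT;                    /* extensions block is optional */
    if (pos + 2 > end) return SNI_MALFORMED;
    ext_len = rd16(buf + pos); pos += 2;
    if (pos + ext_len != end) return SNI_MALFORMED;
    while (pos + 4 <= end) {                              /* extension: type(2) length(2) data */
        unsigned type = rd16(buf + pos);
        size_t elen = rd16(buf + pos + 2);
        pos += 4;
        if (pos + elen > end) return SNI_MALFORMED;
        if (type == 0x0000) {                             /* server_name: list_len(2) name_type(1) name_len(2) name */
            size_t list_len, name_len;
            if (elen < 5) return SNI_MALFORMED;
            list_len = rd16(buf + pos);
            name_len = rd16(buf + pos + 3);
            if (list_len + 2 != elen || buf[pos + 2] != 0x00 || name_len + 3 > list_len)
                return SNI_MALFORMED;
            if (name_len + 1 > outlen) return SNI_MALFORMED; /* caller's buffer too small */
            memcpy(out, buf + pos + 5, name_len);
            out[name_len] = '\0';
            return SNI_FOUND;
        }
        pos += elen;
    }
    return pos == end ? SNI_ABSENT : SNI_MALFORMED;
}

int main(void)
{
    uint8_t wire[256];
    char name[256];
    size_t n = build_client_hello(wire, sizeof wire, "socket.nouslogic.com");
    int rc = tls_client_hello_sni(wire, n, name, sizeof name);
    printf("%zu-byte ClientHello -> %s\n", n, rc == SNI_FOUND ? name : rc == SNI_ABSENT ? "no SNI" : "malformed");
    return 0;
}
```

To use the parser on real traffic, feed it the raw bytes of the first TLS record the device sends, as extracted from a packet capture. A result of SNI_ABSENT, or SNI_FOUND with a name other than the CNAME the certificate was issued for, explains a rejected handshake on SNI-dependent hosting; SNI_MALFORMED means the capture did not start at a record boundary or the lengths disagree, and the parser refuses to guess rather than trust any single length field.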

  • If that doesn't help, a modem trace will help us identify what is wrong. Note that in NCS v1.5.0, you must set CONFIG_NRF_MODEM_LIB_TRACE_ENABLED=y instead of CONFIG_BSD_LIBRARY_TRACE_ENABLED=y.

    I got an error when building the https_client example:

    2> D:/Work/Nordic/ncs/v1.5.0/nrf/lib/nrf_modem_lib/nrf_modem_lib.c:52:11: error: 'PM_NRF_MODEM_LIB_TRACE_ADDRESS' undeclared here (not in a function); did you mean 'PM_NRF_MODEM_LIB_SRAM_ADDRESS'?
    Build failed

    I searched and didn't find any information about this define, please help.

  • The error comes from CONFIG_NRF_MODEM_LIB_SHMEM_TRACE_SIZE not being set (it should be 16384).

    It should be set automatically when you set CONFIG_NRF_MODEM_LIB_TRACE_ENABLED=y, but isn't when you use the configuration tool in SES, menuconfig or guiconfig due to a quirk in how Kconfig works.

    We have a PR open to fix this here: https://github.com/nrfconnect/sdk-nrf/pull/4296

    So, to fix the error, you must either set CONFIG_NRF_MODEM_LIB_SHMEM_TRACE_SIZE manually, or you can add CONFIG_NRF_MODEM_LIB_TRACE_ENABLED=y to the prj.conf file (and re-open the project or use 'Project -> Run CMake...').

  • Thanks, it works.

    Attached are the modem trace and the LTE Link Monitor log, please check.

    trace-2021-04-13T12-04-13.026Z.bin

    2021-04-13T12:04:14.952Z DEBUG modem << *** Booting Zephyr OS build v2.4.99-ncs1  ***
    2021-04-13T12:04:14.985Z DEBUG modem << Flash regions           Domain          Permissions
    2021-04-13T12:04:14.990Z DEBUG modem << 00 00 0x00000 0x08000   Secure          rwxl
    2021-04-13T12:04:14.991Z DEBUG modem << 01 31 0x08000 0x100000  Non-Secure      rwxl
    2021-04-13T12:04:14.992Z DEBUG modem << Non-secure callable region 0 placed in flash region 0 with size 32.
    2021-04-13T12:04:15.139Z DEBUG modem << SRAM region             Domain          Permissions
    2021-04-13T12:04:15.156Z DEBUG modem << 00 07 0x00000 0x10000   Secure          rwxl
    2021-04-13T12:04:15.159Z DEBUG modem << 08 31 0x10000 0x40000   Non-Secure      rwxl
    2021-04-13T12:04:15.160Z DEBUG modem << Peripheral              Domain          Status
    2021-04-13T12:04:15.162Z DEBUG modem << 00 NRF_P0               Non-Secure      OK
    2021-04-13T12:04:15.163Z DEBUG modem << 01 NRF_CLOCK            Non-Secure      OK
    2021-04-13T12:04:15.165Z DEBUG modem << 02 NRF_RTC0             Non-Secure      OK
    2021-04-13T12:04:15.172Z DEBUG modem << 03 NRF_RTC1             Non-Secure      OK
    2021-04-13T12:04:15.175Z DEBUG modem << 04 NRF_NVMC             Non-Secure      OK
    2021-04-13T12:04:15.176Z DEBUG modem << 05 NRF_UARTE1           Non-Secure      OK
    2021-04-13T12:04:15.177Z DEBUG modem << 06 NRF_UARTE2           Secure          SKIP
    2021-04-13T12:04:15.180Z DEBUG modem << 07 NRF_TWIM2            Non-Secure      OK
    2021-04-13T12:04:15.182Z DEBUG modem << 08 NRF_SPIM3            Non-Secure      OK
    2021-04-13T12:04:15.183Z DEBUG modem << 09 NRF_TIMER0           Non-Secure      OK
    2021-04-13T12:04:15.191Z DEBUG modem << 10 NRF_TIMER1           Non-Secure      OK
    2021-04-13T12:04:15.193Z DEBUG modem << 11 NRF_TIMER2           Non-Secure      OK
    2021-04-13T12:04:15.194Z DEBUG modem << 12 NRF_SAADC            Non-Secure      OK
    2021-04-13T12:04:15.196Z DEBUG modem << 13 NRF_PWM0             Non-Secure      OK
    2021-04-13T12:04:15.204Z DEBUG modem << 14 NRF_PWM1             Non-Secure      OK
    2021-04-13T12:04:15.206Z DEBUG modem << 15 NRF_PWM2             Non-Secure      OK
    2021-04-13T12:04:15.208Z DEBUG modem << 16 NRF_PWM3             Non-Secure      OK
    2021-04-13T12:04:15.210Z DEBUG modem << 17 NRF_WDT              Non-Secure      OK
    2021-04-13T12:04:15.211Z DEBUG modem << 18 NRF_IPC              Non-Secure      OK
    2021-04-13T12:04:15.213Z DEBUG modem << 19 NRF_VMC              Non-Secure      OK
    2021-04-13T12:04:15.222Z DEBUG modem << 20 NRF_FPU              Non-Secure      OK
    2021-04-13T12:04:15.224Z DEBUG modem << 21 NRF_EGU1             Non-Secure      OK
    2021-04-13T12:04:15.226Z DEBUG modem << 22 NRF_EGU2             Non-Secure      OK
    2021-04-13T12:04:15.229Z DEBUG modem << 23 NRF_DPPIC            Non-Secure      OK
    2021-04-13T12:04:15.236Z DEBUG modem << 24 NRF_REGULATORS       Non-Secure      OK
    2021-04-13T12:04:15.240Z DEBUG modem << 25 NRF_GPIOTE1          Non-Secure      OK
    2021-04-13T12:04:15.241Z DEBUG modem << SPM: NS image at 0xc000
    2021-04-13T12:04:15.242Z DEBUG modem << SPM: NS MSP at 0x2001d9d8
    2021-04-13T12:04:15.244Z DEBUG modem << SPM: NS reset vector at 0xed79
    2021-04-13T12:04:15.246Z DEBUG modem << SPM: prepare to jump to Non-Secure image.
    2021-04-13T12:04:15.255Z DEBUG modem << *** Booting Zephyr OS build v2.4.99-ncs1  ***
    2021-04-13T12:04:15.258Z DEBUG modem << HTTPS client sample started
    2021-04-13T12:04:15.541Z DEBUG modem << Provisioning certificate
    2021-04-13T12:04:41.296Z DEBUG modem << Waiting for network.. OK
    2021-04-13T12:04:42.228Z DEBUG modem << Connecting to socket.nouslogic.com
    2021-04-13T12:04:42.977Z DEBUG modem << connect() failed, err: 45

    Regards

    V Nguyen
