
ISSUE (connect error 45) on HTTPS_Client example to Amazon CloudFront using Custom SSL Certificate (socket.nouslogic.com) with SNI support

Hi,

I'm getting an error on connect to the cloud server (socket.nouslogic.com:443); the error code is 45 (EOPNOTSUPP).

Here are the details:

1. Using the https_client example on nRF Connect NCS v1.5.0, modem_fw 1.1.4, network mode NB-IoT, on the nRF9160 DK.

2. Set TLS_PEER_VERIFY via the "verify" value to NONE (=0) to skip certificate verification (to rule out a wrong certificate file).

3. Host is "socket.nouslogic.com", a custom CNAME on Amazon CloudFront, configured with the SNI option.

4. Certificate is the root CA from "openssl s_client -showcerts -tls1_2 -connect socket.nouslogic.com:443". (We also tried provisioning the 3-certificate chain in 3 different security tags.)

5. In the configuration, selected mbedtls support (Zephyr built-in) to enable the SNI option (tried enabling all cipher suites as well).

Result:

- Other sites work well: google.com, amazon.com or any website without CloudFront configured (tested with vn.yahoo.com, vnexpress.net, mqtt.eclipseprojects.io (correct certificate)).

- Our CloudFront host (socket.nouslogic.com), "nrfcloud.com", or even the direct domain "dsmatvilvjgnu.cloudfront.net": connect fails with error 45.

Question:

- Does NCS v1.5.0 support TLS/SSL connection to Amazon CloudFront yet?

- If the answer to the above is YES, please help solve the problem.

- If you have any example that successfully connects to our site (socket.nouslogic.com:443) or any CloudFront site, please share the configuration file or source code.

Thanks in advance.

Best Regards.

Viet Nguyen

  • Hi,

    To me, this sounds like an SNI problem.

    Viet Nguyen said:
    5. In the configuration, selected mbedtls support (Zephyr built-in) to enable the SNI option (tried enabling all cipher suites as well).

    Could you share the code where you enable SNI?

    On the nRF9160, the TLS stack normally resides in the modem, and is not affected by Kconfig options. So this probably had no effect, unless you also configured Zephyr to use the native TLS stack, and not the offloaded (to the modem) one.

    You can see how SNI is enabled here: https://github.com/nrfconnect/sdk-nrf/blob/master/subsys/net/lib/download_client/src/download_client.c#L133

    If that doesn't help, a modem trace will help us identify what is wrong. Note that in NCS v1.5.0, you must set CONFIG_NRF_MODEM_LIB_TRACE_ENABLED=y instead of CONFIG_BSD_LIBRARY_TRACE_ENABLED=y.

    Best regards,

    Didrik

  • Hi,

    Yes, I also think it is an SNI problem, but I don't know how to fix it.

    Here is my modified "tls_setup" function from the https_client example, which sets the hostname.

    #include <errno.h>
    #include <string.h>
    #include <zephyr.h>
    #include <net/socket.h>
    #include <net/tls_credentials.h>

    /* TLS_SEC_TAG is defined in the sample's main.c: the security tag the
     * CA certificate was provisioned to.
     */

    /* Setup TLS options on a given socket */
    int tls_setup(int fd, const char *hostname)
    {
    	int err;
    	int verify;

    	/* Security tag that we have provisioned the certificate with */
    	const sec_tag_t tls_sec_tag[] = {
    		TLS_SEC_TAG,
    	};

    	/* Set up TLS peer verification */
    	enum {
    		NONE = 0,
    		OPTIONAL = 1,
    		REQUIRED = 2,
    	};

    	/* Verification disabled for this test only, to rule out a wrong CA */
    	verify = NONE;

    	err = setsockopt(fd, SOL_TLS, TLS_PEER_VERIFY, &verify, sizeof(verify));
    	if (err) {
    		printk("Failed to setup peer verification, err %d\n", errno);
    		return err;
    	}

    	/* Associate the socket with the security tag
    	 * we have provisioned the certificate with.
    	 */
    	err = setsockopt(fd, SOL_TLS, TLS_SEC_TAG_LIST, tls_sec_tag,
    			 sizeof(tls_sec_tag));
    	if (err) {
    		printk("Failed to setup TLS sec tag, err %d\n", errno);
    		return err;
    	}

    	/* Set the server hostname: this is what goes into the SNI extension
    	 * of the ClientHello (and is matched against the certificate when
    	 * verification is enabled).
    	 */
    	err = setsockopt(fd, SOL_TLS, TLS_HOSTNAME, hostname, strlen(hostname));
    	if (err) {
    		printk("Failed to setup TLS hostname, err %d\n", errno);
    		return err;
    	}

    	return 0;
    }

    And the configuration:

    We will try to capture the modem trace soon, but in the meantime, do you know how to enable log/debug output for the TLS connection?

    Regards

    V. Nguyen

  • Viet Nguyen said:
    Here is my modified "tls_setup" function from the https_client example, which sets the hostname.

    That looks correct. The modem trace will show us if SNI is actually used.


    Viet Nguyen said:
    And the configuration:

    I assume you aren't running the TLS stack on the application core?

    In that case, those options don't actually have any effect.


    Viet Nguyen said:
    We will try to capture the modem trace soon, but in the meantime, do you know how to enable log/debug output for the TLS connection?

    As the TLS stack is running on the modem, the way to get log from the TLS stack is to take a modem trace.
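Since the modem trace is where SNI use is confirmed, it helps to know what to look for in the decoded ClientHello. The following is an added example (not from this thread or the NCS sources) that encodes the TLS server_name extension (RFC 6066) for a hostname and extracts the hostname back from a ClientHello extensions block; the hostname used in the test is the one from the thread, and the byte layout is what a trace decoder should show.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Encode a TLS server_name extension (RFC 6066 section 3) for one host name.
 * Layout: type(2)=0x0000, ext_len(2), list_len(2), name_type(1)=0 (host_name),
 * name_len(2), host bytes. Returns bytes written, or 0 on bad input. */
size_t sni_encode(const char *host, uint8_t *out, size_t cap)
{
    size_t hlen = strlen(host);
    size_t total = 9 + hlen;
    if (hlen == 0 || hlen > 253 || cap < total) return 0;
    uint8_t *p = out;
    *p++ = 0x00; *p++ = 0x00;                                       /* extension_type */
    *p++ = (uint8_t)((hlen + 5) >> 8); *p++ = (uint8_t)(hlen + 5);  /* extension_data len */
    *p++ = (uint8_t)((hlen + 3) >> 8); *p++ = (uint8_t)(hlen + 3);  /* ServerNameList len */
    *p++ = 0x00;                                                    /* name_type host_name */
    *p++ = (uint8_t)(hlen >> 8); *p++ = (uint8_t)hlen;              /* HostName len */
    memcpy(p, host, hlen);
    return total;
}

/* Walk a ClientHello extensions block (what a decoded modem trace shows) and
 * copy the SNI host name out if a server_name extension is present.
 * Returns 1 when found, 0 when absent or malformed. */
int sni_find(const uint8_t *ext, size_t len, char *host, size_t hcap)
{
    for (size_t i = 0; i + 4 <= len; ) {
        uint16_t type = (uint16_t)(ext[i] << 8 | ext[i + 1]);
        uint16_t elen = (uint16_t)(ext[i + 2] << 8 | ext[i + 3]);
        i += 4;
        if (i + elen > len) return 0;           /* truncated extension */
        if (type == 0x0000) {
            const uint8_t *d = ext + i;
            if (elen < 5 || d[2] != 0x00) return 0;
            size_t nlen = (size_t)(d[3] << 8 | d[4]);
            if (5 + nlen > elen || nlen + 1 > hcap) return 0;
            memcpy(host, d + 5, nlen);
            host[nlen] = '\0';
            return 1;
        }
        i += elen;                              /* skip unrelated extension */
    }
    return 0;
}
```

A ClientHello whose extensions block yields 0 from sni_find is one the modem sent without SNI, which is what a CloudFront distribution using a custom certificate with the SNI option will reject.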
