
ISSUE (connect error 45) on HTTPS_Client example to amazon CloudFront using Custom SSL Certificate (socket.nouslogic.com) with SNI support

Hi,

I'm getting an error on connect to the cloud server (socket.nouslogic.com:443); the error code is 45 (EOPNOTSUPP).

Here are the details:

1. Using the https_client example on nRF Connect SDK (NCS) v1.5.0, modem FW 1.1.4, network mode NB-IoT, on an nRF9160 DK

2. Set TLS_PEER_VERIFY via the "verify" value to NONE (=0) to skip certificate verification (to rule out a wrong certificate file)

3. Host is "socket.nouslogic.com", a custom CNAME on Amazon CloudFront, configured with the SNI option.

4. The certificate is the root CA from "openssl s_client -showcerts -tls1_2 -connect socket.nouslogic.com:443". (We also tried provisioning the 3-certificate chain in 3 different security tags.)

5. In the configuration, select mbedTLS support (Zephyr built-in) to enable the SNI option. (Tried enabling all cipher suites as well.)

Result:

- Other sites work well: google.com, amazon.com, or any website without CloudFront in front of it (tested with vn.yahoo.com, vnexpress.net, mqtt.eclipseprojects.io (correct certificate)).

- Our CloudFront host (socket.nouslogic.com), "nrfcloud.com", or even the direct domain "dsmatvilvjgnu.cloudfront.net": connect fails with error 45.

Question:

- Does NCS v1.5.0 support TLS/SSL connections to Amazon CloudFront yet?

- If the answer is yes, please help solve the problem.

- If you have any example that successfully connects to our site (socket.nouslogic.com:443) or to any CloudFront site, please share the configuration file or source code.

Thanks in advance.

Best Regards.

Viet Nguyen

  • Hi,

    To me, this sounds like an SNI problem.

    5. In the configuration, select mbedTLS support (Zephyr built-in) to enable the SNI option. (Tried enabling all cipher suites as well.)

     Could you share the code where you enable SNI?

    On the nRF9160, the TLS stack normally resides in the modem, and is not affected by Kconfig options. So this probably had no effect, unless you also configured Zephyr to use the native TLS stack, and not the offloaded (to the modem) one.

    You can see how SNI is enabled here: https://github.com/nrfconnect/sdk-nrf/blob/master/subsys/net/lib/download_client/src/download_client.c#L133

    If that doesn't help, a modem trace will help us identify what is wrong. Note that in NCS v1.5.0, you must set CONFIG_NRF_MODEM_LIB_TRACE_ENABLED=y instead of CONFIG_BSD_LIBRARY_TRACE_ENABLED=y.

    Best regards,

    Didrik
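The diagnosis above turns on a single question: does the ClientHello the modem sends carry a server_name (SNI) extension? The following is an added example, not code from this thread or from Nordic's SDK: it builds a minimal TLS 1.2 ClientHello with and without an SNI extension and parses a ClientHello record to report which hostname, if any, it carries. That is the check to run on a ClientHello captured from a modem trace or a pcap. The hostname, cipher suite and random bytes are constructed test values, and the code runs entirely on a host, with no modem or network involved.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TLS_EXT_SERVER_NAME 0   /* extension type for SNI (RFC 6066) */

/* Scratch buffers shared by the demo and the checks. */
static uint8_t g_hello[512];
static char g_name[256];

static size_t put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; return 2; }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Build a minimal TLS 1.2 ClientHello record with one cipher suite and, if
 * sni is non-NULL, one server_name extension carrying it. Returns bytes
 * written, or 0 if it does not fit. Random is a fixed constructed value. */
size_t build_client_hello(uint8_t *out, size_t cap, const char *sni)
{
    size_t hn = sni ? strlen(sni) : 0;
    size_t ext_len = sni ? 2 + 2 + 2 + 1 + 2 + hn : 0;       /* type, len, list len, name type, name len, name */
    size_t body = 2 + 32 + 1 + 2 + 2 + 1 + 1 + 2 + ext_len;  /* version..compression, plus extensions length */
    size_t total = 5 + 4 + body;
    uint8_t *p = out;

    if (hn > 255 || total > cap)
        return 0;
    *p++ = 0x16; p += put16(p, 0x0303); p += put16(p, (uint16_t)(4 + body)); /* record: handshake, TLS 1.2 */
    *p++ = 0x01; *p++ = 0x00; p += put16(p, (uint16_t)body);                  /* handshake: ClientHello, 24-bit len */
    p += put16(p, 0x0303);                                                     /* client_version */
    memset(p, 0x42, 32); p += 32;                                              /* random (constructed) */
    *p++ = 0;                                                                  /* session_id: empty */
    p += put16(p, 2); p += put16(p, 0xC02F);                                   /* one suite: ECDHE-RSA-AES128-GCM-SHA256 */
    *p++ = 1; *p++ = 0;                                                        /* compression: null only */
    p += put16(p, (uint16_t)ext_len);
    if (sni) {
        p += put16(p, TLS_EXT_SERVER_NAME);
        p += put16(p, (uint16_t)(2 + 1 + 2 + hn));   /* extension_data length */
        p += put16(p, (uint16_t)(1 + 2 + hn));       /* ServerNameList length */
        *p++ = 0;                                    /* NameType host_name */
        p += put16(p, (uint16_t)hn);
        memcpy(p, sni, hn); p += hn;
    }
    return (size_t)(p - out);
}

/* Parse a ClientHello record and copy its host_name SNI entry into name.
 * Returns 1 if found, 0 if the hello has no server_name extension, and -1
 * if the record is truncated or malformed (every length is bounds-checked). */
int client_hello_sni(const uint8_t *buf, size_t len, char *name, size_t name_cap)
{
    size_t off, ext_end;

    if (len < 9 || buf[0] != 0x16 || buf[5] != 0x01)
        return -1;
    off = 9 + 2 + 32;                              /* headers, client_version, random */
    if (len < off + 1) return -1;
    off += 1 + buf[off];                           /* session_id */
    if (len < off + 2) return -1;
    off += 2 + get16(buf + off);                   /* cipher_suites */
    if (len < off + 1) return -1;
    off += 1 + buf[off];                           /* compression_methods */
    if (len < off + 2) return 0;                   /* no extensions block at all */
    ext_end = off + 2 + get16(buf + off);
    off += 2;
    if (ext_end > len) return -1;

    while (off + 4 <= ext_end) {
        uint16_t type = get16(buf + off), elen = get16(buf + off + 2);
        size_t q = off + 4, end = q + elen;
        if (end > ext_end) return -1;
        if (type == TLS_EXT_SERVER_NAME) {
            if (elen < 2) return -1;
            q += 2;                                /* skip ServerNameList length */
            while (q + 3 <= end) {
                uint8_t ntype = buf[q];
                uint16_t nlen = get16(buf + q + 1);
                q += 3;
                if (q + nlen > end) return -1;
                if (ntype == 0) {                  /* host_name entry */
                    if ((size_t)nlen + 1 > name_cap) return -1;
                    memcpy(name, buf + q, nlen);
                    name[nlen] = '\0';
                    return 1;
                }
                q += nlen;
            }
        }
        off = end;
    }
    return 0;
}

int main(void)
{
    size_t n = build_client_hello(g_hello, sizeof g_hello, "socket.nouslogic.com");
    int r = client_hello_sni(g_hello, n, g_name, sizeof g_name);
    printf("hello with SNI:    %zu bytes, result %d, server_name=%s\n", n, r, r == 1 ? g_name : "(none)");

    n = build_client_hello(g_hello, sizeof g_hello, NULL);   /* the shape of a hello that omits SNI */
    r = client_hello_sni(g_hello, n, g_name, sizeof g_name);
    printf("hello without SNI: %zu bytes, result %d\n", n, r);
    return 0;
}
```

On a real capture, feed `client_hello_sni` the bytes of the first TLS record the device sends after the TCP handshake; a result of 0 means the server cannot pick the right certificate for a name-based (CloudFront-style) endpoint, which is the failure discussed in this thread.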

  • Hi,

    Yes, I also think it is an SNI problem, but I don't know how to fix it.

    Here is my modified "tls_setup" function from the https_client example, for setting the hostname.

    /* Headers for the calls used below (NCS v1.5.0 / Zephyr include paths) */
    #include <errno.h>
    #include <string.h>
    #include <sys/printk.h>
    #include <net/socket.h>
    #include <net/tls_credentials.h>

    /* TLS_SEC_TAG is the security tag defined elsewhere in the https_client sample */

    /* Setup TLS options on a given socket */
    int tls_setup(int fd, const char *hostname)
    {
        int err;
        int verify;

        /* Security tag that we have provisioned the certificate with */
        const sec_tag_t tls_sec_tag[] = {
            TLS_SEC_TAG,
        };

        /* Set up TLS peer verification */
        enum {
            NONE = 0,
            OPTIONAL = 1,
            REQUIRED = 2,
        };

        /* NONE disables certificate validation; it is used here only to rule
         * out a certificate-file problem. REQUIRED enforces validation. */
        verify = NONE;

        err = setsockopt(fd, SOL_TLS, TLS_PEER_VERIFY, &verify, sizeof(verify));
        if (err) {
            printk("Failed to setup peer verification, err %d\n", errno);
            return err;
        }

        /* Associate the socket with the security tag
         * we have provisioned the certificate with.
         */
        err = setsockopt(fd, SOL_TLS, TLS_SEC_TAG_LIST, tls_sec_tag,
                 sizeof(tls_sec_tag));
        if (err) {
            printk("Failed to setup TLS sec tag, err %d\n", errno);
            return err;
        }

        /* Hostname for SNI (and for certificate name matching); the length
         * passed is the string length without the terminating NUL. */
        err = setsockopt(fd, SOL_TLS, TLS_HOSTNAME, hostname, strlen(hostname));
        if (err) {
            printk("Failed to setup TLS hostname, err %d\n", errno);
            return err;
        }

        return 0;
    }

    And the configuration:

    We will try to capture the modem trace soon, but in the meantime, do you know how to enable logging/debugging for the TLS connection?

    Regards

    V. Nguyen

  • Viet Nguyen said:
    Here is my modified "tls_setup" function from the https_client example, for setting the hostname.

    That looks correct. The modem trace will show us if SNI is actually used.

    Viet Nguyen said:
    And the configuration:

    I assume you aren't running the TLS stack on the application core?

    In that case, those options don't actually have any effect.

    Viet Nguyen said:
    We will try to capture the Modem Trace soon, but in the meantime, do you know how to enable log/debug for TLS connection?

    As the TLS stack is running on the modem, the way to get log from the TLS stack is to take a modem trace.

  • Didrik said:
    If that doesn't help, a modem trace will help us identify what is wrong. Note that in NCS v1.5.0, you must set CONFIG_NRF_MODEM_LIB_TRACE_ENABLED=y instead of CONFIG_BSD_LIBRARY_TRACE_ENABLED=y.

    I got an error when building the https_client example:

    2> D:/Work/Nordic/ncs/v1.5.0/nrf/lib/nrf_modem_lib/nrf_modem_lib.c:52:11: error: 'PM_NRF_MODEM_LIB_TRACE_ADDRESS' undeclared here (not in a function); did you mean 'PM_NRF_MODEM_LIB_SRAM_ADDRESS'?
    Build failed

    I searched and didn't find any information about this define; please help.

  • The error comes from CONFIG_NRF_MODEM_LIB_SHMEM_TRACE_SIZE not being set (it should be 16384).

    It should be set automatically when you set CONFIG_NRF_MODEM_LIB_TRACE_ENABLED=y, but isn't when you use the configuration tool in SES, menuconfig or guiconfig due to a quirk in how Kconfig works.

    We have a PR open to fix this here: https://github.com/nrfconnect/sdk-nrf/pull/4296

    So, to fix the error, you must either set CONFIG_NRF_MODEM_LIB_SHMEM_TRACE_SIZE manually, or you can add CONFIG_NRF_MODEM_LIB_TRACE_ENABLED=y to the prj.conf file (and re-open the project or use 'Project -> Run CMake...').

  • Thanks, it works.

    Attached are the modem trace and the LTE Link Monitor log, please check.

    trace-2021-04-13T12-04-13.026Z.bin

    2021-04-13T12:04:14.952Z DEBUG modem << *** Booting Zephyr OS build v2.4.99-ncs1  ***
    2021-04-13T12:04:14.985Z DEBUG modem << Flash regionsDomainPermissions
    2021-04-13T12:04:14.990Z DEBUG modem << 00 00 0x00000 0x08000 Securerwxl
    2021-04-13T12:04:14.991Z DEBUG modem << 01 31 0x08000 0x100000 Non-Securerwxl
    2021-04-13T12:04:14.992Z DEBUG modem << Non-secure callable region 0 placed in flash region 0 with size 32.
    2021-04-13T12:04:15.139Z DEBUG modem << SRAM regionDomainPermissions
    2021-04-13T12:04:15.156Z DEBUG modem << 00 07 0x00000 0x10000 Securerwxl
    2021-04-13T12:04:15.159Z DEBUG modem << 08 31 0x10000 0x40000 Non-Securerwxl
    2021-04-13T12:04:15.160Z DEBUG modem << PeripheralDomainStatus
    2021-04-13T12:04:15.162Z DEBUG modem << 00 NRF_P0               Non-SecureOK
    2021-04-13T12:04:15.163Z DEBUG modem << 01 NRF_CLOCK            Non-SecureOK
    2021-04-13T12:04:15.165Z DEBUG modem << 02 NRF_RTC0             Non-SecureOK
    2021-04-13T12:04:15.172Z DEBUG modem << 03 NRF_RTC1             Non-SecureOK
    2021-04-13T12:04:15.175Z DEBUG modem << 04 NRF_NVMC             Non-SecureOK
    2021-04-13T12:04:15.176Z DEBUG modem << 05 NRF_UARTE1           Non-SecureOK
    2021-04-13T12:04:15.177Z DEBUG modem << 06 NRF_UARTE2           SecureSKIP
    2021-04-13T12:04:15.180Z DEBUG modem << 07 NRF_TWIM2            Non-SecureOK
    2021-04-13T12:04:15.182Z DEBUG modem << 08 NRF_SPIM3            Non-SecureOK
    2021-04-13T12:04:15.183Z DEBUG modem << 09 NRF_TIMER0           Non-SecureOK
    2021-04-13T12:04:15.191Z DEBUG modem << 10 NRF_TIMER1           Non-SecureOK
    2021-04-13T12:04:15.193Z DEBUG modem << 11 NRF_TIMER2           Non-SecureOK
    2021-04-13T12:04:15.194Z DEBUG modem << 12 NRF_SAADC            Non-SecureOK
    2021-04-13T12:04:15.196Z DEBUG modem << 13 NRF_PWM0             Non-SecureOK
    2021-04-13T12:04:15.204Z DEBUG modem << 14 NRF_PWM1             Non-SecureOK
    2021-04-13T12:04:15.206Z DEBUG modem << 15 NRF_PWM2             Non-SecureOK
    2021-04-13T12:04:15.208Z DEBUG modem << 16 NRF_PWM3             Non-SecureOK
    2021-04-13T12:04:15.210Z DEBUG modem << 17 NRF_WDT              Non-SecureOK
    2021-04-13T12:04:15.211Z DEBUG modem << 18 NRF_IPC              Non-SecureOK
    2021-04-13T12:04:15.213Z DEBUG modem << 19 NRF_VMC              Non-SecureOK
    2021-04-13T12:04:15.222Z DEBUG modem << 20 NRF_FPU              Non-SecureOK
    2021-04-13T12:04:15.224Z DEBUG modem << 21 NRF_EGU1             Non-SecureOK
    2021-04-13T12:04:15.226Z DEBUG modem << 22 NRF_EGU2             Non-SecureOK
    2021-04-13T12:04:15.229Z DEBUG modem << 23 NRF_DPPIC            Non-SecureOK
    2021-04-13T12:04:15.236Z DEBUG modem << 24 NRF_REGULATORS       Non-SecureOK
    2021-04-13T12:04:15.240Z DEBUG modem << 25 NRF_GPIOTE1          Non-SecureOK
    2021-04-13T12:04:15.241Z DEBUG modem << SPM: NS image at 0xc000
    2021-04-13T12:04:15.242Z DEBUG modem << SPM: NS MSP at 0x2001d9d8
    2021-04-13T12:04:15.244Z DEBUG modem << SPM: NS reset vector at 0xed79
    2021-04-13T12:04:15.246Z DEBUG modem << SPM: prepare to jump to Non-Secure image.
    2021-04-13T12:04:15.255Z DEBUG modem << *** Booting Zephyr OS build v2.4.99-ncs1  ***
    2021-04-13T12:04:15.258Z DEBUG modem << HTTPS client sample started
    2021-04-13T12:04:15.541Z DEBUG modem << Provisioning certificate
    2021-04-13T12:04:41.296Z DEBUG modem << Waiting for network.. OK
    2021-04-13T12:04:42.228Z DEBUG modem << Connecting to socket.nouslogic.com
    2021-04-13T12:04:42.977Z DEBUG modem << connect() failed, err: 45

    Regards

    V Nguyen

  • The trace shows that you are not using SNI.

    SNI support was added to the modem FW in version 1.2.1, and it doesn't seem like it was backported to the 1.1.x branch.

    Is it possible for you to update to the 1.2.x branch?

  • Great, You make my day!

    After updating the modem FW to v1.2.3 (latest), it's now able to connect to our cloud "socket.nouslogic.com" successfully.

    (I thought mfw 1.1.3/1.1.4 was backported from 1.2.x, as Michael Sly mentioned last August.)

    BTW, does Nordic have a plan to backport everything from mfw 1.2.x to 1.1.x? We have many devices at customers that are running mfw 1.1.2/1.1.3, and they cannot be OTA-updated to 1.2.x due to limitations of modem updating.

    Again, thanks a lot.

    V. Nguyen

  • Viet Nguyen said:

    Great, You make my day!

    After updating the modem FW to v1.2.3 (latest), it's now able to connect to our cloud "socket.nouslogic.com" successfully.

    That's great to hear! Happy to help.

    Viet Nguyen said:
    BTW, does Nordic have a plan to backport everything from mfw 1.2.x to 1.1.x? We have many devices at customers that are running mfw 1.1.2/1.1.3, and they cannot be OTA-updated to 1.2.x due to limitations of modem updating.

    Roadmap-related questions should in general be directed to your RSM. But no, it is not possible to backport all the features from the 1.2.x branch to the 1.1.x branch.
