
HTTPS client connect fails with Error 45 with 1nce sim card in France

Hi,

I used a 3HK SIM card on NB-IoT in Hong Kong, and I could run GET and POST instructions to any cloud with the right certificate.

Recently, I moved to France and switched to the 1nce MVNO, and now the connection fails with error 45. The certificate hasn't changed.

We also tried to connect to Google, using the Google certificate. That also fails. TLS socket setup with the TLS_HOSTNAME option set to host google.com didn't help either.

ncs 1.5.1
modem fw 1.2.3


Attached are the build files and the modem trace.

Could you help on this urgent matter, please?

Saketaram

https_client.7z

  • Hi!

    I apologize for the delayed response. The person that your case was originally assigned to left for vacation this week, so it has been assigned to me.

    The trace you provided in your ticket is unfortunately empty. Please try to take one again, and make sure that the number indicating the size of the trace in the Trace Collector application is increasing as the application is running.

  • Hi Heidi,

    Here is the new trace. Let us know your comments and advice.

    trace-2021-08-04T19-22-43.580Z.bin

    Saketaram

  • Hi!

    I see from the logs, you're using the certificate in HTTPS Client to connect to google.com. 

    It looks to be a known issue that google.com doesn't work (see here). My colleague was also not able to connect to google.com when testing with this certificate just now.

    Could you please provide a modem trace when trying to connect to example.com, so we can check if it's failing for some other reason?

    Best regards,

    Heidi

  • Works fine with example.com and its related certificate.

    Log:

    HTTPS client sample started
    Provisioning certificate
    Modem certificate size :1338
    Modem certificate :
    [PEM certificate body omitted]

    Waiting for network.. OK
    Connecting to example.com
    Sent 65 bytes
    Received 347 bytes

    > HTTP/1.1 200 OK

    Finished, closing socket.

    What is the fix to connect to our cloud using its certificate?

  • Hi!

    If it's your own cloud service, then you need to use a root CA that it will accept. 

    If you provide the host name and port, I can look into this.

  • In the log you provided, the TLS handshake is performed, but the connection is closed right after the handshake. The modem log doesn't reveal the exact cause, but an invalid or incorrect certificate may be the reason for failure in this case as well.

  • Hi Heidi,
    The modem_key_mgmt_cmp() used in the firmware returns 0 even though the certificate associated with the TAG doesn't exist in the modem, which prevents the fw logic from writing the certificate onto the modem and using it.

  • Do you mean modem_key_mgmt_exists() like on line 70?

    This function returns 0 if the check itself succeeds. The function parameter exists then tells you whether the credential is present in persistent storage.

    If you meant modem_key_mgmt_cmp(), please provide a code snippet to show how you are calling it. 

  • Hi Heidi, 

    Here is the code snippet:

    #include <zephyr.h>
    #include <sys/printk.h>
    #include <modem/modem_key_mgmt.h>

    /* TLS_SEC_TAG (the modem security tag) and sta_cert (the PEM CA
     * certificate string) are defined elsewhere in the application. */
    static int modem_cert_provision(void)
    {
    	int err;
    	bool exists;
    	uint8_t unused;

    	/* Ask the modem whether a CA chain is stored under our security tag */
    	err = modem_key_mgmt_exists(TLS_SEC_TAG, MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN, &exists, &unused);
    	if (err)
    	{
    		printk("Failed to check for certificates. Error : %d\r\n", err);
    		return err;
    	}

    	if (exists)
    	{
    		printk("Certificate ");
    		/* Let's compare the existing credential: 0 means match, non-zero mismatch or error */
    		err = modem_key_mgmt_cmp(TLS_SEC_TAG, MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN, sta_cert, sizeof(sta_cert) - 1);
    		printk("%s\r\n", err ? "mismatch" : "match");
    		if (!err)
    		{
    			return 0;
    		}
    	}

    	/* Provision certificate to the modem */
    	err = modem_key_mgmt_write(TLS_SEC_TAG, MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN, sta_cert, sizeof(sta_cert) - 1);
    	if (err)
    	{
    		printk("Failed to provision certificate. Error : %d\r\n", err);
    		return err;
    	}

    	return 0;
    }

  • Hi Heidi,

    I am wondering:

    1/ How do the modem_key_mgmt_exists and modem_key_mgmt_cmp APIs perform?

    2/ Why does the https_client sample delete and write the certificate again?
    What is the point of doing this on every reboot? Root certificates do not change often. That's a waste of resources.

    3/ What does this comment mean? Does this log show a way out of this issue?
    /* For the sake of simplicity we delete what is provisioned
    * with our security tag and reprovision our certificate.
    */

  • Hi again, 

    I'm not able to connect to example.com with the certificate located in the application you provided either. However, when using the certificate located in https_client NCS v1.5.1 called "DigiCertGlobalRootCA.pem", I am able to connect, so could you try that?

    To debug the modem_key_mgmt_cmp issue, please add the following code snippet after line 19 (printk mismatch, match) and show me the output. I'm not able to reproduce it; the function fails when the certificate doesn't exist in the modem.

    /* Requires #include <modem/at_cmd.h>. MODEM_KEY_MGMT_OP_LS is the
     * credential-listing AT command used inside modem_key_mgmt.c; define it
     * locally with the same value if it is not visible from your file. */
    enum at_cmd_state state = AT_CMD_OK;
    char at_response[CONFIG_AT_CMD_RESPONSE_MAX_LEN] = {0};
    int at_err;

    at_err = at_cmd_write(MODEM_KEY_MGMT_OP_LS, at_response, sizeof(at_response), &state);
    if (at_err) {
    	printk("at_cmd_write failed: %d\n", at_err);
    }
    printk("Result from %s is %s\n", MODEM_KEY_MGMT_OP_LS, at_response);
    if (state != AT_CMD_OK) {
    	printk("Error from at_cmd_write: %d\n", state);
    }

    1) How do the modem_key_mgmt_exists and modem_key_mgmt_cmp API perform?

    You can take a look at the implementation in modem_key_mgmt.c

    Regarding questions 2 and 3, I can ask the developer why they chose to implement it like this. But, yes, if you just make sure to provision the certificate every time, it might help the issue. However, try with the correct certificate first.

    Best regards,

    Heidi
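The exists/cmp/write decision from the posted modem_cert_provision() snippet and question 1 above, as an added host-side example (not code from this thread or from NCS): a constructed in-memory stand-in replaces the modem credential store and mirrors the NCS return conventions (exists() reports success and sets a flag; cmp() returns 0 for match, 1 for mismatch, negative errno on error), so that only an exact match skips reprovisioning. The sample certificate strings and the -ENOENT choice for an empty store are assumptions of the stand-in.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed in-memory stand-in for the modem credential store (not the NCS
 * API). Return conventions mirror NCS: exists() -> 0 on success and sets the
 * flag; cmp() -> 0 match, 1 mismatch, negative errno; write() -> 0 or -errno. */
#define STORE_MAX 2048
struct cred_store {
    bool stored;
    size_t len;
    uint8_t data[STORE_MAX];
};
/* Constructed sample inputs standing in for sta_cert; any two PEM strings do. */
static const char SAMPLE_CERT_A[] = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n";
static const char SAMPLE_CERT_B[] = "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n";
static struct cred_store g_store;  /* starts empty, like a freshly erased tag */

static int fake_exists(const struct cred_store *s, bool *exists)
{
    *exists = s->stored;
    return 0;
}

static int fake_cmp(const struct cred_store *s, const void *buf, size_t len)
{
    if (!s->stored) return -ENOENT; /* stand-in choice when nothing is stored */
    return (s->len == len && memcmp(s->data, buf, len) == 0) ? 0 : 1;
}

static int fake_write(struct cred_store *s, const void *buf, size_t len)
{
    if (len > STORE_MAX) return -ENOMEM;
    memcpy(s->data, buf, len);
    s->len = len;
    s->stored = true;
    return 0;
}

/* Returns 1 if the credential was (re)written, 0 if the stored copy already
 * matched, negative errno on failure. Only cmp() == 0 skips the write; a
 * mismatch or a cmp() error both reprovision, so nothing stale is kept. */
static int provision_if_needed(struct cred_store *s, const char *cert, size_t len)
{
    bool exists;
    int err = fake_exists(s, &exists);
    if (err) return err;
    if (exists && fake_cmp(s, cert, len) == 0) return 0;
    err = fake_write(s, cert, len);
    return err ? err : 1;
}
```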
