
changing certificate in https_client sample

I am trying the https_client sample and I can get it to work unchanged. 

But I would like to connect to a different site than www.example.com. 

As far as I can understand what I need to do is:

change "example.com" in the HTTP_HEAD to another site (I've tried "vecka.nu")

#define HTTP_HEAD                                                              \
	"HEAD / HTTP/1.1\r\n"                                                  \
	"Host: vecka.nu:443\r\n"                                            \
	"Connection: close\r\n\r\n"

change "example.com" in the getaddrinfo() call to another site (I've tried "vecka.nu")

	err = getaddrinfo("vecka.nu", NULL, &hints, &res);
	if (err) {
		printk("getaddrinfo() failed, err %d\n", errno);
		return;
	}

change the certificate used to one that works with the new site:

static const char cert[] = {
	//#include "../cert/DigiCertGlobalRootCA.pem"
	#include "../cert/vecka.cer"
};

I got the new certificate by visiting www.vecka.nu in chrome,

  • clicking the lock to the left of the address bar,
  • selecting certificate
  • going to the Details tab
  • clicking the Copy to File... button
  • selecting Base-64 encoded x.509 (.CER)
  • saving the file in the cert folder of the https_client sample
  • adding " to the beginning of each line and \n" to the end of each line in the new .cer file

"-----BEGIN CERTIFICATE-----\n"
"MIIFIzCCBAugAwIBAgISBDyCXR6TuWHUHlrrOBfKHRrQMA0GCSqGSIb3DQEBCwUA\n"
"MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\n"

...
...

"DqGgSg+/716RXuzlHZqyb8pqU0cTTq2ojWgLx1FdDyfVcXGU6jOSeQ4WG2d8KJQ1\n"
"f0FUcInSAoWkuB8oWMFepQQxAxDdfj0=\n"
"-----END CERTIFICATE-----\n"

When I do this I get this output:

*** Booting Zephyr OS build v2.6.0-rc1-ncs1  ***
HTTPS client sample started
Provisioning certificate
Waiting for network.. OK
Connecting to example.com
connect() failed, err: 111

I also followed the same procedure to download the certificate from www.example.com in chrome, and noticed that the certificate did not match the certificate that came with the sample, so I suspect that I am not using the correct certificate.

How should I obtain the certificate for different websites?
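Since the question comes down to which certificate belongs in cert[] and how to get it into the "...\n" form the sample #includes, here is an added example (my own code, not from this thread or from the nRF Connect SDK) that takes a chain dump in the layout `openssl s_client -showcerts` prints, pulls out one certificate, and renders it as C string literals. The chain text inside the block is constructed placeholder data, not a real certificate, and the function names are mine. It selects the last certificate of the dump rather than the first, because the leaf certificate (the one Chrome exports when you click the lock) is reissued frequently, so pinning it in firmware breaks at the next renewal; the CA that issued it, or the root above it from the trust store, is what the sample expects in cert[].

```c
/* Added example, not code from the DevZone thread or the nRF Connect SDK.
 * Converts an `openssl s_client -showcerts -connect host:443` dump into the
 * "line\n" string-literal lines that the https_client sample #includes into
 * its cert[] array. The chain below is CONSTRUCTED placeholder text, not a
 * real certificate; feed the real openssl output to these functions instead. */
#include <stdio.h>
#include <string.h>

#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END   "-----END CERTIFICATE-----"

/* Constructed stand-in for the openssl output: leaf first, then the CA that
 * signed it. Real dumps use the same BEGIN/END framing around base64 lines. */
static const char sample_chain[] =
    "CONNECTED(00000003)\n"
    "---\n"
    "Certificate chain\n"
    " 0 s:CN = placeholder-leaf\n"
    "   i:CN = placeholder-intermediate\n"
    "-----BEGIN CERTIFICATE-----\n"
    "LEAFBASE64LINE1\n"
    "LEAFBASE64LINE2\n"
    "-----END CERTIFICATE-----\n"
    " 1 s:CN = placeholder-intermediate\n"
    "   i:CN = placeholder-root\n"
    "-----BEGIN CERTIFICATE-----\n"
    "CABASE64LINE1\n"
    "CABASE64LINE2\n"
    "-----END CERTIFICATE-----\n"
    "---\n";

/* Number of PEM certificate blocks in the dump (0 = leaf, last = highest CA sent). */
int count_certs(const char *text)
{
	int n = 0;

	for (const char *p = strstr(text, PEM_BEGIN); p; p = strstr(p + 1, PEM_BEGIN)) {
		n++;
	}
	return n;
}

/* Copy the idx-th PEM block, BEGIN and END lines included, into out.
 * Returns the number of bytes written, or -1 if absent or out is too small. */
int extract_cert(const char *text, int idx, char *out, size_t out_len)
{
	const char *p = text;

	for (int i = 0; ; i++) {
		const char *b = strstr(p, PEM_BEGIN);
		const char *e = b ? strstr(b, PEM_END) : NULL;

		if (!b || !e) {
			return -1;
		}
		e += strlen(PEM_END);
		if (i == idx) {
			size_t n = (size_t)(e - b);

			if (n + 2 > out_len) {
				return -1;
			}
			memcpy(out, b, n);
			out[n] = '\n';
			out[n + 1] = '\0';
			return (int)(n + 1);
		}
		p = e;
	}
}

/* Render a PEM block as one C string literal per line, i.e. the manual
 * "add a quote at the start and \n" at the end" step from the question.
 * Returns the number of lines emitted, or -1 if out is too small. */
int pem_to_c_literal(const char *pem, char *out, size_t out_len)
{
	size_t used = 0;
	int lines = 0;

	for (const char *p = pem; *p; ) {
		const char *nl = strchr(p, '\n');
		size_t len = nl ? (size_t)(nl - p) : strlen(p);

		if (len && p[len - 1] == '\r') {	/* tolerate CRLF exports */
			len--;
		}
		if (len) {
			int w = snprintf(out + used, out_len - used, "\"%.*s\\n\"\n", (int)len, p);

			if (w < 0 || (size_t)w >= out_len - used) {
				return -1;
			}
			used += (size_t)w;
			lines++;
		}
		if (!nl) {
			break;
		}
		p = nl + 1;
	}
	return lines;
}

int main(void)
{
	char pem[1024], lit[2048];
	int n = count_certs(sample_chain);

	/* Take the last certificate the server sent: the issuing CA, not the leaf. */
	if (n < 1 || extract_cert(sample_chain, n - 1, pem, sizeof(pem)) < 0 ||
	    pem_to_c_literal(pem, lit, sizeof(lit)) < 0) {
		return 1;
	}
	fputs(lit, stdout);	/* paste this into the .cer file the sample #includes */
	return 0;
}
```

One caveat when using real output: servers normally send the leaf plus intermediates but not the root itself, so the last block in the dump is usually an intermediate CA. If you want the root as the trust anchor (as the shipped DigiCertGlobalRootCA.pem is), look up the issuer named on the last block's `i:` line in your OS or browser trust store and export that one instead.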

  • Hello,


    The whole certificate chain can be fetched using openssl (also from your browser as you did):

    openssl s_client -showcerts -connect vecka.nu:443 -tls1_2


    It seems that you have found a bug in this specific sample: when we added SNI support in our modem fw, we forgot to specify the TLS_HOSTNAME (SNI requirement).

    Can you try to add this in tls_setup() function and see if it starts working?

    	/* Tell the TLS layer which hostname to send as SNI and to verify the certificate against. */
    	err = setsockopt(fd, SOL_TLS, TLS_HOSTNAME, "vecka.nu", sizeof("vecka.nu"));
    	if (err) {
    		printk("Failed to set TLS hostname, err %d\n", errno);
    		return err;
    	}


    Kind regards,

    Håkon

  • Oh no, just wasted hours finding a bug in my source (based on https_client); for me, the error with my server setup (Nextcloud, others IIS-based) was ECONNRESET 104 (note: some other servers worked so far, I guess 50% affected);

    ** BUT **

    There is a corresponding issue with the download sample (path \nrf\samples\nrf9160\download)!!! A flag is now required:

    static struct download_client_cfg config = {
    #if CONFIG_SAMPLE_SECURE_SOCKET
    	.sec_tag = SEC_TAG,
    	.set_tls_hostname = true,
    #endif
    };

    This fixed the connection issue. Unfortunately for me, the next issue is with huge headers in the HTTP response, so the waste of time continues.
