This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

changing certificate in https_client sample

I am trying the https_client sample and I can get it to work unchanged. 

But I would like to connect to a different site than www.example.com. 

As far as I can understand what I need to do is:

change "example.com" in the HTTP_HEAD to another site (i've tried "vecka.nu")

#define HTTP_HEAD                                                              \
	"HEAD / HTTP/1.1\r\n"                                                  \
	"Host: vecka.nu:443\r\n"                                            \
	"Connection: close\r\n\r\n"

change "example.com" in the gettaddrinfo() call to another site (i've tried "vecka.nu"

	err = getaddrinfo("vecka.nu", NULL, &hints, &res);
	if (err) {
		printk("getaddrinfo() failed, err %d\n", errno);
		return;
	}

change the certificate used to one that works with the new site:

static const char cert[] = {
	//#include "../cert/DigiCertGlobalRootCA.pem"
	#include "../cert/vecka.cer"
};

I got the new certificate by visiting www.vecka.nu in chrome,

  • clicking the lock to the left of the address bar,
  • selecting certificate
  • going to the Details tab
  • clicking the Copy to File... button
  • selecting Base-64 encoded x.509 (.CER)
  • saving the file in the cert folder of the https_client sample
  • adding " to the beginning of each line and \n" to the end of each line in the new .cer file

"-----BEGIN CERTIFICATE-----\n"
"MIIFIzCCBAugAwIBAgISBDyCXR6TuWHUHlrrOBfKHRrQMA0GCSqGSIb3DQEBCwUA\n"
"MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\n"

...
...

"DqGgSg+/716RXuzlHZqyb8pqU0cTTq2ojWgLx1FdDyfVcXGU6jOSeQ4WG2d8KJQ1\n"
"f0FUcInSAoWkuB8oWMFepQQxAxDdfj0=\n"
"-----END CERTIFICATE-----\n"

When I do this I get this output:

*** Booting Zephyr OS build v2.6.0-rc1-ncs1  ***
HTTPS client sample started
Provisioning certificate
Waiting for network.. OK
Connecting to example.com
connect() failed, err: 111

I also followed the same procedure to download the certificate from www.example.com in chrome, and noticed that the certificate did not match the certificate that came with the sample, so I suspect that I am not using the correct certificate.

How should I obtain the certificate for different websites?

Parents
  • Hello,

     

    The whole certificate chain can be fetched using openssl (also from your browser as you did):

    openssl s_client -showcerts -connect vecka.nu:443 -tls1_2

     

    It seems that you have found a bug in this specific sample, when we added SNI support in our modem fw, we forgot to specify the TLS_HOSTNAME (SNI requirement).

    Can you try to add this in tls_setup() function and see if it starts working?

    	err = setsockopt(fd, SOL_TLS, TLS_HOSTNAME, "vecka.nu", sizeof("vecka.nu"));
    	if (err) {
    		printk("Failed to setup TLS sec tag, err %d\n", errno);
    		return err;
    	}

     

    Kind regards,

    Håkon

  • Oh no, just wasted hours in finding a bug in my source (based on https_client); for me, the error with my server (nextcloud , others IIS based) setup was ECONNRESET 104   (note, some other servers worked so far, I guess 50% affected);

    ** BUT **

    There is a corresponding  issue with the download sample  ( path  \nrf\samples\nrf9160\download  )!!! there is a flag now required:

    static struct download_client_cfg config = {
    #if CONFIG_SAMPLE_SECURE_SOCKET
    .sec_tag = SEC_TAG,
    .set_tls_hostname = true,

    This fixed the connection issue. unfortunately for me, the next issue is with huge headers in the http response, so the waste of time continues.

  •  FYI with the huge headers, it seems like

     CONFIG_DOWNLOAD_CLIENT_HTTP_FRAG_SIZE_1024=y

    helped with some of my servers, but not yet with my preferred server (nextcloud,nginx), it just sends too much garbage headers, plus uses alias download URLs, not the real filename (which can only be found in the respons  by a Content-Disposition header). 

Reply Children
No Data
Related