nRF9160 Failed to connect IPv6 TLS socket (errno=45)

I am trying to set up a secure connection using an IPv6 TLS socket on my nRF9160 device, but it fails with errno=45.

To set up the socket I perform these steps (stripped of logs and such for clarity):

#include <string.h>
#include <net/socket.h>
#include <net/tls_credentials.h>

// CA_CERTIFICATE_TAG, ca_cert and cert_buf are defined elsewhere in the application
static struct addrinfo hints =
{
    .ai_family = AF_INET6,
    .ai_socktype = SOCK_STREAM,
};
static struct addrinfo *res;
static sec_tag_t sec_tag_opt[] = { CA_CERTIFICATE_TAG };
static int verify;
static int sock;

static int setup_tls_socket(void)
{
    size_t cert_len = sizeof(cert_buf);

    // get the server address
    getaddrinfo("host.name", NULL, &hints, &res);

    // add tls credentials
    tls_credential_add(CA_CERTIFICATE_TAG, TLS_CREDENTIAL_CA_CERTIFICATE, ca_cert, strlen(ca_cert));

    // check that tls credentials are stored (credlen is an in/out pointer, not a plain size)
    tls_credential_get(CA_CERTIFICATE_TAG, TLS_CREDENTIAL_CA_CERTIFICATE, cert_buf, &cert_len);

    // configure the port (443); the address is IPv6, so cast to sockaddr_in6, not sockaddr_in
    ((struct sockaddr_in6 *)res->ai_addr)->sin6_port = htons(443);

    // set tls socket options
    sock = socket(AF_INET6, SOCK_STREAM, IPPROTO_TLS_1_2);
    // pass the size of the tag list itself, not sizeof(sizeof(sec_tag_opt))
    setsockopt(sock, SOL_TLS, TLS_SEC_TAG_LIST, sec_tag_opt, sizeof(sec_tag_opt));
    verify = TLS_PEER_VERIFY_REQUIRED;
    setsockopt(sock, SOL_TLS, TLS_PEER_VERIFY, &verify, sizeof(verify));
    setsockopt(sock, SOL_TLS, TLS_HOSTNAME, "host.name", strlen("host.name"));

    // connect to the server
    connect(sock, res->ai_addr, sizeof(struct sockaddr_in6));

    return sock;
}

I have captured a trace of what happens at the modem. I do see the modem receiving the address of the server that I am trying to reach, some back and forth messaging is going on but a connection is not established. I do not see any TLS related messages either, nor do I see any AT messages indicating that the certificate information is sent to the modem at all.

Other than that I don't really know what to make of these logs. Maybe someone here can be of help.

  • Hi,

    Q1: Where do you get the errno returned? You don't seem to check any return codes or errno values in your code snippet.

    Q2: What is the CA root that you're using? It should be ISRG Root X1 for the hostname in your Wireshark trace.

    Kind regards

    Håkon

  • Hi Hakon,

    A1: I left out the error checking and logging stuff to make the code snippet less cluttered. The errno 45 is set by the call to connect(). The socket creation and setsockopt functions all return without errors.

    A2: I was actually feeding the modem the certificate that I found for the server itself. I was not aware that I needed the root certificate. I have replaced the certificate with the root certificate you mention (which I found at https://letsencrypt.org/certs/isrgrootx1.pem), but it makes no difference to what happens in the trace and the errno that the connect function sets.

    How do you find which CA root is needed for which host? I'd like to try connecting to a different server. Never mind - I found out that my antivirus replaced the certificate issuer with its own name.

    What I find strange is that there seems to be no TLS messaging at all. At the very least I would expect to see a "client hello" message sent to the host I'm trying to reach. How can I verify that my modem is actually set up to do TLS?

    Best regards,

    Luc

  • Hi Luc,

    luc_eac said:
    What I find strange is that there seems to be no TLS messaging at all. At the very least I would expect to see a "client hello" message sent to the host I'm trying to reach. How can I verify that my modem is actually set up to do TLS?

    Verification of the process is done as you're doing now: taking a modem trace and looking at the IP data in Wireshark. I cannot verify the content, as you've only shared a picture.

    Could you try with the https_client sample to see how that runs at your end?

    Since you're using tls_credential_add() - does this mean that you're running mbedtls in the application space? Normally you issue certificates like this:

    https://github.com/nrfconnect/sdk-nrf/blob/main/samples/nrf9160/https_client/src/main.c#L43-L88

    luc_eac said:
    Never mind - I found out that my antivirus replaced the certificate issuer with its own name.

    This is how you check the CA root of a domain, using openssl:

    https://stackoverflow.com/questions/7885785/using-openssl-to-get-the-certificate-from-a-server

    Kind regards,

    Håkon 
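As an added example (not part of the thread, not Nordic's code), this shell script reproduces the A2 mistake offline and illustrates Håkon's openssl pointer: it builds a constructed two-level chain (a throwaway "Test Root CA" signing a leaf for host.name) in a temporary directory, then runs the same certificate-path check a TLS client performs at connect(), once with the root as trust anchor and once with the server's own certificate as the "CA". The CA name, the host name and the $WORK directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): why the CA *root* must be the trust anchor.
# Builds a constructed two-level chain (Test Root CA -> leaf for host.name) locally,
# so it needs no network, and checks it the way a TLS client does at connect().
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a throwaway self-signed root CA and a leaf certificate signed by it.
make_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
        -out "$WORK/root.pem" -days 2 -subj "/CN=Test Root CA" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
        -out "$WORK/leaf.csr" -subj "/CN=host.name" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -out "$WORK/leaf.pem" -days 1 2>/dev/null
}

# verify_with TRUSTFILE: returns 0 if leaf.pem chains to a trust anchor in TRUSTFILE.
verify_with() {
    openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Correct provisioning: the root CA is what gets loaded under the sec_tag.
check_root_trusted() { verify_with "$WORK/root.pem"; }

# The A2 mistake: the server's own (leaf) certificate loaded as the "CA".
check_leaf_trusted() { verify_with "$WORK/leaf.pem"; }

# The issuer field of the leaf names the CA you actually need to provision.
leaf_issuer() { openssl x509 -in "$WORK/leaf.pem" -noout -issuer; }

# For a real host the chain comes from the server itself (needs network; this is
# the command from the Stack Overflow answer linked above):
#   openssl s_client -connect host.name:443 -showcerts </dev/null

make_chain
echo "leaf issuer: $(leaf_issuer)"
if check_root_trusted; then echo "root CA as trust anchor: verify OK"; fi
if check_leaf_trusted; then echo "leaf as trust anchor: verify OK"
else echo "leaf as trust anchor: verify FAILS (no path to a root)"; fi
```

An intercepting antivirus or proxy shows up here as an unexpected issuer on the leaf, which is exactly the symptom described in the thread.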
