nRF9160: TLS ciphersuites
The Transport Layer Security (TLS) ciphersuites sample demonstrates a minimal implementation of a client application that attempts to connect to a host by trying different TLS ciphersuites. This sample shows the ciphersuites and lists them as supported or not supported by the host, and provides a summary of the support.
Requirements
The sample supports the following development kit:
Hardware platforms |
PCA |
Board name |
Build target |
---|---|---|---|
PCA10090 |
|
When built for an _ns
build target, the sample is configured to compile and run as a non-secure application.
Therefore, it automatically includes Trusted Firmware-M that prepares the required peripherals and secure services to be available for the application.
Overview
The sample first initializes the Modem library and AT communications. Next, it provisions a root CA certificate to the modem using the Modem key management library. Provisioning must be done before connecting to the LTE network because the certificates can only be provisioned when the device is not connected.
The sample then iterates through a list of TLS ciphersuites, attempting connection to the host with each one of them.
The sample connects successfully to the host (www.example.com
) with the ciphersuites that are supported by the host, while unsupported ciphersuites cause a connection failure, setting errno
to 95
.
Finally, the sample provides a summary of the ciphersuites that are supported and not supported by the host, example.com
.
Obtaining a certificate
The sample connects to www.example.com
, which requires an X.509 certificate.
This certificate is provided in the samples/nrf9160/https_client/cert
folder.
To connect to other servers, you might need to provision a different certificate. See Certificates for more information.
Configuration
See Configuring your application for information about how to permanently or temporarily change the configuration.
Configuration options
Check and configure the following Kconfig options:
- CONFIG_EXTENDED_CIPHERSUITE_LIST
The sample configuration extends the ciphersuite list with extra ciphersuites that are only supported by modem firmware v1.3.x, where x is greater than or equal to 1 and modem firmware v1.2.x, where x is greater than or equal to 7.
Building and running
This sample can be found under samples/nrf9160/ciphersuites
in the nRF Connect SDK folder structure.
When built as a non-secure firmware image for the _ns
build target, the sample automatically includes the Trusted Firmware-M (TF-M).
See Building and programming an application for information about how to build and program the application and Testing and debugging an application for general information about testing and debugging in the nRF Connect SDK.
Testing
After programming the sample to your development kit, complete the following steps to test it:
Connect the kit to the computer using a USB cable. The kit is assigned a COM port (Windows) or ttyACM device (Linux), which is visible in the Device Manager.
Connect to the kit with a terminal emulator (for example, PuTTY). See How to connect with PuTTY for the required settings.
Observe that the sample starts, provisions certificates, and connects to the LTE network.
Observe that the sample iterates through a list of ciphersuites, attempting a connection to
example.com
with each one of them, showing either a successful or an unsuccessful connection.
Sample output
The sample shows the following output:
TLS ciphersuites sample started
certificate match
waiting for network.. OK
trying all ciphersuites to find which ones are supported...
trying ciphersuite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
connecting to example.com... connect() failed, err: 95, Operation not supported on socket
trying ciphersuite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
connecting to example.com... connect() failed, err: 95, Operation not supported on socket
trying ciphersuite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
connecting to example.com... connect() failed, err: 95, Operation not supported on socket
trying ciphersuite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
connecting to example.com... connect() failed, err: 95, Operation not supported on socket
trying ciphersuite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
connecting to example.com... Connected.
trying ciphersuite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
connecting to example.com... Connected.
trying ciphersuite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
connecting to example.com... Connected.
trying ciphersuite: TLS_PSK_WITH_AES_256_CBC_SHA
connecting to example.com... connect() failed, err: 95, Operation not supported on socket
trying ciphersuite: TLS_PSK_WITH_AES_128_CBC_SHA256
connecting to example.com... connect() failed, err: 95, Operation not supported on socket
trying ciphersuite: TLS_PSK_WITH_AES_128_CBC_SHA
connecting to example.com... connect() failed, err: 95, Operation not supported on socket
trying ciphersuite: TLS_PSK_WITH_AES_128_CCM_8
connecting to example.com... connect() failed, err: 95, Operation not supported on socket
trying ciphersuite: TLS_EMPTY_RENEGOTIATIONINFO_SCSV
connecting to example.com... connect() failed, err: 95, Operation not supported on socket
Ciphersuite support summary for host `example.com`:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: No
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: No
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: No
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: No
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: Yes
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: Yes
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: Yes
TLS_PSK_WITH_AES_256_CBC_SHA: No
TLS_PSK_WITH_AES_128_CBC_SHA256: No
TLS_PSK_WITH_AES_128_CBC_SHA: No
TLS_PSK_WITH_AES_128_CCM_8: No
TLS_EMPTY_RENEGOTIATIONINFO_SCSV: No
finished.
Dependencies
This sample uses the following nRF Connect SDK libraries:
It uses the following sdk-nrfxlib library:
In addition, it uses the following secure firmware component: