HTTPS Client
The HTTPS Client sample demonstrates a minimal implementation of HTTP communication. It shows how to set up a TLS session towards an HTTPS server and how to send an HTTP request.
Cellular connectivity is supported on the nRF91 Series SiPs, while Wi-Fi® connectivity is supported on the nRF52 or nRF53 Series SoCs hosting the nRF70 Series Wi-Fi companion ICs.
The sample uses the connection manager that provides a common connectivity API for LTE and Wi-Fi stacks.
Requirements
The sample supports the following development kits:
Hardware platforms |
PCA |
Board name |
Board target |
---|---|---|---|
PCA10153 |
|
||
PCA10090 |
|
||
PCA10171 |
|
||
PCA10143 |
|
||
Native Simulator |
native_sim |
|
When built for a board target with the */ns
variant, the sample is configured to compile and run as a non-secure application with Cortex-M Security Extensions enabled.
Therefore, it automatically includes Trusted Firmware-M that prepares the required peripherals and secure services to be available for the application.
Overview
The sample first initializes the Modem library and AT communications. Next, it provisions a root CA certificate to the modem using the Modem key management library. When using an nRF91 Series device, the provisioning must be done before connecting to the LTE network, because the certificates can only be provisioned when the device is not connected.
The sample then establishes a connection to the network, sets up the necessary TLS socket options, and connects to an HTTPS server. It sends an HTTP HEAD request and prints the response code in the terminal.
Obtaining a certificate
The sample connects to www.example.com
, which requires an X.509 certificate.
This certificate is provided in the samples/net/https_client/cert
folder.
The certificate is automatically converted to a HEX format in the CMakeLists.txt
file.
The generated .inc
file is then included in the code, where it is provisioned to the modem.
To connect to other servers, you might need to provision a different certificate. See Certificates for more information.
Using Mbed TLS and TF-M on nRF91 Series DKs
This sample supports using Mbed TLS and Trusted Firmware-M (TF-M). Instead of offloading the TLS sockets into the modem, you can use the Mbed TLS library from Zephyr. Using the Zephyr Mbed TLS, you can still use the offloaded sockets. Mbed TLS offers more configuration options than using the offloaded TLS handling.
When using TF-M and Mbed TLS with PSA crypto, all the crypto operations are run on the secure side on the device.
Configuration
Configuring Wi-Fi access point credentials
This sample uses the Wi-Fi credentials library to manage Wi-Fi credentials. Before the sample can connect to a Wi-Fi network, you must configure at least one credential set.
Once you have flashed your device with this sample, connect to your device’s UART interface and add credentials using the following command:
wifi_cred add NetworkSSID SecurityMode (OPEN, WPA2-PSK, WPA2-PSK-SHA256, WPA3-SAE) NetworkPassword
Where NetworkSSID is replaced with the SSID of the Wi-Fi access point you want your device to connect to, and NetworkPassword is its password.
If you are not sure which security mode to use, enable the CONFIG_NET_L2_WIFI_SHELL
Kconfig option and use the wifi scan
command to display a list of all accessible networks along with their corresponding security modes.
Then either reboot the device or use the wifi_cred auto_connect
command to manually trigger a connection attempt.
From now on, these credentials will be automatically used when the configured network is reachable.
When building as firmware image for a non-secure board target, the Wi-Fi credentials backend will be set to PSA using TF-M.
See the Wi-Fi: Shell sample document for more details on the wifi_cred
command.
Wi-Fi static credential options
If you want to configure the credentials statically, set the CONFIG_WIFI_CREDENTIALS_STATIC
Kconfig option to y
.
Important
Do not use static credentials in production environments.
Other options for statically configuring your Wi-Fi credentials:
CONFIG_WIFI_CREDENTIALS_STATIC
- This option enables static Wi-Fi configuration.CONFIG_WIFI_CREDENTIALS_STATIC_SSID
- Wi-Fi SSID.CONFIG_WIFI_CREDENTIALS_STATIC_PASSWORD
- Wi-Fi password.CONFIG_WIFI_CREDENTIALS_STATIC_TYPE_OPEN
- Wi-Fi network uses no password.CONFIG_WIFI_CREDENTIALS_STATIC_TYPE_PSK
- Wi-Fi network uses a password and PSK security (default).CONFIG_WIFI_CREDENTIALS_STATIC_TYPE_PSK_SHA256
- Wi-Fi network uses a password and PSK-256 security.CONFIG_WIFI_CREDENTIALS_STATIC_TYPE_SAE
- Wi-Fi network uses a password and SAE security.
Sending traces over UART on an nRF91 Series DK
To send modem traces over UART on an nRF91 Series DK, configuration must be added for the UART device in the devicetree and Kconfig. This is done by adding the modem trace UART snippet when building and programming.
Use the Cellular Monitor app for capturing and analyzing modem traces.
TF-M logging must use the same UART as the application. For more details, see shared TF-M logging.
Building and running
This sample can be found under samples/net/https_client
in the nRF Connect SDK folder structure.
When built as firmware image for a board target with the */ns
variant, the sample has Cortex-M Security Extensions (CMSE) enabled and separates the firmware between Non-Secure Processing Environment (NSPE) and Secure Processing Environment (SPE).
Because of this, it automatically includes the Trusted Firmware-M (TF-M).
To read more about CMSE, see Processing environments.
To build the sample, follow the instructions in Configuring and building an application for your preferred building environment. See also Programming an application for programming steps and Testing and optimization for general information about testing and debugging in the nRF Connect SDK.
Note
When building repository applications in the SDK repositories, building with sysbuild is enabled by default.
If you work with out-of-tree freestanding applications, you need to manually pass the --sysbuild
parameter to every build command or configure west to always use it.
To build the sample with Mbed TLS and TF-M for the nRF91 Series DKs, add the following to your west build command:
-DEXTRA_CONF_FILE=overlay-tfm-nrf91.conf
The default packet data network (PDN) configuration is dual stack, which will use an IPv6 address if available (and IPv4 if not).
On the nRF91 Series DKs, for testing IPv4 only, you might need to configure the packet data network settings, adding the following to your build command:
-DEXTRA_CONF_FILE=overlay-pdn-nrf91-ipv4.conf
Testing
After programming the sample to your development kit, test it by performing the following steps:
Connect the kit to the computer using a USB cable. The kit is assigned a COM port (Windows) or ttyACM device (Linux), which is visible in the Device Manager.
Power on or reset the kit.
Connect to the kit with a terminal emulator (for example, nRF Connect Serial Terminal). See Testing and optimization for the required settings and steps.
Observe that the sample starts, provisions certificates, connects to the network and to example.com, and then sends an HTTP HEAD request.
Observe that the HTTP HEAD request returns
HTTP/1.1 200 OK
.
Sample output
Output for the default configuration (dual stack, IPV4V6) where the carrier does not support IPv6:
HTTPS client sample started
Certificate match
Waiting for network.. PDP context 0 activated
OK
Waiting for IPv6..
IPv6 not available
Looking up example.com
Resolved 93.184.216.34 (AF_INET)
Connecting to example.com:443
Sent 61 bytes
Received 370 bytes
> HTTP/1.1 200 OK
Finished, closing socket.
PDP context 0 deactivated
Output for the default configuration, where the carrier does support IPv6:
HTTPS client sample started
Bringing network interface up
Provisioning certificate
Certificate match
Connecting to the network
Looking up example.com
Resolved 2606:2800:220:1:248:1893:25c8:1946 (AF_INET6)
Connecting to example.com:443
Sent 61 bytes
Received 370 bytes
> HTTP/1.1 200 OK
Finished, closing socket.
PDP context 0 deactivated
Output where you override the default packet data network (PDN) configuration to IPv4 only, using the overlay-pdn-nrf91-ipv4.conf
overlay:
HTTPS client sample started
Bringing network interface up
Provisioning certificate
Looking up example.com
Resolved 93.184.216.34 (AF_INET)
Connecting to example.com:443
Sent 61 bytes
Received 370 bytes
> HTTP/1.1 200 OK
Finished, closing socket.
Dependencies
This sample uses the following nRF Connect SDK libraries:
It uses the following sdk-nrfxlib library:
In addition, it uses the following secure firmware component:
This sample also offers a possibility to use the TF-M module that is at modules/tee/tfm/
in the nRF Connect SDK folder structure.