TLS/DTLS configuration
The IP stack in the nRF91 Series modem firmware has TLS and DTLS support.
TLS traffic decryption
Starting from modem firmware v2.0.0, Transport Layer Security (TLS) traffic can be decrypted with Nordic tools if the TLS session is created using certificates stored to security tags ranging between the values specified in NRF_SEC_TAG_TLS_DECRYPT_0
and NRF_SEC_TAG_TLS_DECRYPT_19
.
Important
These security tags must be used only for test and development purposes.
Testing TLS traffic decryption
Before you start testing TLS traffic decryption, make sure that the following prerequisites are satisfied:
The device runs an application that supports TLS. The TLS session is created using certificates stored to tags ranging between the values specified in
NRF_SEC_TAG_TLS_DECRYPT_0
andNRF_SEC_TAG_TLS_DECRYPT_19
.The device has modem traces enabled. For information on modem traces and how to enable them, see the Modem traces documentation.
Modem firmware v2.0.0 or higher is programmed on your device. For information on how to find the modem firmware version, see the Revision Identification +CGMR documentation.
Wireshark is installed on your machine. For information on Wireshark and how to install it, see Wireshark.
Complete the following steps to test TLS traffic decryption:
Connect the kit to the computer using a USB cable.
Open the Cellular Monitor desktop application and connect the device.
Select Autoselect from the Modem trace database drop-down menu, or a modem firmware version that is programmed on the device.
Make sure that Open in Wireshark is selected.
Click Open Serial Terminal and keep the terminal window open (optional).
Click Start to begin the modem trace. The button changes to Stop and is greyed out.
In Wireshark, observe the incoming traffic. Successfully decrypted TLS traffic will be indicated by an additional layer named Decrypted TLS in the packet details pane. Expand this layer to inspect the decrypted content.
Supported cipher suites
See the nRF9160 modem TLS cipher suites or nRF91x1 modem TLS cipher suites summary page, depending on the SiP you are using, for a full list of TLS/DTLS cipher suites supported by the modem.
Each cipher suite is recognized by an official identification number, which is registered at IANA.
You can narrow down the set of cipher suites that is used for a specific TLS/DTLS connection with nrf_setsockopt()
.
For example, see the following code:
/* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */
nrf_sec_cipher_t cipher_list[] = { 0xC014 };
err = nrf_setsockopt(fd, NRF_SOL_SECURE, NRF_SO_SEC_CIPHERSUITE_LIST, cipher_list, sizeof(cipher_list));
if (err) {
/* Failed to set up cipher suite list. */
return -1;
}
Note that as in the case of other TLS/DTLS socket options, you must do this configuration before connecting to the server.