Cellular: TLS cipher suites

The Transport Layer Security (TLS) cipher suites sample demonstrates a minimal implementation of a client application that attempts to connect to a host by trying different TLS cipher suites. This sample shows the cipher suites and lists them as supported or not supported by the host, and provides a summary of the support.

Requirements

The sample supports the following development kits:

Hardware platforms

PCA

Board name

Board target

nRF9161 DK

PCA10153

nrf9161dk

nrf9161dk/nrf9161/ns

nRF9160 DK

PCA10090

nrf9160dk

nrf9160dk/nrf9160/ns

nRF9151 DK

PCA10171

nrf9151dk

nrf9151dk/nrf9151/ns

When built for a board target with the */ns variant, the sample is configured to compile and run as a non-secure application with Cortex-M Security Extensions enabled. Therefore, it automatically includes Trusted Firmware-M that prepares the required peripherals and secure services to be available for the application.

Overview

The sample first initializes the Modem library and AT communications. Next, it provisions a root CA certificate to the modem using the Modem key management library. Provisioning must be done before connecting to the LTE network because the certificates can only be provisioned when the device is not connected.

The sample then iterates through a list of TLS cipher suites, attempting connection to the host with each one of them. The sample connects successfully to the host (www.example.com) with the cipher suites that are supported by the host, while unsupported cipher suites cause a connection failure, setting errno to 95.

Finally, the sample provides a summary of the cipher suites that are supported and not supported by the host, example.com.

Obtaining a certificate

The sample connects to www.example.com, which requires an X.509 certificate. This certificate is provided in the samples/cellular/ciphersuites/cert folder. The certificate is automatically converted to a HEX format in the CMakeLists.txt file. The generated .inc file is then included in the code, where it is provisioned to the modem.

To connect to other servers, you might need to provision a different certificate. See Certificates for more information.

Configuration

See Configuring and building an application for information about how to permanently or temporarily change the configuration.

Configuration options

Check and configure the following Kconfig options:

CONFIG_EXTENDED_CIPHERSUITE_LIST

The sample configuration extends the cipher suite list with extra cipher suites that are only supported for the following modem firmware versions:

  • Modem firmware v1.3.x, where x is greater than or equal to 1

  • Modem firmware v1.2.x, where x is greater than or equal to 7

  • Modem firmware v2.0.0

Sending traces over UART on an nRF91 Series DK

To send modem traces over UART on an nRF91 Series DK, configuration must be added for the UART device in the devicetree and Kconfig. This is done by adding the modem trace UART snippet when building and programming.

Use the Cellular Monitor app for capturing and analyzing modem traces.

TF-M logging must use the same UART as the application. For more details, see shared TF-M logging.

Building and running

This sample can be found under samples/cellular/ciphersuites in the nRF Connect SDK folder structure.

When built as firmware image for a board target with the */ns variant, the sample has Cortex-M Security Extensions (CMSE) enabled and separates the firmware between Non-Secure Processing Environment (NSPE) and Secure Processing Environment (SPE). Because of this, it automatically includes the Trusted Firmware-M (TF-M). To read more about CMSE, see Processing environments.

To build the sample, follow the instructions in Configuring and building an application for your preferred building environment. See also Programming an application for programming steps and Testing and optimization for general information about testing and debugging in the nRF Connect SDK.

Note

When building repository applications in the SDK repositories, building with sysbuild is enabled by default. If you work with out-of-tree freestanding applications, you need to manually pass the --sysbuild parameter to every build command or configure west to always use it.

Testing

After programming the sample to your development kit, complete the following steps to test it:

  1. Connect the kit to the computer using a USB cable. The kit is assigned a COM port (Windows) or ttyACM device (Linux), which is visible in the Device Manager.

  2. Connect to the kit with a terminal emulator (for example, nRF Connect Serial Terminal). See Testing and optimization for the required settings and steps.

  3. Observe that the sample starts, provisions certificates, and connects to the LTE network.

  4. Observe that the sample iterates through a list of cipher suites, attempting a connection to example.com with each one of them, showing either a successful or an unsuccessful connection.

Sample output

The sample shows the following output:

TLS ciphersuites sample started
certificate match
waiting for network.. OK
trying all ciphersuites to find out which ones are supported...
trying ciphersuite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
connecting to example.com... connect() failed, err: 95, Operation not supported on socket
trying ciphersuite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
connecting to example.com... connect() failed, err: 95, Operation not supported on socket
trying ciphersuite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
connecting to example.com... connect() failed, err: 95, Operation not supported on socket
trying ciphersuite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
connecting to example.com... connect() failed, err: 95, Operation not supported on socket
trying ciphersuite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
connecting to example.com... Connected.
trying ciphersuite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
connecting to example.com... Connected.
trying ciphersuite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
connecting to example.com... Connected.
trying ciphersuite: TLS_PSK_WITH_AES_256_CBC_SHA
connecting to example.com... connect() failed, err: 95, Operation not supported on socket
trying ciphersuite: TLS_PSK_WITH_AES_128_CBC_SHA256
connecting to example.com... connect() failed, err: 95, Operation not supported on socket
trying ciphersuite: TLS_PSK_WITH_AES_128_CBC_SHA
connecting to example.com... connect() failed, err: 95, Operation not supported on socket
trying ciphersuite: TLS_PSK_WITH_AES_128_CCM_8
connecting to example.com... connect() failed, err: 95, Operation not supported on socket
trying ciphersuite: TLS_EMPTY_RENEGOTIATIONINFO_SCSV
connecting to example.com... connect() failed, err: 95, Operation not supported on socket

Ciphersuite support summary for host `example.com`:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: No
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: No
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: No
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: No
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: Yes
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: Yes
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: Yes
TLS_PSK_WITH_AES_256_CBC_SHA: No
TLS_PSK_WITH_AES_128_CBC_SHA256: No
TLS_PSK_WITH_AES_128_CBC_SHA: No
TLS_PSK_WITH_AES_128_CCM_8: No
TLS_EMPTY_RENEGOTIATIONINFO_SCSV: No

finished.

Dependencies

This sample uses the following nRF Connect SDK libraries:

It uses the following sdk-nrfxlib library:

In addition, it uses the following secure firmware component: