diff --git a/samples/net/sockets/big_http_download/overlay-tls.conf b/samples/net/sockets/big_http_download/overlay-tls.conf
index 28ac8d4bc7d..78d1a7cef13 100644
--- a/samples/net/sockets/big_http_download/overlay-tls.conf
+++ b/samples/net/sockets/big_http_download/overlay-tls.conf
@@ -5,7 +5,7 @@ CONFIG_NET_PKT_TX_COUNT=10
 CONFIG_MBEDTLS=y
 CONFIG_MBEDTLS_BUILTIN=y
 CONFIG_MBEDTLS_ENABLE_HEAP=y
-CONFIG_MBEDTLS_HEAP_SIZE=60000
+CONFIG_MBEDTLS_HEAP_SIZE=65000
 CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=16384
 CONFIG_MBEDTLS_PEM_CERTIFICATE_FORMAT=y
diff --git a/samples/net/sockets/big_http_download/src/DigiCertGlobalRootG2.crt.pem b/samples/net/sockets/big_http_download/src/DigiCertGlobalRootG2.crt.pem
new file mode 100644
index 00000000000..51a0085fa1a
--- /dev/null
+++ b/samples/net/sockets/big_http_download/src/DigiCertGlobalRootG2.crt.pem
@@ -0,0 +1,22 @@
+"-----BEGIN CERTIFICATE-----\n"
+"MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh\n"
+"MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n"
+"d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH\n"
+"MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT\n"
+"MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j\n"
+"b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG\n"
+"9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI\n"
+"2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx\n"
+"1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ\n"
+"q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz\n"
+"tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ\n"
+"vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP\n"
+"BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV\n"
+"5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY\n"
+"1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4\n"
+"NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG\n"
+"Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91\n"
+"8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe\n"
+"pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl\n"
+"MrY=\n"
+"-----END CERTIFICATE-----\n"
diff --git a/samples/net/sockets/big_http_download/src/big_http_download.c b/samples/net/sockets/big_http_download/src/big_http_download.c
index c28c22b3159..b4e9ccffeda 100644
--- a/samples/net/sockets/big_http_download/src/big_http_download.c
+++ b/samples/net/sockets/big_http_download/src/big_http_download.c
@@ -274,9 +274,12 @@ bool download(struct addrinfo *ai, bool is_tls, bool *redirect) #if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS) if (is_tls) { - sec_tag_t sec_tag_opt[] = { - CA_CERTIFICATE_TAG, + sec_tag_t sec_tag_opt[ARRAY_SIZE(ca_certificates)]; + + for (int i = 0; i < ARRAY_SIZE(ca_certificates); i++) { + sec_tag_opt[i] = CA_CERTIFICATE_TAG + i; }; + CHECK(setsockopt(sock, SOL_TLS, TLS_SEC_TAG_LIST, sec_tag_opt, sizeof(sec_tag_opt))); @@ -369,8 +372,12 @@ int main(void) bool redirect = false; #if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS) - tls_credential_add(CA_CERTIFICATE_TAG, TLS_CREDENTIAL_CA_CERTIFICATE, - ca_certificate, sizeof(ca_certificate)); + for (int i = 0; i < ARRAY_SIZE(ca_certificates); i++) { + tls_credential_add(CA_CERTIFICATE_TAG + i, + TLS_CREDENTIAL_CA_CERTIFICATE, + ca_certificates[i], + strlen(ca_certificates[i]) + 1); + } #endif setbuf(stdout, NULL); diff --git a/samples/net/sockets/big_http_download/src/ca_certificate.h b/samples/net/sockets/big_http_download/src/ca_certificate.h index 4f3e2e266b5..462f8f0052b 100644 --- a/samples/net/sockets/big_http_download/src/ca_certificate.h +++ b/samples/net/sockets/big_http_download/src/ca_certificate.h @@ -13,10 +13,14 @@ * certificate in PEM format, you can enable support for it in Kconfig. */ -/* ISRG Root X1 for https://launchpad.net/ubuntu */ -static const unsigned char ca_certificate[] = +/* ISRG Root X1 for https://launchpad.net/ubuntu + * DigiCert Global Root G2 for possible redirects + */ +static const unsigned char *ca_certificates[] = { #include "isrgrootx1.pem" -; +, +#include "DigiCertGlobalRootG2.crt.pem" +}; #endif /* __CA_CERTIFICATE_H__ */
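Review bot: The new `for` loop in download() is closed by the `};` left over from the old array initializer, which leaves a stray empty statement; it should end with a plain `}`. The index is `int` while `ARRAY_SIZE()` yields an unsigned count, so `for (size_t i = 0; i < ARRAY_SIZE(ca_certificates); i++)` avoids the signed/unsigned comparison, here and in the matching loop in main(). Since every socket now lists all bundled roots, a comment above the `setsockopt()` call would help: `/* Every bundled root is trusted for every host, so hostname verification must stay enabled */`. Whether the hostname is set on the socket is not visible in this hunk, and download() begins and ends outside it.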
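Review bot: The result of `tls_credential_add()` is dropped inside the new loop in main(), so a root that fails to register goes unnoticed while download() still puts its tag in `TLS_SEC_TAG_LIST`; the failure would presumably surface only later, as a socket-option or handshake error. Capture it with `int ret = tls_credential_add(...);` and stop on `if (ret < 0) { printf("CA certificate %d: error %d\n", i, ret); return ret; }`. The loop also assumes the tags from `CA_CERTIFICATE_TAG` upward are free; a comment at that macro's definition (not shown here) saying the next `ARRAY_SIZE(ca_certificates) - 1` values are reserved would keep a later credential from colliding. main() continues outside the hunk.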
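Review bot: `static const unsigned char *ca_certificates[]` leaves the pointer table itself writable, and each element is initialised from a `char` string literal, so the signedness differs both here and where the element is passed to `strlen()` in main(). Declaring it `static const char *const ca_certificates[] = {` makes the trust-anchor table read-only and removes both mismatches. The comment says the second root is for "possible redirects" without naming a host; because each root listed here is accepted for every connection the sample makes, it is worth stating the scope, e.g. `* DigiCert Global Root G2 for <redirect host> (trusted for all connections)`. Recording where the PEM was obtained and its fingerprint (`<sha256-of-root>`) in the same comment would let a reviewer check the added file against the CA's published value.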