An HTTPS connection is an HTTP connection wrapped in a TLS secure layer. This connection generally requires authentication of the server only, so it needs only one trusted certificate to be loaded. This example demonstrates loading a certificate, opening a TCP socket with TLS, and issuing an HTTP request over this secure socket.
First we must load the certificate for the site we want to connect to. This is done once for the life of the product, but care must be taken to notice that each certificate has an expiration date and that you have a way to update expired certificates. It can become impossible to update a certificate remotely if you rely on the expired certificate for the connection that is managing your updates. It is necessary to update it before it expires, or to use a different certificate/connection strictly for FOTA updates of the certificates.
The Signetik IoT API has a variable sectagq which is used to set the security tag for queries and for setting certificates, without changing the security tag used by your connection. The security tag is a number that can be quite large, but it is best to use numbers under 1000 unless you check the Nordic documentation, to avoid overwriting some default certificates.
Set the security tag where the certificate is to be loaded.
+set,sectagq:22
You should see the following response for success.
+rsp,sectagq:22
Next load the certificate, one time for all future connections.
+set,cacert:"-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
"
NOTE: When pasting the certificate command above in a terminal, it is important that the terminal is set to send linefeeds (LF) and not carriage returns (CR) at the end of each line.
When the certificate is loaded, success is indicated by a result of 0:
+rsp,cacert:0
At this point, since this is a one-time loading of certificates, you can reboot the system or send an AT command to turn the modem back on. The modem was set to CFUN=4 to load the certs and will not operate unless set back to 1.
+set,at:at+cfun=1
The response:
+rsp,at:OK
Now set the security tag to use for the connection. This tells the TLS layer to use the certificates loaded in slot 22. Setting sectag to 0 will tell the modem to NOT use any TLS.
+set,sectag:22
The response:
+rsp,sectag:22
From this point forward, we are simply performing an HTTP GET, but we use port 443. The following commands would also work on port 80 if sectag is set to 0, and thus with no TLS.
Set the URI of the request. Here we use a single slash to get the root (or index) of the website.
The responses "+rsp" will be shown with each command below.
+set,uri:/
+rsp,uri:/
Set the server address for the HTTP request. This is not the server to connect to, but the information that goes into the request (the Host header). Generally it is the same as the connection point, but for virtual hosts it may not be.
+set,server_address:www.google.com
+rsp,server_address:www.google.com
Open a TCP socket to google.com on port 443, where TLS is listening.
+tcp_open,host:google.com,port:443
+rsp,result:0,socket:4,error:0
The above response needs to be parsed by the controlling processor to extract the socket number. It is 4 in this example, but it could be any value, depending upon how many sockets are opened. This value needs to be used on further socket commands.
Perform an HTTP GET on socket 4.
+http_get,socket:4
+rsp,result:0
This will send the request using the server_address and uri set above. The response will come asynchronously with +notify messages. Multiple +notify messages can be received and should be parsed and removed.
Following is a truncated example of the response to the request, as delivered in notify messages:
+notify,event:tcp_receive,data:
HTTP/1.1 200 OK
Date: Thu, 31 Oct 2024 01:06:24 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-HXsyxvvP5zI8azKt-oK6ng' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Accept-CH: Sec-CH-Prefers-Color-Scheme
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
+notify,event:tcp_receive,data:
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AVYB7cp7A01DUMb7iuYJhIQIXSz8tuVuCmRUjaEAzVviSDRA7MSLGuiHpcg; expires=Tue, 29-Apr-2025 01:06:24 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Set-Cookie: NID=518=soGobT4kpj8xwXJhJeShsED27PLC8XmtSwC5R821Yd7CTqQf1iE7vvDC57JP1hhZJTvBzT5Lglj4KXlU3yQUc8EWXLdgDMofIJvaj53vUEQGw5mOG3D2DJZPyM5JsS-Njm2-9scsqbHWadMwDgxTpu5gzEEQENXnhFhh_it3no9H-By2g0MQCxuhvjsa3EO-MDA; expires=Fri, 02-May-2025 01:06:24 GMT; path=/; domain=.google.com;
[00:06:32.642,730] <inf> modem_asc: HTTP header length: 66
[00:06:32.642,761] <inf> modem_interface: Sending 66 bytes to socket 4
[00:06:32.642,761] <inf> modem_interface: data:
GET // HTTP/1.1
Host: www.goo~
[00:06:32.651,794] <inf> modem_interface: Client packet sent: 66 bytes
[00:06:32.653,106] <inf> modem_asc: HTTP GET send successful.
+notify,event:tcp_receive,data:
HttpOnly
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
After receiving the data, close socket 4. Failure to close sockets will cause the limited number of sockets to be exhausted, prohibiting further connections.
+tcp_close,socket:4
+rsp,result:0
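The controller-side logic for the sequence above (set sectag, uri and server_address, open the socket, parse the returned socket number, collect the +notify chunks, and always close the socket), written here as an added example rather than code from Signetik. It assumes a line-oriented link to the module and stands in for the UART with a constructed FakeModule that replies in the formats shown on this page; it also assumes server_address is the same host as the connection point.

```python
import re
from typing import List, Optional, Tuple

SOCKET_RSP = re.compile(r"^\+rsp,result:(\d+),socket:(\d+),error:(\d+)$")
NOTIFY_HDR = "+notify,event:tcp_receive,data:"

class FakeModule:
    """Constructed stand-in for the UART link to a Signetik module (page-style replies)."""
    def __init__(self) -> None:
        self.sent: List[str] = []       # every command the controller wrote
        self.pending: List[str] = []    # lines waiting to be read back
    def send(self, line: str) -> None:
        self.sent.append(line)
        if line.startswith("+set,"):    # the module echoes each setting it accepts
            name, value = line[5:].split(":", 1)
            self.pending.append(f"+rsp,{name}:{value}")
        elif line.startswith("+tcp_open,"):
            self.pending.append("+rsp,result:0,socket:4,error:0")
        elif line.startswith("+http_get,"):   # headers arrive split over two +notify chunks
            self.pending += ["+rsp,result:0", NOTIFY_HDR, "HTTP/1.1 200 OK", "Server: gws",
                             NOTIFY_HDR, "X-Frame-Options: SAMEORIGIN"]
        elif line.startswith("+tcp_close,"):
            self.pending.append("+rsp,result:0")
    def readline(self) -> Optional[str]:
        return self.pending.pop(0) if self.pending else None

def expect(mod: FakeModule, prefix: str) -> str:   # read one line, demand the expected +rsp
    line = mod.readline()
    if line is None or not line.startswith(prefix):
        raise RuntimeError(f"unexpected response {line!r}, wanted {prefix!r}")
    return line

def https_get(mod: FakeModule, host: str, uri: str = "/", sectag: int = 22) -> Tuple[int, str]:
    """Page sequence: sectag, uri, server_address, tcp_open, http_get, then tcp_close."""
    for name, value in (("sectag", sectag), ("uri", uri), ("server_address", host)):
        mod.send(f"+set,{name}:{value}")
        expect(mod, f"+rsp,{name}:{value}")
    mod.send(f"+tcp_open,host:{host},port:443")
    m = SOCKET_RSP.match(expect(mod, "+rsp,result:"))
    if m is None or m.group(1) != "0" or m.group(3) != "0":
        raise RuntimeError("tcp_open failed")
    sock = int(m.group(2))              # parsed from the reply, never assumed to be 4
    try:
        mod.send(f"+http_get,socket:{sock}")
        expect(mod, "+rsp,result:0")
        chunks = [ln for ln in iter(mod.readline, None) if ln != NOTIFY_HDR]  # drop wrappers
        return sock, "\n".join(chunks)
    finally:                            # release the socket even if a step above failed
        mod.send(f"+tcp_close,socket:{sock}")
        expect(mod, "+rsp,result:0")
```

On real hardware, replace FakeModule with a serial wrapper exposing the same send/readline pair; the finally block is what keeps the socket pool from being exhausted when a request fails part-way.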