samples: net: http_get: Update root CA certificate
The root CA used so far (GlobalSign R2) is about to expire soon
(December 2021) and Google have switched to a new certificate, signed by
GlobalSign R1 (valid until 2028). Therefore we need to replace the
root CA used by the sample to the new one, in order to establish secure
connection to with google.com.
Additionally, the new certificate chain sent by Google is larger again,
so it's needed to increase mbed TLS max content length parameter in
order to process it correctly. This also implies an increase in heap
usage, so increase the heap size as well.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
diff --git a/samples/net/sockets/http_get/CMakeLists.txt b/samples/net/sockets/http_get/CMakeLists.txt
index 4813c95..b00571f 100644
--- a/samples/net/sockets/http_get/CMakeLists.txt
+++ b/samples/net/sockets/http_get/CMakeLists.txt
@@ -14,6 +14,6 @@
generate_inc_file_for_target(
app
- src/globalsign_r2.der
- ${gen_dir}/globalsign_r2.der.inc
+ src/globalsign_r1.der
+ ${gen_dir}/globalsign_r1.der.inc
)
diff --git a/samples/net/sockets/http_get/overlay-tls.conf b/samples/net/sockets/http_get/overlay-tls.conf
index ee18eb6..940d7f0 100644
--- a/samples/net/sockets/http_get/overlay-tls.conf
+++ b/samples/net/sockets/http_get/overlay-tls.conf
@@ -4,7 +4,7 @@
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_BUILTIN=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
-CONFIG_MBEDTLS_HEAP_SIZE=30000
-CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=6144
+CONFIG_MBEDTLS_HEAP_SIZE=40000
+CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=7168
CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
diff --git a/samples/net/sockets/http_get/src/ca_certificate.h b/samples/net/sockets/http_get/src/ca_certificate.h
index 8ccfe5c..9668552 100644
--- a/samples/net/sockets/http_get/src/ca_certificate.h
+++ b/samples/net/sockets/http_get/src/ca_certificate.h
@@ -13,12 +13,12 @@
* certificate in PEM format, you can enable support for it in Kconfig.
*/
-/* GlobalSign Root CA - R2 for https://google.com */
+/* GlobalSign Root CA - R1 for https://google.com */
#if defined(CONFIG_TLS_CREDENTIAL_FILENAMES)
-static const unsigned char ca_certificate[] = "globalsign_r2.der";
+static const unsigned char ca_certificate[] = "globalsign_r1.der";
#else
static const unsigned char ca_certificate[] = {
-#include "globalsign_r2.der.inc"
+#include "globalsign_r1.der.inc"
};
#endif
diff --git a/samples/net/sockets/http_get/src/globalsign_r1.der b/samples/net/sockets/http_get/src/globalsign_r1.der
new file mode 100644
index 0000000..1e6967f
--- /dev/null
+++ b/samples/net/sockets/http_get/src/globalsign_r1.der
Binary files differ
diff --git a/samples/net/sockets/http_get/src/globalsign_r2.der b/samples/net/sockets/http_get/src/globalsign_r2.der
deleted file mode 100644
index 4d93718..0000000
--- a/samples/net/sockets/http_get/src/globalsign_r2.der
+++ /dev/null
Binary files differ
