samples: net: http_get: Update root CA certificate

The root CA used so far (GlobalSign R2) is about to expire soon
(December 2021) and Google have switched to a new certificate, signed by
GlobalSign R1 (valid until 2028). Therefore we need to replace the
root CA used by the sample to the new one, in order to establish secure
connection to with google.com.

Additionally, the new certificate chain sent by Google is larger again,
so it's needed to increase mbed TLS max content length parameter in
order to process it correctly. This also implies an increase in heap
usage, so increase the heap size as well.

Signed-off-by: Robert Lubos <[email protected]>

Author: rlubos

samples/net/sockets/http_get/CMakeLists.txt

@@ -14,6 +14,6 @@ set(gen_dir ${ZEPHYR_BINARY_DIR}/include/generated/)
 
 generate_inc_file_for_target(
     app
-    src/globalsign_r2.der
-    ${gen_dir}/globalsign_r2.der.inc
+    src/globalsign_r1.der
+    ${gen_dir}/globalsign_r1.der.inc
     )

samples/net/sockets/http_get/overlay-tls.conf

@@ -4,7 +4,7 @@ CONFIG_MAIN_STACK_SIZE=4096
 CONFIG_MBEDTLS=y
 CONFIG_MBEDTLS_BUILTIN=y
 CONFIG_MBEDTLS_ENABLE_HEAP=y
-CONFIG_MBEDTLS_HEAP_SIZE=30000
-CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=6144
+CONFIG_MBEDTLS_HEAP_SIZE=40000
+CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=7168
 
 CONFIG_NET_SOCKETS_SOCKOPT_TLS=y

samples/net/sockets/http_get/src/ca_certificate.h

@@ -13,12 +13,12 @@
  * certificate in PEM format, you can enable support for it in Kconfig.
  */
 
-/* GlobalSign Root CA - R2 for https://google.com */
+/* GlobalSign Root CA - R1 for https://google.com */
 #if defined(CONFIG_TLS_CREDENTIAL_FILENAMES)
-static const unsigned char ca_certificate[] = "globalsign_r2.der";
+static const unsigned char ca_certificate[] = "globalsign_r1.der";
 #else
 static const unsigned char ca_certificate[] = {
-#include "globalsign_r2.der.inc"
+#include "globalsign_r1.der.inc"
 };
 #endif