Error Codes
wolfSSL Error Codes
wolfSSL (formerly CyaSSL) error codes can be found in wolfssl/ssl.h. For detailed descriptions of the following errors, see the OpenSSL man page for SSL_get_error (man SSL_get_error).
Error Code Enum | Error Code | Error Description |
---|---|---|
SSL_ERROR_WANT_READ | 2 | |
SSL_ERROR_WANT_WRITE | 3 | |
SSL_ERROR_WANT_CONNECT | 7 | |
SSL_ERROR_WANT_ACCEPT | 8 | |
SSL_ERROR_SYSCALL | 5 | |
SSL_ERROR_WANT_X509_LOOKUP | 83 | |
SSL_ERROR_ZERO_RETURN | 6 | |
SSL_ERROR_SSL | 85 | |
Additional wolfSSL error codes can be found in wolfssl/error-ssl.h
Error Code Enum | Error Code | Error Description |
---|---|---|
INPUT_CASE_ERROR | -301 | process input state error |
PREFIX_ERROR | -302 | bad index to key rounds |
MEMORY_ERROR | -303 | out of memory |
VERIFY_FINISHED_ERROR | -304 | verify problem on finished |
VERIFY_MAC_ERROR | -305 | verify mac problem |
PARSE_ERROR | -306 | parse error on header |
UNKNOWN_HANDSHAKE_TYPE | -307 | weird handshake type |
SOCKET_ERROR_E | -308 | error state on socket |
SOCKET_NODATA | -309 | expected data, not there |
INCOMPLETE_DATA | -310 | don't have enough data to complete task |
UNKNOWN_RECORD_TYPE | -311 | unknown type in record hdr |
DECRYPT_ERROR | -312 | error during decryption |
FATAL_ERROR | -313 | recvd alert fatal error |
ENCRYPT_ERROR | -314 | error during encryption |
FREAD_ERROR | -315 | fread problem |
NO_PEER_KEY | -316 | need peer's key |
NO_PRIVATE_KEY | -317 | need the private key |
RSA_PRIVATE_ERROR | -318 | error during rsa priv op |
NO_DH_PARAMS | -319 | server missing DH params |
BUILD_MSG_ERROR | -320 | build message failure |
BAD_HELLO | -321 | client hello malformed |
DOMAIN_NAME_MISMATCH | -322 | peer subject name mismatch |
WANT_READ | -323 | want read, call again |
NOT_READY_ERROR | -324 | handshake layer not ready |
VERSION_ERROR | -326 | record layer version error |
WANT_WRITE | -327 | want write, call again |
BUFFER_ERROR | -328 | malformed buffer input |
VERIFY_CERT_ERROR | -329 | verify cert error |
VERIFY_SIGN_ERROR | -330 | verify sign error |
CLIENT_ID_ERROR | -331 | psk client identity error |
SERVER_HINT_ERROR | -332 | psk server hint error |
PSK_KEY_ERROR | -333 | psk key error |
GETTIME_ERROR | -337 | gettimeofday failed ??? |
GETITIMER_ERROR | -338 | getitimer failed ??? |
SIGACT_ERROR | -339 | sigaction failed ??? |
SETITIMER_ERROR | -340 | setitimer failed ??? |
LENGTH_ERROR | -341 | record layer length error |
PEER_KEY_ERROR | -342 | can't decode peer key |
ZERO_RETURN | -343 | peer sent close notify |
SIDE_ERROR | -344 | wrong client/server type |
NO_PEER_CERT | -345 | peer didn't send key |
ECC_CURVETYPE_ERROR | -350 | Bad ECC Curve Type |
ECC_CURVE_ERROR | -351 | Bad ECC Curve |
ECC_PEERKEY_ERROR | -352 | Bad Peer ECC Key |
ECC_MAKEKEY_ERROR | -353 | Bad Make ECC Key |
ECC_EXPORT_ERROR | -354 | Bad ECC Export Key |
ECC_SHARED_ERROR | -355 | Bad ECC Shared Secret |
NOT_CA_ERROR | -357 | Not CA cert error |
BAD_CERT_MANAGER_ERROR | -359 | Bad Cert Manager |
OCSP_CERT_REVOKED | -360 | OCSP Certificate revoked |
CRL_CERT_REVOKED | -361 | CRL Certificate revoked |
CRL_MISSING | -362 | CRL Not loaded |
MONITOR_SETUP_E | -363 | CRL Monitor setup error |
THREAD_CREATE_E | -364 | Thread Create Error |
OCSP_NEED_URL | -365 | OCSP need an URL for lookup |
OCSP_CERT_UNKNOWN | -366 | OCSP responder doesn’t know |
OCSP_LOOKUP_FAIL | -367 | OCSP lookup not successful |
MAX_CHAIN_ERROR | -368 | max chain depth exceeded |
COOKIE_ERROR | -369 | dtls cookie error |
SEQUENCE_ERROR | -370 | dtls sequence error |
SUITES_ERROR | -371 | suites pointer error |
OUT_OF_ORDER_E | -373 | out of order message |
BAD_KEA_TYPE_E | -374 | bad KEA type found |
SANITY_CIPHER_E | -375 | sanity check on cipher error |
RECV_OVERFLOW_E | -376 | RXCB returned more than rqed |
GEN_COOKIE_E | -377 | Generate Cookie Error |
NO_PEER_VERIFY | -378 | Need peer cert verify Error |
FWRITE_ERROR | -379 | fwrite problem |
CACHE_MATCH_ERROR | -380 | cache hdr match error |
UNKNOWN_SNI_HOST_NAME_E | -381 | Unrecognized host name Error |
UNKNOWN_MAX_FRAG_LEN_E | -382 | Unrecognized max frag len Error |
KEYUSE_SIGNATURE_E | -383 | KeyUse digSignature error |
KEYUSE_ENCIPHER_E | -385 | KeyUse KeyEncipher error |
EXTKEYUSE_AUTH_E | -386 | ExtKeyUse server |
SEND_OOB_READ_E | -387 | Send Cb out of bounds read |
SECURE_RENEGOTIATION_E | -388 | Invalid renegotiation info |
SESSION_TICKET_LEN_E | -389 | Session Ticket too large |
SESSION_TICKET_EXPECT_E | -390 | Session Ticket missing |
SCR_DIFFERENT_CERT_E | -391 | SCR Different cert error |
SESSION_SECRET_CB_E | -392 | Session secret CB fcn failure |
NO_CHANGE_CIPHER_E | -393 | Finished before change cipher |
SANITY_MSG_E | -394 | Sanity check on msg order error |
DUPLICATE_MSG_E | -395 | Duplicate message error |
SNI_UNSUPPORTED | -396 | SSL 3.0 does not support SNI |
SOCKET_PEER_CLOSED_E | -397 | Underlying transport closed |
BAD_TICKET_KEY_CB_SZ | -398 | Bad session ticket key cb size |
BAD_TICKET_MSG_SZ | -399 | Bad session ticket msg size |
BAD_TICKET_ENCRYPT | -400 | Bad user ticket encrypt |
DH_KEY_SIZE_E | -401 | DH key too small |
SNI_ABSENT_ERROR | -402 | No SNI request |
RSA_SIGN_FAULT | -403 | RSA sign fault |
HANDSHAKE_SIZE_ERROR | -404 | Handshake message too large |
UNKNOWN_ALPN_PROTOCOL_NAME_E | -405 | Unrecognized protocol name error |
BAD_CERTIFICATE_STATUS_ERROR | -406 | Bad certificate status message |
OCSP_INVALID_STATUS | -407 | Invalid OCSP status |
OCSP_WANT_READ | -408 | OCSP callback response |
RSA_KEY_SIZE_E | -409 | RSA key too small |
ECC_KEY_SIZE_E | -410 | ECC key too small |
DTLS_EXPORT_VER_E | -411 | Export version error |
INPUT_SIZE_E | -412 | Input size too big error |
CTX_INIT_MUTEX_E | -413 | Initialize ctx mutex error |
EXT_MASTER_SECRET_NEEDED_E | -414 | Need EMS enabled to resume |
DTLS_POOL_SZ_E | -415 | Exceeded DTLS pool size |
DECODE_E | -416 | Decode handshake message error |
HTTP_TIMEOUT | -417 | HTTP timeout for OCSP or CRL req |
WRITE_DUP_READ_E | -418 | Write dup write side can’t read |
WRITE_DUP_WRITE_E | -419 | Write dup read side can’t write |
INVALID_CERT_CTX_E | -420 | TLS cert ctx not matching |
BAD_KEY_SHARE_DATA | -421 | Key share data invalid |
MISSING_HANDSHAKE_DATA | -422 | Handshake message missing data |
BAD_BINDER | -423 | Binder does not match |
EXT_NOT_ALLOWED | -424 | Extension not allowed in msg |
INVALID_PARAMETER | -425 | Security parameter invalid |
MCAST_HIGHWATER_CB_E | -426 | Multicast highwater cb err |
ALERT_COUNT_E | -427 | Alert count exceeded err |
EXT_MISSING | -428 | Required extension not found |
UNSUPPORTED_EXTENSION | -429 | TLSX not requested by client |
PRF_MISSING | -430 | PRF not compiled in |
DTLS_RETX_OVER_TX | -431 | Retransmit DTLS flight over |
DH_PARAMS_NOT_FFDHE_E | -432 | DH params from server not FFDHE |
TCA_INVALID_ID_TYPE | -433 | TLSX TCA ID type invalid |
TCA_ABSENT_ERROR | -434 | TLSX TCA ID no response |
Negotiation Parameter Errors
Error Code Enum | Error Code | Error Description |
---|---|---|
UNSUPPORTED_SUITE | -500 | Unsupported cipher suite |
MATCH_SUITE_ERROR | -501 | Can’t match cipher suite |
COMPRESSION_ERROR | -502 | Compression mismatch |
KEY_SHARE_ERROR | -503 | Key share mismatch |
POST_HAND_AUTH_ERROR | -504 | Client won’t do post-hand auth |
HRR_COOKIE_ERROR | -505 | HRR msg cookie mismatch |
wolfCrypt Error Codes
wolfCrypt error codes can be found in wolfssl/wolfcrypt/error.h.
Error Code Enum | Error Code | Error Description |
---|---|---|
OPEN_RAN_E | -101 | opening random device error |
READ_RAN_E | -102 | reading random device error |
WINCRYPT_E | -103 | windows crypt init error |
CRYPTGEN_E | -104 | windows crypt generation error |
RAN_BLOCK_E | -105 | reading random device would block |
BAD_MUTEX_E | -106 | Bad mutex operation |
MP_INIT_E | -110 | mp_init error state |
MP_READ_E | -111 | mp_read error state |
MP_EXPTMOD_E | -112 | mp_exptmod error state |
MP_TO_E | -113 | mp_to_xxx error state, can't convert |
MP_SUB_E | -114 | mp_sub error state, can't subtract |
MP_ADD_E | -115 | mp_add error state, can't add |
MP_MUL_E | -116 | mp_mul error state, can't multiply |
MP_MULMOD_E | -117 | mp_mulmod error state, can't multiply mod |
MP_MOD_E | -118 | mp_mod error state, can't mod |
MP_INVMOD_E | -119 | mp_invmod error state, can't inv mod |
MP_CMP_E | -120 | mp_cmp error state |
MP_ZERO_E | -121 | got a mp zero result, not expected |
MEMORY_E | -125 | out of memory error |
RSA_WRONG_TYPE_E | -130 | RSA wrong block type for RSA function |
RSA_BUFFER_E | -131 | RSA buffer error, output too small or input too large |
BUFFER_E | -132 | output buffer too small or input too large |
ALGO_ID_E | -133 | setting algo id error |
PUBLIC_KEY_E | -134 | setting public key error |
DATE_E | -135 | setting date validity error |
SUBJECT_E | -136 | setting subject name error |
ISSUER_E | -137 | setting issuer name error |
CA_TRUE_E | -138 | setting CA basic constraint true error |
EXTENSIONS_E | -139 | setting extensions error |
ASN_PARSE_E | -140 | ASN parsing error, invalid input |
ASN_VERSION_E | -141 | ASN version error, invalid number |
ASN_GETINT_E | -142 | ASN get big int error, invalid data |
ASN_RSA_KEY_E | -143 | ASN key init error, invalid input |
ASN_OBJECT_ID_E | -144 | ASN object id error, invalid id |
ASN_TAG_NULL_E | -145 | ASN tag error, not null |
ASN_EXPECT_0_E | -146 | ASN expect error, not zero |
ASN_BITSTR_E | -147 | ASN bit string error, wrong id |
ASN_UNKNOWN_OID_E | -148 | ASN oid error, unknown sum id |
ASN_DATE_SZ_E | -149 | ASN date error, bad size |
ASN_BEFORE_DATE_E | -150 | ASN date error, current date before |
ASN_AFTER_DATE_E | -151 | ASN date error, current date after |
ASN_SIG_OID_E | -152 | ASN signature error, mismatched oid |
ASN_TIME_E | -153 | ASN time error, unknown time type |
ASN_INPUT_E | -154 | ASN input error, not enough data |
ASN_SIG_CONFIRM_E | -155 | ASN sig error, confirm failure |
ASN_SIG_HASH_E | -156 | ASN sig error, unsupported hash type |
ASN_SIG_KEY_E | -157 | ASN sig error, unsupported key type |
ASN_DH_KEY_E | -158 | ASN key init error, invalid input |
ASN_CRIT_EXT_E | -160 | ASN unsupported critical extension |
ECC_BAD_ARG_E | -170 | ECC input argument of wrong type |
ASN_ECC_KEY_E | -171 | ASN ECC bad input |
ECC_CURVE_OID_E | -172 | Unsupported ECC OID curve type |
BAD_FUNC_ARG | -173 | Bad function argument provided |
NOT_COMPILED_IN | -174 | Feature not compiled in |
UNICODE_SIZE_E | -175 | Unicode password too big |
NO_PASSWORD | -176 | no password provided by user |
ALT_NAME_E | -177 | alt name size problem, too big |
AES_GCM_AUTH_E | -180 | AES-GCM Authentication check failure |
AES_CCM_AUTH_E | -181 | AES-CCM Authentication check failure |
CAVIUM_INIT_E | -182 | Cavium Init type error |
COMPRESS_INIT_E | -183 | Compress init error |
COMPRESS_E | -184 | Compress error |
DECOMPRESS_INIT_E | -185 | DeCompress init error |
DECOMPRESS_E | -186 | DeCompress error |
BAD_ALIGN_E | -187 | Bad alignment for operation, no alloc |
ASN_NO_SIGNER_E | -188 | ASN sig error, no CA signer to verify certificate |
ASN_CRL_CONFIRM_E | -189 | ASN CRL no signer to confirm failure |
ASN_CRL_NO_SIGNER_E | -190 | ASN CRL no signer to confirm failure |
ASN_OCSP_CONFIRM_E | -191 | ASN OCSP signature confirm failure |
BAD_ENC_STATE_E | -192 | Bad ecc enc state operation |
BAD_PADDING_E | -193 | Bad padding, msg not correct length |
REQ_ATTRIBUTE_E | -194 | Setting cert request attributes error |
PKCS7_OID_E | -195 | PKCS#7, mismatched OID error |
PKCS7_RECIP_E | -196 | PKCS#7, recipient error |
FIPS_NOT_ALLOWED_E | -197 | FIPS not allowed error |
ASN_NAME_INVALID_E | -198 | ASN name constraint error |
RNG_FAILURE_E | -199 | RNG Failed, Reinitialize |
HMAC_MIN_KEYLEN_E | -200 | FIPS Mode HMAC Minimum Key Length error |
RSA_PAD_E | -201 | RSA Padding Error |
LENGTH_ONLY_E | -202 | Returning output length only |
IN_CORE_FIPS_E | -203 | In Core Integrity check failure |
AES_KAT_FIPS_E | -204 | AES KAT failure |
DES3_KAT_FIPS_E | -205 | DES3 KAT failure |
HMAC_KAT_FIPS_E | -206 | HMAC KAT failure |
RSA_KAT_FIPS_E | -207 | RSA KAT failure |
DRBG_KAT_FIPS_E | -208 | HASH DRBG KAT failure |
DRBG_CONT_FIPS_E | -209 | HASH DRBG Continuous test failure |
AESGCM_KAT_FIPS_E | -210 | AESGCM KAT failure |
THREAD_STORE_KEY_E | -211 | Thread local storage key create failure |
THREAD_STORE_SET_E | -212 | Thread local storage key set failure |
MAC_CMP_FAILED_E | -213 | MAC comparison failed |
IS_POINT_E | -214 | ECC is point on curve failed |
ECC_INF_E | -215 | ECC point infinity error |
ECC_PRIV_KEY_E | -216 | ECC private key not valid error |
SRP_CALL_ORDER_E | -217 | SRP function called in the wrong order |
SRP_VERIFY_E | -218 | SRP proof verification failed |
SRP_BAD_KEY_E | -219 | SRP bad ephemeral values |
ASN_NO_SKID | -220 | ASN no Subject Key Identifier found |
ASN_NO_AKID | -221 | ASN no Authority Key Identifier found |
ASN_NO_KEYUSAGE | -223 | ASN no Key Usage found |
SKID_E | -224 | Setting Subject Key Identifier error |
AKID_E | -225 | Setting Authority Key Identifier error |
KEYUSAGE_E | -226 | Bad Key Usage value |
CERTPOLICIES_E | -227 | Setting Certificate Policies error |
WC_INIT_E | -228 | wolfCrypt failed to initialize |
SIG_VERIFY_E | -229 | wolfCrypt signature verify error |
BAD_COND_E | -230 | Bad condition variable operation |
SIG_TYPE_E | -231 | Signature Type not enabled/available |
HASH_TYPE_E | -232 | Hash Type not enabled/available |
WC_KEY_SIZE_E | -234 | Key size error, either too small or large |
ASN_COUNTRY_SIZE_E | -235 | ASN Cert Gen, invalid country code size |
MISSING_RNG_E | -236 | RNG required but not provided |
ASN_PATHLEN_SIZE_E | -237 | ASN CA path length too large error |
ASN_PATHLEN_INV_E | -238 | ASN CA path length inversion error |
BAD_KEYWRAP_ALG_E | -239 | Algorithm error with keywrap |
BAD_KEYWRAP_IV_E | -240 | Decrypted AES key wrap IV incorrect |
WC_CLEANUP_E | -241 | wolfCrypt cleanup failed |
ECC_CDH_KAT_FIPS_E | -242 | ECC CDH known answer test failure |
DH_CHECK_PUB_E | -243 | DH check public key error |
BAD_PATH_ERROR | -244 | Bad path for opendir |
ASYNC_OP_E | -245 | Async operation error |
ECC_PRIVATEONLY_E | -246 | Invalid use of private only ECC key |
EXTKEYUSAGE_E | -247 | Bad extended key usage value |
WC_HW_E | -248 | Error with hardware crypto use |
WC_HW_WAIT_E | -249 | Hardware waiting on resource |
PSS_SALTLEN_E | -250 | PSS length of salt is too long for hash |
PRIME_GEN_E | -251 | Failure finding a prime |
BER_INDEF_E | -252 | Cannot decode indefinite length BER |
RSA_OUT_OF_RANGE_E | -253 | Ciphertext to decrypt out of range |
RSAPSS_PAT_FIPS_E | -254 | RSA-PSS PAT failure |
ECDSA_PAT_FIPS_E | -255 | ECDSA PAT failure |
DH_KAT_FIPS_E | -256 | DH KAT failure |
AESCCM_KAT_FIPS_E | -257 | AESCCM KAT failure |
SHA3_KAT_FIPS_E | -258 | SHA-3 KAT failure |
ECDHE_KAT_FIPS_E | -259 | ECDHE KAT failure |
AES_GCM_OVERFLOW_E | -260 | AES-GCM invocation counter overflow |
AES_CCM_OVERFLOW_E | -261 | AES-CCM invocation counter overflow |
RSA_KEY_PAIR_E | -262 | RSA Key Pair-Wise consistency check fail |
DH_CHECK_PRIV_E | -263 | DH check private key error |
WC_AFALG_SOCK_E | -264 | AF_ALG socket error |
WC_DEVCRYPTO_E | -265 | /dev/crypto error |
ZLIB_INIT_ERROR | -266 | Zlib init error |
ZLIB_COMPRESS_ERROR | -267 | Zlib compression error |
ZLIB_DECOMPRESS_ERROR | -268 | Zlib decompression error |
PKCS7_NO_SIGNER_E | -269 | No signer in PKCS7 signed data msg |
WC_PKCS7_WANT_READ_E | -270 | PKCS7 stream operation wants more input |
CRYPTOCB_UNAVAILABLE | -271 | Crypto callback unavailable |
PKCS7_SIGNEEDS_CHECK | -272 | Signature needs verified by caller |
ASN_SELF_SIGNED_E | -275 | ASN self-signed certificate error |
MIN_CODE_E | -300 | errors -101 - -299 |
Common Error Codes and their Solution
There are several error codes that commonly happen when getting an application up and running with wolfSSL.
ASN_NO_SIGNER_E (-188)
This error occurs when using a certificate and the signing CA certificate was not loaded. This can be seen using the wolfSSL example server or client against another client or server, for example connecting to Google using the wolfSSL example client:
./examples/client/client -g -h www.google.com -p 443
This fails with error -188 because Google’s CA certificate wasn’t loaded with the “-A” command line option.
WANT_READ (-323)
The WANT_READ error happens often when using non-blocking sockets. It isn’t actually an error in that case, but it is passed up to the caller as one. When a call to receive data from the I/O callback would block because no data is currently available to receive, the I/O callback returns WANT_READ. The caller should wait and try receiving again later. This is usually seen from calls to wolfSSL_read(), wolfSSL_negotiate(), wolfSSL_accept(), and wolfSSL_connect(). The example client and server will indicate the WANT_READ incidents when debugging is enabled.
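
The retry pattern described above, as an added example that is not wolfSSL's own code: a bounded read loop that treats WANT_READ/WANT_WRITE as "wait and call again", ZERO_RETURN as a clean close, and every other code (such as -188) as a real failure. The callbacks `rd` and `wait_ready`, the scripted peers and all other names are hypothetical stand-ins for wolfSSL_read() plus the error lookup and for select()/poll(); only the numeric codes come from the tables on this page.

```c
#include <stddef.h>

/* Values copied from the error tables on this page. */
enum { WANT_READ = -323, WANT_WRITE = -327, ZERO_RETURN = -343, ASN_NO_SIGNER_E = -188 };

enum read_status { READ_OK, READ_CLOSED, READ_TIMEOUT, READ_FATAL };
struct read_result { enum read_status status; int len; int err; int waits; };

/* Hypothetical stand-ins: rd() returns bytes read (> 0) or a negative code;
 * wait_ready() waits on the socket for the direction named by `code`
 * and returns 1 when ready, 0 when the wait timed out. */
typedef int (*tls_read_fn)(void *ctx, char *buf, int len);
typedef int (*wait_fn)(void *ctx, int code);

struct read_result read_nonblocking(tls_read_fn rd, wait_fn wait_ready, void *ctx,
                                    char *buf, int len, int max_waits)
{
    struct read_result r = { READ_FATAL, 0, 0, 0 };
    for (;;) {
        int ret = rd(ctx, buf, len);
        if (ret > 0) { r.status = READ_OK; r.len = ret; return r; }
        if (ret == ZERO_RETURN) { r.status = READ_CLOSED; return r; }
        if (ret == WANT_READ || ret == WANT_WRITE) {
            /* Not a failure: wait for the socket, but never spin forever. */
            if (r.waits >= max_waits || !wait_ready(ctx, ret)) { r.status = READ_TIMEOUT; return r; }
            r.waits++;
            continue;
        }
        r.err = ret;   /* anything else is a genuine error; do not retry */
        return r;
    }
}

/* Constructed sample peers: each entry is what one read attempt returns. */
struct script { const int *steps; int n, pos; };
const int SLOW_PEER[] = { WANT_READ, WANT_READ, 5 };
const int UNTRUSTED[] = { WANT_READ, ASN_NO_SIGNER_E };
const int STALLED[]   = { WANT_READ, WANT_READ, WANT_READ, WANT_READ };
const int CLOSING[]   = { ZERO_RETURN };

static int script_read(void *ctx, char *buf, int len)
{
    struct script *s = ctx;
    int ret = s->pos < s->n ? s->steps[s->pos++] : WANT_READ;
    if (ret > len) ret = len;
    for (int i = 0; i < ret; i++) buf[i] = 'x';   /* constructed payload bytes */
    return ret;
}
static int always_ready(void *ctx, int code) { (void)ctx; (void)code; return 1; }

struct read_result run_script(const int *steps, int n, int max_waits)
{
    struct script s = { steps, n, 0 };
    char buf[16];
    return read_nonblocking(script_read, always_ready, &s, buf, (int)sizeof buf, max_waits);
}
```

The retry cap matters as much as the retry itself: a peer that never sends data ends in READ_TIMEOUT instead of pinning the thread.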