Topic: Question: error -188 No CA signer to verify with ASN_NO_SIGNER_E
Hi, everyone!
We have ported the wolfSSL embedded SSL module to our platform. Our platform is a client, and when the server's cert is not checked, the handshake is OK.
Then we added a check of the server's cert as below:
/* Client-side TLS configuration: verify the server's certificate against
 * the CA held in googlerootca_cert, which is loaded as PEM by
 * wolfSSL_CTX_load_verify_buffer() when TLS_CHECK_SERVER_CERT is set. */
tls_init_config_t cfg = {
    /* No client certificate is presented to the server. */
    .tls.client.client_cert = NULL,
    .tls.client.client_cert_size = 0,
    /* Trust anchor used to verify the server's chain. The "- 1" presumably
     * drops the terminating NUL of a PEM string literal -- confirm that
     * googlerootca_cert is declared as one. NOTE(review): the CA loaded
     * here has to be the issuer of the server's chain (the CA that signed
     * the server's intermediate, or the intermediate itself); if no loaded
     * CA matches, wolfSSL reports "No CA signer to verify with"
     * (ASN_NO_SIGNER_E), which is what the quoted log shows. */
    .tls.client.ca_cert = googlerootca_cert,
    .tls.client.ca_cert_size = sizeof(googlerootca_cert) - 1,
    /* Turn on server certificate verification. */
    .flags = TLS_CHECK_SERVER_CERT,
};
We use Google's HTTPS server for testing. googlerootca_cert is Google's root CA, which we downloaded from the URL https://www.google.com.
wolfSSL_CTX_load_verify_buffer() will be called, and googlerootca_cert will be loaded to check the server's CA.
After the client receives the server's certificate, it verifies that certificate, but verification fails with the error ASN_NO_SIGNER_E. Some error logs are below.
No CA signer to verify with
Failed to verify CA from chain
WOLFSSL Leaving DoHandShakeMsgType(), return -188
WOLFSSL Leaving DoHandShakeMsg(), return -188
Why is there no CA signer?
When the extension part of the cert is decoded, there are some errors as below.
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering DecodeSubjKeyId
found optional critical flag, moving past
wolfSSL Entering DecodeBasicCaConstraint
Extension type not handled, skipping
wolfSSL Entering DecodeCrlDist
found optional critical flag, moving past
Extension type not handled, skipping
Extension type not handled, skipping
Extension type not handled, skipping
wolfSSL Entering DecodeAltNames
Not DNS type
wolfSSL Entering DecodeAuthKeyId
fail: wanted OPTIONAL item 0, not available
Who can help me? And the code:
static int _tls_session_init_client(tls_session_t *s, int sockfd,
const tls_init_config_t *cfg)
{
int ret;
SSL_METHOD *method;
#if defined(WOLFSSL_DTLS)
method = DTLSv1_client_method();
tls_d("DTLSv1!");
#elif !defined(NO_TLS)
method = SSLv23_client_method();
tls_d("SSLv23!");
#else
method = SSLv3_client_method();
tls_d("SSLv3!");
#endif
s->ctx = SSL_CTX_new(method);
if (cfg->flags & TLS_CHECK_SERVER_CERT) {
ASSERT(cfg->tls.client.ca_cert_size != 0);
/* Load server certificates from buffer */
tls_d("Loading CA certificate file. Size: %d",
cfg->tls.client.ca_cert_size);
ret = wolfSSL_CTX_load_verify_buffer(s->ctx,
cfg->tls.client.ca_cert,
cfg->tls.client.
ca_cert_size,
SSL_FILETYPE_PEM);
if (ret != SSL_SUCCESS) {
tls_e("Unable to load CA certificate");
SSL_CTX_free(s->ctx);
return -WM_FAIL;
}
} else {
tls_d("Disabling certificate check");
SSL_CTX_set_verify(s->ctx, SSL_VERIFY_NONE, 0);
}
s->ssl = SSL_new(s->ctx);
SSL_set_fd(s->ssl, sockfd);
#ifdef NON_BLOCKING
//no define NON_BLOCKING
tcp_set_nonblocking(&sockfd);
NonBlockingSSL_Connect(s->ssl);
#else
#ifndef WOLFSSL_CALLBACKS
//no define WOLFSSL_CALLBACKS
tls_d("Starting SSL connect");
/* see note at top of README */
if (SSL_connect(s->ssl) != SSL_SUCCESS) {
#ifdef CONFIG_ENABLE_ERROR_LOGS
int err = SSL_get_error(s->ssl, 0);
char buffer[80];
tls_e("err = %d, %s", err, ERR_error_string(err, buffer));
/* if you're getting an error here */
tls_e("SSL_connect failed");
#endif /* CONFIG_ENABLE_ERROR_LOGS */
tls_d("did SSL_connect");
SSL_free(s->ssl);
tls_d("did SSL_free");
SSL_CTX_free(s->ctx);
tls_d("did SSL_CTX_free");
return -WM_FAIL;
}
#else
timeout.tv_sec = 2;
timeout.tv_usec = 0;
NonBlockingSSL_Connect(s->ssl); /* will keep retrying on timeout */
#endif
#endif
showPeer(s->ssl);
s->session_setup_done = true;
tls_d("SSL Connect success");
#ifdef CONFIG_WPA2_ENTP
if (cfg->flags & TLS_WPA2_ENTP)