(edited by petrich 2015-04-30 19:16:33)

Topic: [SOLVED] altname check failure?

Dear Team,

Does wolfSSL have, in this case, any altname check issues?

wget http://www.startssl.com/certs/ca.pem
examples/client/client -p 443 -m -v 1 -A ./ca.pem -h jabber.se

Fails with:

err = -322, peer subject name mismatch
wolfSSL error: SSL_connect failed

While

examples/client/client -p 443 -m -v 1 -A ./ca.pem -h www.jabber.se

Works.

peer's cert info:
issuer : /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
subject: /C=SE/CN=www.jabber.se/emailAddress=postmaster@jabber.se
altname = jabber.se
altname = www.jabber.se
serial number:10:36:d9
SSL version is TLSv1
SSL cipher suite is TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Any ideas why "altname = jabber.se" is being ignored?

Thank you in advance for your help
Hans-Juergen Petrich


Re: [SOLVED] altname check failure?

First, the jabber.se certificate expired on May 1st.

Which version of wolfSSL embedded SSL are you using? I'm connecting with the latest commit from GitHub and the altName is not getting ignored. (By the way, add -g to your client command. It'll do an HTTP "GET /" message to the server.)

How are you configuring the library? There was an issue where the altNames were getting lost when you had KEEP_PEER_CERT enabled. (I believe the fix was released in version 3.4.8. It was commit 50e829e.)
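As an added illustration (not code from this thread or from wolfSSL), here is a small Python model of the check the client performs: it parses the "peer's cert info" block from the first post and matches the requested host against the altnames, falling back to the subject CN only when no altname survived. Dropping the altname list, as the KEEP_PEER_CERT issue did, reproduces the "jabber.se fails, www.jabber.se works" behaviour; the wildcard handling is an assumption about general hostname matching, not something the thread shows.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the "peer's cert info" block as the wolfSSL example
# client printed it in the first post (values copied from the thread).
CLIENT_OUTPUT = """\
peer's cert info:
issuer : /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
subject: /C=SE/CN=www.jabber.se/emailAddress=postmaster@jabber.se
altname = jabber.se
altname = www.jabber.se
serial number:10:36:d9
"""

@dataclass
class PeerCert:
    subject_cn: str
    altnames: list = field(default_factory=list)

def parse_client_output(text):
    """Pull the subject CN and the DNS altnames out of the client's cert dump."""
    cn, alts = None, []
    for line in text.splitlines():
        if line.startswith("subject:"):
            m = re.search(r"/CN=([^/]+)", line)
            cn = m.group(1) if m else None
        elif line.startswith("altname ="):
            alts.append(line.split("=", 1)[1].strip())
    return PeerCert(subject_cn=cn, altnames=alts)

def _name_match(pattern, host):
    """Case-insensitive exact match, or a single '*' as the left-most label
    covering exactly one label (assumed RFC 6125 style rule, not from the thread)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        # refuse "*.se"-style patterns and require the same label count
        return len(p_labels) >= 3 and len(h_labels) == len(p_labels) \
            and h_labels[1:] == p_labels[1:]
    return False

def check_domain_name(cert, host):
    """Return (ok, reason). SANs take precedence; the CN is only consulted
    when the certificate carries no altname at all."""
    names = cert.altnames if cert.altnames else [cert.subject_cn]
    if any(_name_match(n, host) for n in names if n):
        return True, "matched " + ("altname" if cert.altnames else "subject CN")
    return False, "peer subject name mismatch"

if __name__ == "__main__":
    cert = parse_client_output(CLIENT_OUTPUT)
    lost = PeerCert(cert.subject_cn, [])  # altnames dropped, as in the reported bug
    for c, label in ((cert, "altnames kept"), (lost, "altnames lost")):
        for host in ("jabber.se", "www.jabber.se"):
            print(label, host, check_domain_name(c, host))
```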

Re: [SOLVED] altname check failure?

John, thank you for your reply.
I used wolfSSL 3.4.6.
Configure was:

./configure C_EXTRA_FLAGS="-DNO_CYASSL_SERVER" --enable-opensslextra --enable-sni --enable-sessioncerts --enable-hc128 --with-ntru=/usr

With the same configure but compiled against the latest GitHub sources (3.4.8), it works now.

Thank you again
Greetings
Hans-Juergen Petrich


Re: [SOLVED] altname check failure?

--enable-openssl also defines KEEP_PEER_CERT.

I'm glad to see that it is working for you now.