• Registered: 2015-08-19
  • Posts: 6

Topic: [SOLVED] CA signer not available for verification

Hello,

I tried to use multiple SSL Solutions with curl and found CyaSSL / wolfSSL and tried that one:
Infact, it is one of the only SSL engines "really working" on OpenWRT 14.07 without needing about 20 seconds on an older router to curl one https site - so kudos for that smile!

I am using OpenWRT 14.07, compiled by myself, for an WGT634U (Legacy Branch).
I left most settings on default, only changed CyaSSL to default SSL Engine, as well as I choose it in curl.
After installing on the router, I also installed ca-certificates.

I can access an site like google - but only with the use of the insecure switch -k.
Other than that, I get an curl: (77) CA signer not available for verification error.

The Website I try to access via curl does also use 4096 Bit Certificates, and I thought there was some problem with that size. Is there any possiblity to get that error fixed in the stable OpenWRT branch, or can I change something myself in the package to get myself up and running without --insecure?

Thanks a lot!


curl -v:
curl 7.38.0 (mipsel-openwrt-linux-gnu) libcurl/7.38.0 CyaSSL/3.2.0
Protocols: http https
Features: Largefile SSL

Share

  • john
  • Moderator
  • Offline
  • From: Seattle, WA
  • Registered: 2011-11-14
  • Posts: 148

Re: [SOLVED] CA signer not available for verification

Which CA certificate are you using for Google? Make sure in your CA bolus you have the "Equifax Secure Certificate Authority" CA certificate.

As for 4096-bit RSA certificates, since I'm assuming you are using fast math, you need to "#define FP_MAX_BITS 8192" in wolfSSL. By default, the max bits setting is good for doing 2048-bit RSA keys.

john's Website

Share

  • Registered: 2015-08-19
  • Posts: 6

Re: [SOLVED] CA signer not available for verification

OK, I could get it to work for Google, but only if I really give the needed cert to curl via --cacert by hand, like shown here:

curl --cacert /etc/ssl/certs/Equifax_Secure_CA.crt https://www.google.de

Otherwise, I get the usual error about CA signer not available for verification.

The Website I try to curl, https://www.jctixx.de does use Comodo Positive SSL, which does use the AddTrust External CA Root Certificate. I have that one in my cert space as well, and tried to curl jctixx.de the same way, however, it does not give back anything else than curl: (77) CA signer not available for verification error.

Any ideas how to solve that?

Thanks a lot!

Share

  • From: Bozeman, MT
  • Registered: 2010-10-20
  • Posts: 650

Re: [SOLVED] CA signer not available for verification

Hi,

I was able to connect to https://ww.jctixx.de using the wolfSSL example client, using the attached CA certificate.

$ cd wolfssl-3.6.6
$ ./configure
$ make
$ ./examples/client/client -h www.jctixx.de -p 443 -A addtrustexternalcaroot.crt -g

Is this the same CA root that you are using when connecting to that site?

Best Regards,
Chris

Post's attachments

addtrustexternalcaroot.crt 1.49 kb, 2 downloads since 2015-08-25 

You don't have the permssions to download the attachments of this post.
https://www.wolfssl.com

chrisc's Website

Share

  • Registered: 2015-08-19
  • Posts: 6

Re: [SOLVED] CA signer not available for verification

Yes, its the same CA root.
I just tried it with yours again - and it did fail.
The current stable OpenWRT Release does only include CyaSSL 3.2.0.
Maybe thats too old.

"curl 7.38.0 (mipsel-openwrt-linux-gnu) libcurl/7.38.0 CyaSSL/3.2.0
Protocols: http https
Features: Largefile SSL "

However, I did also try with the trunk Version, I think it was version 3.6.0 - and it did not work with curl, only if curl was built with OpenSSL or gnutls. I would still like to use wolfSSL/CyaSSL, as I see it is more efficient.

Share

  • From: Bozeman, MT
  • Registered: 2010-10-20
  • Posts: 650

Re: [SOLVED] CA signer not available for verification

Hi,

It's interesting that you aren't able to connect to https://www.jctixx.de, using the attached certificate above.

On my development machine (OSX), I was able to compile cURL and wolfSSL and connect to the server above using the addtrustexternalcaroot.crt certificate.  I was using:

wolfSSL (current GitHub HEAD: https://github.com/wolfssl/wolfssl)
cURL (curl 7.39.0)

curl --cacert ~/Downloads/addtrustexternalcaroot.crt https://www.jctixx.de

I noticed that several certificates in that server's cert chain used 4096-bit RSA keys.  Do you know what settings have been used to compile wolfSSL/CyaSSL?  If wolfSSL has been compiled to use the fastmath library (USE_FAST_MATH), FP_MAX_BITS in ./wolfssl/wolfcrypt/tfm.h will need to be set to 8192 to accommodate 4096-bit RSA keys.  You can either change this in tfm.h, or add it to the preprocessor flags when compiling wolfSSL.

Thanks,
Chris

https://www.wolfssl.com

chrisc's Website

Share

  • Registered: 2015-08-19
  • Posts: 6

Re: [SOLVED] CA signer not available for verification

Yes, I have changed the files correctly to incorporate the changes needed for 4096 bit certificates.
However, it did not work.
Could be because of the fact that the version of stable CyaSSL package in OpenWRT 14.07 is fairly old (3.2.0).

Share

  • From: Bozeman, MT
  • Registered: 2010-10-20
  • Posts: 650

Re: [SOLVED] CA signer not available for verification

Your comment about the version made me go back and test using an older version of CyaSSL (3.2.0).  At first using our example client to connect to your server failed with the older version.  In order to get it to work, I needed to:

1.  Define FP_MAX_BITS to 8192 (since two of the certs in the chain use 4096-bit keys)
2.  Compile CyaSSL/wolfSSL with SHA-512 enabled (--enable-sha512).  This enables SHA-384 as well.  One of the chain certificates uses SHA-384 w/ RSA as a Signature Algorithm.

Can you try #2 above and see if it fixes your issue?

Thanks,
Chris

https://www.wolfssl.com

chrisc's Website

Share

  • Registered: 2015-08-19
  • Posts: 6

Re: [SOLVED] CA signer not available for verification

Thanks a lot Chris,
that did it.
So in the end I had to define FP_MAX_BITS to 8192, then change the MAX_DH_SZ to 1036 and finally compile SHA-512 enabled (--enable-sha512).
Then it did work.

Regards

Share

  • From: Bozeman, MT
  • Registered: 2010-10-20
  • Posts: 650

Re: [SOLVED] CA signer not available for verification

Glad things are working now  smile

https://www.wolfssl.com

chrisc's Website

Share

  • Registered: 2015-08-19
  • Posts: 6

Re: [SOLVED] CA signer not available for verification

Thanks for your help.
Just a quick question - this: https://dev.openwrt.org/browser/trunk/p … ?rev=42526 is the Makefile of the Cyassl 3.2.0 in OpenWRT. I managed to add the --enable-sha512 bit on my local version. Do you see any possibility to do both other changes (FP_MAX_BITS 8192 and MAX_DH_SZ 1036) via that Makefile - so that on does not to change the source files by hand?
That would be awesome smile!
Thanks!

Share