Topic: ASN signer error with OCSP stapling

I try the following:

./examples/client/client  -h mozilla.org -p 443 -W  -A DigiCert_High_Assurance_EV_Root_CA.pem
err = -188, ASN no signer error to confirm failure
wolfSSL error: SSL_connect failed


and I get the above error.
When I remove the OCSP stapling part, I get

./examples/client/client  -h mozilla.org -p 443  -A DigiCert_High_Assurance_EV_Root_CA.pem
SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Server response: HTTP/1.0 400 Bad request
Content-Type: text/html

<h2>Client sent a bad requ

which seems like it connected fine. Any idea why OCSP is failing?


Re: ASN signer error with OCSP stapling

Hi earlenceferns,

Although not in the example client usage, the "-W" parameter requires an argument. Using your above command, to connect to mozilla.org:443 using OCSP Stapling V2, you would want to do:

$ cd wolfssl-3.9.6
$ ./configure --enable-ocspstapling2
$ make
$ ./examples/client/client -h mozilla.org -p 443 -A DigiCert_High_Assurance_EV_Root_CA.pem -W 2

Best Regards,
Chris

Re: ASN signer error with OCSP stapling

Hi Chris

Why does this have to be OCSP stapling v2? I tried -W 1 but it gives another error:

wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
wolfSSL Entering wolfSSL_CTX_EnableOCSP
wolfSSL Entering wolfSSL_CertManagerEnableOCSP
wolfSSL Entering InitOCSP
wolfSSL Entering SSL_set_fd
wolfSSL Leaving SSL_set_fd, return 1
wolfSSL Entering SSL_connect()
growing output buffer

wolfSSL Entering SetOcspReqExtensions
Shrinking output buffer

connect state: CLIENT_HELLO_SENT
received record layer msg
got ALERT!
Got alert
wolfSSL error occurred, error = 40
wolfSSL error occurred, error = -313
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -313
wolfSSL Entering ERR_error_string
err = -313, revcd alert fatal error
wolfSSL error: SSL_connect failed


Re: ASN signer error with OCSP stapling

Hi earlenceferns,

It appears that mozilla.org does not support the OCSP nonce extension; you can remove it in client.c by replacing:

wolfSSL_UseOCSPStapling(ssl, WOLFSSL_CSR_OCSP,
                        WOLFSSL_CSR_OCSP_USE_NONCE);

with:

wolfSSL_UseOCSPStapling(ssl, WOLFSSL_CSR_OCSP,
                        0);

There was also a bug in the certificate lookup, a fix is in progress for that one. You can track it here:

https://github.com/wolfSSL/wolfssl/pull/487

[ ]'s
Moisés

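The nonce Moisés refers to travels inside the TLS status_request extension (RFC 6066 section 8) as a DER-encoded OCSP request extension. What follows is an added example, not code from wolfSSL or from this thread: a pure Python builder and parser for that extension body, which makes visible the exact bytes that differ between the WOLFSSL_CSR_OCSP_USE_NONCE variant and the 0 variant above. All function names are this example's own; the OID and the layout come from RFC 6066 and RFC 6960/RFC 8954, and the sample nonce is constructed here.

```python
"""Build and parse the TLS status_request extension body (RFC 6066 s8),
with or without the OCSP Nonce request extension (RFC 6960 / RFC 8954).
Added example for the wolfSSL forum thread; not wolfSSL code."""
import os
from typing import Optional

OCSP_NONCE_OID = "1.3.6.1.5.5.7.48.1.2"   # id-pkix-ocsp-nonce
STATUS_TYPE_OCSP = 1                        # CertificateStatusType.ocsp


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def build_status_request(nonce: Optional[bytes]) -> bytes:
    """CertificateStatusRequest with status_type ocsp and an empty
    responder_id_list. request_extensions carries the DER Extensions
    SEQUENCE; with nonce=None it is empty, which is the wire effect of
    passing 0 instead of WOLFSSL_CSR_OCSP_USE_NONCE in the thread above."""
    if nonce is None:
        exts = b""
    else:
        # Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }
        # extnValue holds the DER Nonce ::= OCTET STRING, hence the nesting.
        nonce_ext = der_tlv(0x30, der_oid(OCSP_NONCE_OID)
                            + der_tlv(0x04, der_tlv(0x04, nonce)))
        exts = der_tlv(0x30, nonce_ext)
    return (bytes([STATUS_TYPE_OCSP])
            + (0).to_bytes(2, "big")           # responder_id_list length
            + len(exts).to_bytes(2, "big")     # request_extensions length
            + exts)


def der_read(data: bytes, pos: int):
    """Return (tag, body, next_pos) for the DER TLV starting at pos."""
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + ln > len(data):
        raise ValueError("DER element runs past end of buffer")
    return tag, data[pos:pos + ln], pos + ln


def parse_status_request(data: bytes) -> dict:
    """Decode a CertificateStatusRequest body and report whether (and which)
    nonce the client asked for. Raises ValueError on malformed input."""
    if len(data) < 5 or data[0] != STATUS_TYPE_OCSP:
        raise ValueError("not an ocsp status_request")
    rid_len = int.from_bytes(data[1:3], "big")
    pos = 3 + rid_len
    ext_len = int.from_bytes(data[pos:pos + 2], "big")
    pos += 2
    if pos + ext_len != len(data):
        raise ValueError("truncated request_extensions or trailing bytes")
    exts = data[pos:]
    result = {"responder_ids_len": rid_len, "nonce": None, "extension_oids": []}
    if not exts:
        return result
    tag, seq, end = der_read(exts, 0)
    if tag != 0x30 or end != len(exts):
        raise ValueError("request_extensions is not a single DER SEQUENCE")
    p = 0
    while p < len(seq):
        tag, ext, p = der_read(seq, p)
        if tag != 0x30:
            raise ValueError("Extension is not a SEQUENCE")
        tag, oid_body, q = der_read(ext, 0)
        oid = decode_oid(oid_body)
        result["extension_oids"].append(oid)
        tag, val, q = der_read(ext, q)
        if tag == 0x01:                       # optional critical BOOLEAN
            tag, val, q = der_read(ext, q)
        if tag != 0x04:
            raise ValueError("extnValue is not an OCTET STRING")
        if oid == OCSP_NONCE_OID:
            inner_tag, inner, _ = der_read(val, 0)
            result["nonce"] = inner if inner_tag == 0x04 else val
    return result


if __name__ == "__main__":
    sample_nonce = os.urandom(16)             # constructed sample value
    for label, req in (("with nonce", build_status_request(sample_nonce)),
                       ("without nonce", build_status_request(None))):
        print(f"{label:14} {req.hex()}  ->  {parse_status_request(req)}")
```

Running it prints both encodings: the request without the nonce is the five-byte body 01 00 00 00 00, while the nonce variant adds the 35-byte Extensions SEQUENCE that the server in the thread evidently refuses. For reference, the "error = 40" line in the debug log above is the TLS alert number the server sent, handshake_failure in RFC 5246.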