Topic: Help with err = -188, ASN no signer to confirm failure

Hi,

I'm getting the above error when running the example client in the JNI package to connect to a DTLS server (by BouncyCastle).  Specifically:
- wolfssl configured with "--enable-jni" and "--enable-dtls" and built on a linux platform (all the tests pass)
- the example certificates in the wolfssljni package used by both the wolfssl client and BC server (on the Windows platform)
- "server-cert.pem", "server-key.pem" and "ca-cert.pem" are used as server credentials
- the client is run with "-u -v 2"

FYI, the wolfssl jni server works with the BC client using the same set of example certificates in the wolfssl jni package.

Any help would be greatly appreciated.

Thanks,
--Hyong


Re: Help with err = -188, ASN no signer to confirm failure

Hi hyongsop,

It sounds like you have used our test certificates in JNI server and connected the wolfJNI server with the BC client and that works.

Then you tried connecting to the BC server with the wolfJNI client and that did not work but instead returned a -188 error, correct?


If that is the case you have two options:

#1 You need to procure the certificate authority for the BC server, copy it over to linux and load it into the wolfJNI client with these options:

-u -v 2 -A <path-to>/BC-CA-certificate.pem

#2 You can opt to disable peer authentication just to see if the connection is working with these options:

-u -v 2 -d

By default wolfSSL clients try to always authenticate the peer server as this should be "default" behavior for "best" security practices. It sounds like you did not have to copy our ca-cert.pem over to windows BC client before testing that connection so I would assume they are not doing peer authentication by default. That is not good security practice and I would recommend against following this pattern of behavior if that is indeed the case.

Warm Regards,

Kaleb

Re: Help with err = -188, ASN no signer to confirm failure

Hi,

Thanks for the response.

Actually, I copied the wolfssl example certificates to Windows and modified the BC client to use them (without the "-d" option), successfully establishing a connection with the wolfssl jni server and exchanging data with it.

The above problem occurred when I tried to use the BC server (modified to use the wolfssl certs) with the wolfssl jni client.

I just copied the BC's example certs over to where the wolfssl jni is installed and tried to run the wolfssl jni client with the BC server (using the BC certs).  This time, I get a different error (err = -362, CRL missing):

=== begin ===
~/wolfssl/wolfssljni$ ./examples/client.sh -u -v 2 -c ../certs/bc/x509-client.pem -k ../certs/bc/x509-client-key.pem -A ../certs/bc/x509-ca.pem -h windows_ip_addr -p 5556
Registered I/O callbacks
Entered MyMissingCRLCallback, url =
Hello from Java verify callback!
peer cert verification failed
wolfSSL_connect failed. err = -362, CRL missing, not loaded
=== end ===

Thanks again for your response and look forward to any thoughts you have on this.

--Hyong


Re: Help with err = -188, ASN no signer to confirm failure

Hi hyongsop,

Ok, this makes sense. Thanks for the info. By default our jni client example tries to load a Certificate Revocation List (CRL) to make sure your server's certificate is not an untrusted certificate. However, our test CRL is related to our test ca-cert.pem. You can either remove this code block from the test Client.java:

//            ret = ssl.enableCRL(WolfSSL.WOLFSSL_CRL_CHECKALL);
//            if (ret != WolfSSL.SSL_SUCCESS) {
//                System.out.println("failed to enable CRL check");
//                System.exit(1);
//            }
//            ret = ssl.loadCRL(crlPemDir, WolfSSL.SSL_FILETYPE_PEM, 0);
//            if (ret != WolfSSL.SSL_SUCCESS) {
//                System.out.println("can't load CRL, check CRL file and date " +
//                        "validity");
//                System.exit(1);
//            }
//            MyMissingCRLCallback crlCb = new MyMissingCRLCallback();
//            ret = ssl.setCRLCb(crlCb);
//            if (ret != WolfSSL.SSL_SUCCESS) {
//                System.out.println("can't set CRL callback");
//                System.exit(1);
//            }

Or you can generate a CRL that is related to your new CA (certs/bc/x509-ca.pem). To see how we generate our test CRL, please see the script in <wolfssl-root>/certs/crl/gencrls.sh.


Regards,

Kaleb

Re: Help with err = -188, ASN no signer to confirm failure

Hi,

I commented out the lines in Client.java to disable the CRL check.  Now I'm back to getting the same error (err = -188):

=== begin ===
./examples/client.sh -u -v 2 -c ../certs/bc/x509-client.pem -k ../certs/bc/x509-client-key.pem -A ../certs/bc/x509-ca.pem -h windows_ip_addr -p 5556
Registered I/O callbacks
Hello from Java verify callback!
peer cert verification failed
wolfSSL_connect failed. err = -188, ASN no signer error to confirm failure
=== end ===

So the situation is that the "ASN no signer to confirm failure" error occurs with both the BC certs and wolfssl certs when the wolfssl jni client tries to establish the DTLS connection with the BC server.  Obviously, the DTLS handshake doesn't even start. 

Thanks again and look forward to getting your input on this.
--Hyong


Re: Help with err = -188, ASN no signer to confirm failure

Hi hyongsop,

Could you attach the certificates from the BC server?

It sounds like the BC server may be using a certificate NOT signed by the x509-ca.pem you loaded with the -A option above. Perhaps it's a self-signed certificate instead of a cert signed by a CA, in which case you would want to load just the server's cert itself in the -A parameter instead of the x509-ca.pem.

Either way, being able to look at the Subject and Issuer lines of the certs you are using would be helpful to determine the issue.


Regards,

Kaleb
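As an added, constructed example (not files or code from this thread, and not wolfSSL's own tooling), here are the two local checks the last two replies ask for, done with the openssl CLI: whether the server certificate's Issuer matches the Subject of the CA file handed to -A (the -188 "no signer" case), and what happens to that same chain when revocation checking is on without, and then with, a CRL issued by that CA (the -362 "CRL missing" case). It builds its own throwaway CA, server cert and unrelated CA in a temp directory, so it needs nothing from the thread.

```shell
#!/bin/sh
# Constructed demo (not files from the thread): make a throwaway CA, a server
# cert it signs and an unrelated CA, then run the two local checks behind a
# -188 (no signer) and a -362 (CRL missing) result.  Needs the openssl CLI.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed test CA (Subject == Issuer) and a server cert signed by it.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca-key.pem -out ca.pem \
    -subj "/CN=Demo Test CA" -days 2 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server.csr \
    -subj "/CN=demo-server" >/dev/null 2>&1
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
    -out server.pem -days 2 >/dev/null 2>&1
# A second, unrelated CA: what the wrong file on -A looks like to the client.
openssl req -x509 -newkey rsa:2048 -nodes -keyout other-key.pem -out other-ca.pem \
    -subj "/CN=Unrelated CA" -days 2 >/dev/null 2>&1

# The DNs to compare by eye, with the "subject="/"issuer=" prefix stripped.
subject_of() { openssl x509 -in "$1" -noout -subject | sed 's/^subject=//'; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//'; }

# Chain check: exit 0 only when the CA in $2 actually signed the cert in $1.
chain_ok() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Same check with revocation enforced; $3 is the CA's CRL, or empty for none.
chain_ok_with_crl() {
    if [ -n "$3" ]; then
        openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -crl_check -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# Issue an empty CRL for the demo CA; this minimal config is all -gencrl needs.
printf '[ ca ]\ndefault_ca = demo\n[ demo ]\ndatabase = index.txt\n' > ca.cnf
printf 'private_key = ca-key.pem\ncertificate = ca.pem\ndefault_md = sha256\n' >> ca.cnf
: > index.txt
openssl ca -config ca.cnf -gencrl -crldays 1 -out ca.crl >/dev/null 2>&1

echo "server Issuer: $(issuer_of server.pem)"
echo "CA Subject   : $(subject_of ca.pem)"
chain_ok server.pem ca.pem       && echo "right CA on -A: chain verifies"
chain_ok server.pem other-ca.pem || echo "wrong CA on -A: no signer found (the -188 case)"
chain_ok_with_crl server.pem ca.pem        || echo "CRL check, no CRL loaded: fails (the -362 case)"
chain_ok_with_crl server.pem ca.pem ca.crl && echo "CRL check, CRL loaded: chain verifies"
```

Point the same two functions at the real x509-server.pem and x509-ca.pem to see in seconds whether the file given to -A can sign what the server presents, before involving either TLS stack.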

Re: Help with err = -188, ASN no signer to confirm failure

Hi,

Thanks for the response.

Attached is 'x509-ca.pem.'  I did verify that the CA's cert is self-signed (both the issuer and subject are "CN=BouncyCastle TLS Test CA") and that the server's cert, x509-server.pem, has "CN=BouncyCastle TLS Test CA" as its issuer.

As per your suggestion, I tried the client with "-A ../certs/bc/x509-server.pem".  I also combined the ca and server certs into a single pem file and used that for the '-A' argument.  Both produced the same no signer error...

I also checked that wolfssl's CA cert is also self-signed.  The main difference between wolfssl's CA cert and BC's CA cert seems to be the key length (wolfssl = 2048 bits, BC = 2432 bits).  Would it make a difference?  I don't think so; when I tried the same test with the wolfssl certs, I was getting the same error.

Thanks again for your support.
--Hyong


Re: Help with err = -188, ASN no signer to confirm failure

Hi hyongsop,

The attachment did not make it through, could you re-send or copy into a "code" block here?

A key length of 2432 is a non-standard key length. Typically RSA keys are evenly divisible by 1024 (1024, 2048, 3072, 4096... etc). I would be curious to see it regardless.

When you tested with the wolfSSL certificates, again just to confirm, you copied our certs over to your Windows machine and loaded the wolfSSL certificates into the BC server before attempting to connect the client, correct?


It is possible there may be a bug in the JNI client but that is doubtful as it is widely used and well tested. Have you tested against the BC server using the client example that ships with wolfSSL?

You could test by running this command from the <wolfssl-root> directory after you have configured and made our library:

./examples/client/client <same arguments as used in JNI client>

The JNI client and examples/client take the same command line arguments, so you'd just need to copy/paste your certs into the <wolfssl-root>/certs directory and, instead of ../certs/<certname>, just use ./certs/<certname>.

Regards,

Kaleb

Re: Help with err = -188, ASN no signer to confirm failure

Hi,

Kaleb J. Himes wrote:

Hi hyongsop,

The attachment did not make it through, could you re-send or copy into a "code" block here?

A key length of 2432 is a non-standard key length. Typically RSA keys are evenly divisible by 1024 (1024, 2048, 3072, 4096... etc). I would be curious to see it regardless.

I added the content of the x509-ca.pem file at the end.

Kaleb J. Himes wrote:

Have you tested against the BC server using the client example that ships with wolfSSL?

This is the scenario that I've been trying to get going without success.

I've just tried the wolfssl client with the wolfssl server using the BC's certs, and they worked (after disabling the CRL check in the Server first).  Below shows how I ran the server and client:

./examples/server.sh -u -v 2 -c ../certs/bc/x509-server.pem -k ../certs/bc/x509-server-key.pem -A ../certs/bc/x509-ca.pem
./examples/client.sh -u -v 2 -c ../certs/bc/x509-client.pem -k ../certs/bc/x509-client-key.pem -A ../certs/bc/x509-ca.pem

So I doubt that the problem is with the certs themselves.  Since the client didn't generate the no signer error either in the above, the only other source of the problem is the cert sent by the BC server, but so far, I don't see how that can be...

Any other suggestions?  Is there a way to see the log messages generated by the Client and Server?

Thanks again,
--Hyong

cat examples/certs/bc/x509-ca.pem



Re: Help with err = -188, ASN no signer to confirm failure

Hi,

Indeed, the BC server was sending a bad CA certificate to the wolfssl jni client, and that was causing the no signer error (the error was mine, made during a previous test).

Now, with the server sending the correct cert, I ran into a different issue.  During the handshake, in response to the initial "client_hello", the server sends "server_hello," "certificate", "server_key_exchange," "certificate_request", and "server_hello_done."  Then the server receives from the client another "client_hello" message, at which point the server quits the handshake.

Is this a correct client behavior?  It seems the BC server is implementing a different handshake protocol than the client...

Thanks again,
--Hyong


Re: Help with err = -188, ASN no signer to confirm failure

Hi hyongsop,

Any other suggestions?  Is there a way to see the log messages generated by the Client and Server?

Yes, you can configure wolfssl with the same configure options as before and add

--enable-debug

Then the JNI client will dump out a debug log to the command line console when run. Could you send that?

Also, another suggestion would be, if you can capture a Wireshark trace of the connection, please attach and send a pcap of that connection. If the pcap will not attach to the blog post, you can email it to me directly at kaleb@wolfssl.com


Is this a correct client behavior?  It seems the BC server is implementing a different handshake protocol than the client...

If there was no application data and the client simply started over, then no, this is not correct behavior. If session resumption is on and the server finished its connection "test" and then hung up, the client might have tried to resume the session and then failed. It's difficult to speculate without a Wireshark trace to confirm which case, though.

Regards,

Kaleb