Topic: Problem with wolfSSL - CA parse failed

Hello All:

I have wolfSSL working fine with the Atmel Zero touch AWS kit (http://www.atmel.com/applications/iot/a … b=overview). It has WINC1500 WiFi and CryptoAuthentication chip ATECC508.

Now I'm trying to port it to my hardware with a different network interface (Ethernet), and I'm getting the following error, which I'm not sure is related to a network problem or something else.... I'm using the same crypto chip that was provisioned in the other hardware, so that should be OK. But it seems it has a problem adding the CA certificate... I see the log shows a connection problem, but I think it's a consequence of the previous error, as I can see the connection with the host happens, although there is no Client HELLO message after that.

Here is the log I have:

wolfSSL Entering WOLFSSL_CTX_new
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering wolfSSL_CTX_set_cipher_list
wolfSSL Entering wolfSSL_CTX_load_verify_buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return -150
wolfSSL error occurred, error = -150
CA Parse failed, with progress in file.
Search for other certs in file
ERROR: aws_client_net_tls_cb L#355 Failed to set root cert!
wolfSSL Entering SSL_CTX_free
CTX ref count down to 0, doing full free
wolfSSL Entering wolfSSL_CertManagerFree
wolfSSL Leaving SSL_CTX_free, return 0
wolfSSL Entering wolfSSL_Cleanup
ERROR: aws_client_init_mqtt_client L#122 Error(7) : Failed to connect to Host!

What is this error exactly? Is this related with CA certificate? I would appreciate any help.

Thanks
Gus


Re: Problem with wolfSSL - CA parse failed

I have to set the date/time, as the error indicates the CA cert is expired.

Thanks


Re: Problem with wolfSSL - CA parse failed

Hi gussabina,

Thanks for the update; it looks like you were able to resolve the -150 (ASN_BEFORE_DATE_E) issue by updating the device clock. As you had asked, -150 stands for ASN_BEFORE_DATE_E (E short for error).

You can find a list of our error codes in <wolf-root>/wolfssl/wolfcrypt/error-crypt.h, where the error falls between -100 and -300.
Any error code less than -300 would be an SSL/TLS level error and can be found in <wolf-root>/wolfssl/error-ssl.h.


Best Regards,

Kaleb

Re: Problem with wolfSSL - CA parse failed

Hello Kaleb:

Many thanks for your support. I'm advancing a little bit, but I'm still struggling to connect to AWS with mutual authentication. :-(

I revised the networking layers and now everything seems to be OK; I send and receive all information (I was able to set up Wireshark with a mirroring port so I can see what is going on in the embedded device's Ethernet interface).

So now I have problems processing the SERVER_HELLO answer; it seems it's not able to verify the certificate signature... Here is the log:

received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server hello
wolfSSL Entering VerifyClientSuite
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
More messages in record
received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing certificate
Loading peer's cert chain
    Put another cert into chain
    Put another cert into chain
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Failed to verify CA from chain
Verifying Peer's cert
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAltNames
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Certificate Policy extension not supported yet.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
About to verify certificate signature
No CA signer to verify with
Failed to verify Peer's cert
        No callback override available, fatal
wolfSSL Leaving DoHandShakeMsgType(), return -188
wolfSSL Leaving DoHandShakeMsg(), return -188
wolfSSL error occurred, error = -188
ERROR: aws_client_mqtt_connect L#193 Error(8) : Failed to TLS connect!

wolfSSL Entering SSL_free
CTX ref count not 0 yet, no free
Shrinking input buffer

wolfSSL Leaving SSL_free, return 0
wolfSSL Entering SSL_CTX_free
CTX ref count down to 0, doing full free
wolfSSL Entering wolfSSL_CertManagerFree
wolfSSL Leaving SSL_CTX_free, return 0
wolfSSL Entering wolfSSL_Cleanup
ERROR: aws_client_init_mqtt_client L#122 Error(7) : Failed to connect to Host!

(Note: I can attach the complete log - with certificates and public keys if necessary...).

Could you please tell me what is wrong? Since I got all this code from a working example (with a different processor), I would assume all certificates would be in place.

I would really appreciate your help.

Thanks
Gus


Re: Problem with wolfSSL - CA parse failed

Hi gussabina,

Good deal, you are nearly there. To solve this issue please use the API

wolfSSL_CTX_load_verify_(locations/buffer)

prior to calling wolfSSL_new(ctx) to create the SSL object.

The certificate that is loaded with that API MUST be AT A MINIMUM the CA ROOT that signed the server's certificate.

FOR EXAMPLE:

If I go to aws.amazon.com and look at the certificate chain that was sent to my browser, I see:

Starfield Services Root Certificate Authority - G2
    Amazon Root CA 1
        Amazon
            aws.amazon.com

So at a minimum, if I were connecting to that domain with a wolfSSL client and doing peer auth, I would need to load the "Starfield Services Root Certificate Authority - G2" with wolfSSL_CTX_load_verify_locations (or optionally place that cert in a buffer and load it with wolfSSL_CTX_load_verify_buffer).

You can get a copy of that cert in either PEM or DER format from the Amazon Trust Services repository here: https://www.amazontrust.com/repository/

This IS NOT necessarily the certificate you will need, as your Amazon instance might have a different ROOT CA signer. Please check YOUR Amazon Web Services domain and ROOT CA. This was an example of how you might go about locating that.


Warm Regards,

Kaleb

6 (edited by gussabina 2017-08-02 15:20:03)

Re: Problem with wolfSSL - CA parse failed

Hello Kaleb:

There is only one place in the code where that function is called, and it seems to be OK (no errors seen in the log):

    /* Since the AWS IoT server was signed by the VeriSign root CA, this root CA
       certificate should be loaded into wolfSSL to verify AWS IoT. */
    ret = wolfSSL_CTX_load_verify_buffer(kit->tls.context, AWS_IOT_ROOT_CERT, sizeof(AWS_IOT_ROOT_CERT),
                                         SSL_FILETYPE_PEM);
    if (ret != SSL_SUCCESS) {
        AWS_ERROR("Failed to set root cert!");
        break;
    }

I checked that AWS_IOT_ROOT_CERT is defined (I copied it from the working example).

I'm confused, as it seems the CA is processed twice: before sending the CLIENT_HELLO and after receiving the SERVER_HELLO. Is this the case?

The first time seems to be OK, according to the log:

wolfSSL Entering wolfSSL_Init
wolfSSL Entering WOLFSSL_CTX_new
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering wolfSSL_CTX_set_cipher_list
wolfSSL Entering wolfSSL_CTX_load_verify_buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK

wolfSSL Entering wolfSSL_CTX_use_certificate_chain_buffer
wolfSSL Entering PemToDer
Growing Tmp Chain Buffer
Processing Cert Chain
wolfSSL Entering PemToDer
   Consumed another Cert in Chain
Finished Processing Cert Chain

But the second time is when it fails:

processing certificate
Loading peer's cert chain
    Put another cert into chain
    Put another cert into chain
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Failed to verify CA from chain
Verifying Peer's cert
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAltNames
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Certificate Policy extension not supported yet.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
About to verify certificate signature
No CA signer to verify with
Failed to verify Peer's cert
        No callback override available, fatal

wolfSSL Leaving DoHandShakeMsgType(), return -188
wolfSSL Leaving DoHandShakeMsg(), return -188
wolfSSL error occurred, error = -188
ERROR: aws_client_mqtt_connect L#193 Error(8) : Failed to TLS connect!

However, the CA is loaded only once, at the beginning...
Am I missing something? My background is not good at this point...

Thanks
Gus


Re: Problem with wolfSSL - CA parse failed

Hi gussabina,

You can call that API many times. Each call will append a new cert for verification. Then, when connecting to an entity that sends a certificate, wolfSSL will iterate over ALL the certs that have been loaded in "verify locations". If it finds one that can validate the entity, then everything continues as expected. If the entity cannot be validated with any of the loaded verify certs, then the -188 ASN NO SIGNER error will be returned, as you see in your case.

Obviously the cert currently being loaded is not capable of verifying the cert sent by the server. Please double-check the domain you are connecting to and the certificate that signed that domain's cert. Load that CA ALSO or ONLY. The one currently being loaded is NOT able to validate the domain in question.


Warm Regards,

Kaleb
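The chain check Kaleb describes, as an added example that is not code from this thread or from wolfSSL: it uses Go's standard crypto/x509 (whose Verify applies the same rule, some loaded root must anchor the server's chain at the current time) with certificates constructed in the code, so both the no-signer case behind -188 and the device-clock case behind -150 can be reproduced offline. The names "Constructed Right Root CA", "Constructed Wrong Root CA" and iot.example.test are made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert builds a CA or end-entity certificate; with parent == nil it is self-signed (a root).
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil { // self-signed: the certificate is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// NewScenario returns constructed certs (leaf, intermediate, rightRoot, wrongRoot); wrongRoot stands in for a root CA copied from another project.
func NewScenario() (*x509.Certificate, *x509.Certificate, *x509.Certificate, *x509.Certificate) {
	rightRoot, rightKey := makeCert("Constructed Right Root CA", true, nil, nil)
	wrongRoot, _ := makeCert("Constructed Wrong Root CA", true, nil, nil)
	inter, interKey := makeCert("Constructed Intermediate CA", true, rightRoot, rightKey)
	leaf, _ := makeCert("iot.example.test", false, inter, interKey)
	return leaf, inter, rightRoot, wrongRoot
}

// VerifyLeaf: each entry in roots is one loaded "verify location"; the leaf passes only if some root anchors its chain at time now.
func VerifyLeaf(leaf *x509.Certificate, chain, roots []*x509.Certificate, now time.Time) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, c := range chain {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool, CurrentTime: now})
	return err
}
```

Loading only the wrong root fails the way -188 does, loading both roots succeeds because the verifier tries every loaded root, and verifying with the clock at 1970 fails the way -150 did before the device time was set.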