Topic: error = -188, ASN no signer error to confirm failure

Hi!
I've been trying to run an HTTPS client PoC on linux. First my own code, then the wolfSSL example (https://github.com/wolfSSL/wolfssl-exam … ient-tls.c). I had the same message error with both (error = -188, ASN no signer error to confirm failure).

I read a couple of posts about that, and it looks like a certificate validation issue. I tried using

wolfSSL_CTX_use_certificate_chain_file()

and

wolfSSL_CTX_load_verify_locations()

using the root CA from the websites I've been using as examples (wolfssl.com, google.com, etc.), but with no success.

Let's say I want to connect to google.com. Which exact PEM file must I use in those functions?

Thanks in advance!


Re: error = -188, ASN no signer error to confirm failure

Hi msorage,

This return code indicates that you do not have a root certificate that chains up to the certificate provided by the server. You can use your browser to go to any site, look up the security settings for that site and from there export the root certificate, held by your browser, that chains up to it.

I hope this helps!
Warm regards, Anthony


Re: error = -188, ASN no signer error to confirm failure

Hi Anthony, thank you for the answer!

I tried with those certs you mentioned, from my browser. First wolfSSL_CTX_load_verify_locations() with the server cert, then wolfSSL_CTX_use_certificate_chain_file() with the chain certs. Using the latter, I tried just the root cert as well, but got the same result.

Regards,
msorage


Re: error = -188, ASN no signer error to confirm failure

Hi msorage,

Thanks for trying this out.  I guess we're going to need more information.  Can you start by turning on logging? Build with --enable-debug and call wolfSSL_Debugging_ON() at the beginning of your application.

Warm regards, Anthony


Re: error = -188, ASN no signer error to confirm failure

Done!

$ ./wolf_client www.wolfssl.com 443             
Remote address is: 199.232.114.137 https
Creating socket...
Connecting...
Connected.

ERROR: failed to connect to wolfSSL
error = -188, ASN no signer error to confirm failure 
➜  ssl_test gcc wolf_client.c -o wolf_client -lm -lwolfssl
➜  ssl_test ./wolf_client www.wolfssl.com 443             
Remote address is: 199.232.114.137 https
Creating socket...
Connecting...
Connected.

wolfSSL Entering SSLv23_client_method_ex
wolfSSL Entering wolfSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
wolfSSL_CTX_load_verify_locations_ex
Getting dynamic buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAltNames
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
Certificate Policy extension not supported yet.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
wolfSSL Entering GetObjectId()
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
        Parsed new CA
        Freeing Parsed CA
        Freeing der CA
                OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
wolfSSL Entering SSL_set_fd
wolfSSL Entering SSL_set_read_fd
wolfSSL Leaving SSL_set_read_fd, return 1
wolfSSL Entering SSL_set_write_fd
wolfSSL Leaving SSL_set_write_fd, return 1
wolfSSL Entering SSL_connect()
wolfSSL Entering SendTls13ClientHello
Adding signature algorithms extension
Adding supported versions extension
wolfSSL Entering EccMakeKey
wolfSSL Leaving EccMakeKey, return 0
growing output buffer
Key Share extension to write
Supported Versions extension to write
Signature Algorithms extension to write
Point Formats extension to write
Supported Groups extension to write
Encrypt-Then-Mac extension to write
EMS extension to write
Shrinking output buffer
wolfSSL Leaving SendTls13ClientHello, return 0
connect state: CLIENT_HELLO_SENT
growing input buffer
received record layer msg
got HANDSHAKE
wolfSSL Entering DoTls13HandShakeMsg()
wolfSSL Entering DoTls13HandShakeMsgType
processing server hello
wolfSSL Entering DoTls13ServerHello
Supported Versions extension received
Skipping Supported Versions - already processed
Key Share extension received
wolfSSL Entering EccSharedSecret
wolfSSL Entering wc_ecc_shared_secret_gen_sync
wolfSSL Leaving wc_ecc_shared_secret_gen_sync, return 0
wolfSSL Leaving wc_ecc_shared_secret_ex, return 0
wolfSSL Leaving EccSharedSecret, return 0
wolfSSL Entering VerifyClientSuite
wolfSSL Leaving DoTls13ServerHello, return 0
Shrinking input buffer
Derive Early Secret
Derive Handshake Secret
Derive Client Handshake Secret
Derive Server Handshake Secret
Derive Client Key
Derive Server Key
Derive Client IV
Derive Server IV
wolfSSL Leaving DoTls13HandShakeMsgType(), return 0
wolfSSL Leaving DoTls13HandShakeMsg(), return 0
wolfSSL Entering wolfSSL_connect_TLSv13()
connect state: HELLO_AGAIN
connect state: HELLO_AGAIN_REPLY
growing input buffer
wolfSSL Entering DecryptTls13
received record layer msg
got HANDSHAKE
wolfSSL Entering DoTls13HandShakeMsg()
wolfSSL Entering DoTls13HandShakeMsgType
processing encrypted extensions
wolfSSL Entering DoTls13EncryptedExtensions
wolfSSL Leaving DoTls13EncryptedExtensions, return 0
Shrinking input buffer
wolfSSL Leaving DoTls13HandShakeMsgType(), return 0
wolfSSL Leaving DoTls13HandShakeMsg(), return 0
growing input buffer
wolfSSL Entering DecryptTls13
received record layer msg
got HANDSHAKE
wolfSSL Entering DoTls13HandShakeMsg()
wolfSSL Entering DoTls13HandShakeMsgType
processing certificate
wolfSSL Entering DoTls13Certificate
wolfSSL Entering ProcessPeerCerts
Loading peer's cert chain
        Put another cert into chain
        Put another cert into chain
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
wolfSSL Entering GetObjectId()
Certificate Policy extension not supported yet.
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
No CA signer to verify with
Failed to verify CA from chain
wolfSSL error occurred, error = -188
wolfSSL Entering SendAlert
growing output buffer
wolfSSL Entering BuildMessage
wolfSSL Entering BuildTls13Message
wolfSSL Entering EncryptTls13
wolfSSL Leaving BuildTls13Message, return 0
Shrinking output buffer
wolfSSL Leaving SendAlert, return 0
Verifying Peer's cert
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAltNames
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
Certificate Policy extension not supported yet.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
wolfSSL Entering GetObjectId()
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
No CA signer to verify with
Failed to verify Peer's cert
        No callback override available, fatal
wolfSSL error occurred, error = -188
wolfSSL Entering SendAlert
wolfSSL Leaving ProcessPeerCerts, return -188
wolfSSL Leaving DoTls13Certificate, return -188
wolfSSL Leaving DoTls13HandShakeMsgType(), return -188
wolfSSL Leaving DoTls13HandShakeMsg(), return -188
wolfSSL error occurred, error = -188
wolfSSL error occurred, error = -188
ERROR: failed to connect to wolfSSL
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -188
wolfSSL Entering ERR_error_string
error = -188, ASN no signer error to confirm failure 
wolfSSL Entering SSL_free
CTX ref count not 0 yet, no free
Free'ing client ssl
Shrinking input buffer
wolfSSL Entering ClientSessionToSession
wolfSSL Leaving SSL_free, return 0
wolfSSL Entering SSL_CTX_free
CTX ref count down to 0, doing full free
wolfSSL Entering wolfSSL_CertManagerFree
wolfSSL Leaving SSL_CTX_free, return 0
wolfSSL Entering wolfSSL_Cleanup
wolfSSL Entering wolfCrypt_Cleanup

Best regards


Re: error = -188, ASN no signer error to confirm failure

I noticed your address is a numeric IP address. Within the certificate, is that numeric IP address specified?
What names are specified in the certificate?


Re: error = -188, ASN no signer error to confirm failure

Actually, I'm trying to connect to wolfssl.com, but the socket connection is a little different from the examples I found:

#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <sys/socket.h>
#include <netdb.h>

/* GETSOCKETERRNO() is a macro from the rest of the poster's program, not shown here;
 * on Linux it is assumed to expand to errno. */
#ifndef GETSOCKETERRNO
#define GETSOCKETERRNO() (errno)
#endif

    /* hostname and port are the command-line strings. getaddrinfo() resolves either a
     * DNS name or a numeric IP address, so both forms can be passed to the program. */
    struct addrinfo hints;
    memset(&hints, 0, sizeof(hints));
    hints.ai_socktype = SOCK_STREAM;          /* TCP */
    struct addrinfo *peer_address;
    if (getaddrinfo(hostname, port, &hints, &peer_address)) {
        fprintf(stderr, "getaddrinfo() failed. (%d)\n", GETSOCKETERRNO());
        return 1;
    }

    /* Print the resolved peer. NI_NUMERICHOST forces a numeric address, which is why the
     * output above shows 199.232.114.137 rather than the hostname that was typed in. */
    printf("Remote address is: ");
    char address_buffer[100];
    char service_buffer[100];
    getnameinfo(peer_address->ai_addr, peer_address->ai_addrlen,
            address_buffer, sizeof(address_buffer),
            service_buffer, sizeof(service_buffer),
            NI_NUMERICHOST);
    printf("%s %s\n", address_buffer, service_buffer);

I think it's more flexible this way, because I can pass either hostname or IP address to the application.

I got the wolfssl cert from the browser and pass to the function:

if (wolfSSL_CTX_load_verify_locations(ctx, "../certs/www-wolfssl-com.pem", 0)
        != SSL_SUCCESS) {
    err_sys("Error loading certs/ca-cert.pem");
}

"certs/ca-cert.pem" is legacy from the example I follow, sorry.

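The lookup behind this error, as an added example that is not part of the thread and not wolfSSL's code: the reply above says -188 means no loaded root certificate chains up to the server's certificate, and the call just shown loads the site's own certificate through wolfSSL_CTX_load_verify_locations(). The Python below models only the signer lookup (a certificate gets a signer when some loaded CA's Subject equals the certificate's Issuer) and walks the chain in the order the debug log shows, top certificate first. It omits signature, validity and constraint checks, the certificates are constructed DER stand-ins with placeholder keys and signatures, and every function, constant and name in it is the example's own.

```python
import ssl

ASN_NO_SIGNER_E = -188                                  # wolfSSL "no signer" error code
OID_COMMON_NAME = bytes.fromhex("550403")              # 2.5.4.3 commonName
OID_SHA256_RSA = bytes.fromhex("2A864886F70D01010B")   # 1.2.840.113549.1.1.11

def tlv(tag, body):
    """DER-encode one tag-length-value with definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, off):
    """Decode the TLV at buf[off]; return (tag, value, offset after it)."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n

def children(body):
    """Split a constructed value into (tag, whole TLV bytes, inner value) tuples."""
    out, off = [], 0
    while off < len(body):
        start = off
        tag, val, off = read_tlv(body, off)
        out.append((tag, body[start:off], val))
    return out

def name(cn):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID commonName, UTF8String }."""
    atv = tlv(0x30, tlv(0x06, OID_COMMON_NAME) + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))

def fake_cert(subject_cn, issuer_cn):
    """Constructed DER Certificate (assumption: key and signature are zero placeholders)."""
    alg = tlv(0x30, tlv(0x06, OID_SHA256_RSA) + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"341231235959Z"))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + name(issuer_cn) + validity + name(subject_cn) + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))

def cert_names(der):
    """Return (issuer, subject) as raw DER Name encodings of a certificate."""
    _, cert, _ = read_tlv(der, 0)
    fields = children(children(cert)[0][2])          # tbsCertificate fields
    if fields[0][0] == 0xA0:                         # optional explicit [0] version
        fields = fields[1:]
    return fields[2][1], fields[4][1]                # serial, sigAlg, issuer, validity, subject

def name_cn(name_der):
    """Extract the commonName string from a DER Name."""
    for _, _, rdn in children(read_tlv(name_der, 0)[1]):
        for _, _, atv in children(rdn):
            oid, value = children(atv)
            if oid[2] == OID_COMMON_NAME:
                return value[2].decode()
    return "<no CN>"

def find_signer(cert_der, store):
    """The lookup that fails with -188: a loaded CA whose Subject equals cert's Issuer."""
    issuer, _ = cert_names(cert_der)
    return next((ca for ca in store if cert_names(ca)[1] == issuer), None)

def check_chain(chain, trust_store):
    """chain: certificates as sent by the server, leaf first. The top of the chain is
    checked against the CA store first (the log's "verify CA from chain"); a cert that
    found a signer becomes a signer for the one below it. Real wolfSSL has further cases
    (e.g. a chain cert that is itself a loaded CA) that this model leaves out.
    Returns (0, None) or (ASN_NO_SIGNER_E, index of the cert without a signer)."""
    store = list(trust_store)
    for idx in range(len(chain) - 1, -1, -1):
        if find_signer(chain[idx], store) is None:
            return ASN_NO_SIGNER_E, idx
        store.append(chain[idx])
    return 0, None

def needed_ca_cn(chain, trust_store):
    """Which PEM must be loaded: the CN a trust anchor must carry, or None if the chain passes."""
    code, idx = check_chain(chain, trust_store)
    return None if code == 0 else name_cn(cert_names(chain[idx])[0])

def pem_bundle_to_ders(text):
    """Split a PEM bundle (browser export, ca-certificates.crt) into DER certificates."""
    ders = []
    for block in text.split("-----END CERTIFICATE-----")[:-1]:
        block = block[block.index("-----BEGIN CERTIFICATE-----"):]
        ders.append(ssl.PEM_cert_to_DER_cert(block + "-----END CERTIFICATE-----"))
    return ders

def ders_to_pem_bundle(ders):
    return "".join(ssl.DER_cert_to_PEM_cert(d) for d in ders)

if __name__ == "__main__":
    root = fake_cert("Example Root CA", "Example Root CA")
    inter = fake_cert("Example Issuing CA", "Example Root CA")
    leaf = fake_cert("www.example.test", "Example Issuing CA")
    chain = [leaf, inter]                        # what a server typically sends
    print(check_chain(chain, [leaf]))            # leaf loaded as the "CA": (-188, 1)
    print(needed_ca_cn(chain, [leaf]))           # Example Root CA
    print(check_chain(chain, [root]))            # (0, None)
    print(check_chain([leaf], [root]))           # server omitted the intermediate: (-188, 0)
```

With only the site's own certificate loaded, check_chain() fails at index 1: the intermediate at the top of the chain has no signer, which is the "Failed to verify CA from chain" line in the debug log, and the leaf can never be a signer for anything the server sends. needed_ca_cn() names the subject a trust anchor must have, which is the root to export from the browser. A server that omits its intermediate fails at index 0 even with the right root loaded, so the chain the server actually sends matters as much as the trust store. pem_bundle_to_ders() feeds real PEM files into the same functions.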

Re: error = -188, ASN no signer error to confirm failure

Hi,

May I ask why you are doing this and what you are trying to achieve? Is this an academic or hobby project? We love to know what people are doing with wolfSSL.

Have you considered using curl? You can download the source for curl and build it with wolfSSL underneath.  Then you can look at how curl is calling wolfSSL to get a better understanding of what is needed. Or, depending on your needs, curl might be a better fit.

Warm regards, Anthony


Re: error = -188, ASN no signer error to confirm failure

I'm exploring the wolfSSL lib on Linux first, so I can try it on an embedded system later. So curl won't be an option there.
I know there are many differences between embedded bare metal and Linux, but I consider this a first step to my goal. The same issue occurred with the HTTPS client example I got from the wolfSSL repository.
I don't have any clue why this is happening. With OpenSSL I managed to run the application.


Re: error = -188, ASN no signer error to confirm failure

On Linux, this worked for me:

./configure --enable-sys-ca-certs  
make all 
./examples/client/client -h www.wolfssl.com -p 443 --sys-ca-certs 

Warm regards, Anthony


Re: error = -188, ASN no signer error to confirm failure

Hi,
Also, please consider tiny-curl. You can find it at https://www.wolfssl.com/download/

Warm regards, Anthony


Re: error = -188, ASN no signer error to confirm failure

./configure --enable-sys-ca-certs; make all; sudo make install

./examples/client/client -h www.wolfssl.com -p 443 --sys-ca-certs  

wolfSSL_connect error -188, ASN no signer error to confirm failure
wolfSSL error: wolfSSL_connect failed

The exact same error here.


Re: error = -188, ASN no signer error to confirm failure

That's odd.  This is my output:

SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSL curve name is SECP256R1

This is where we are looking for the certificates:

    "/etc/ssl/certs",                   /* Debian, Ubuntu, Gentoo, others */
    "/etc/pki/ca-trust/source/anchors", /* Fedora, RHEL */
    "/etc/pki/tls/certs"                /* Older RHEL */

What distribution of linux are you using? Can you check the locations specified above to see if there are certificates there?

Warm regards, Anthony

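A check of those directories, as an added example that is neither wolfSSL's loader nor the poster's code: it counts the BEGIN CERTIFICATE blocks actually present in each directory the --sys-ca-certs build searches, and reports dangling symlinks, which a bare ls | wc -l counts as if they were usable certificates. The directory list is copied from the reply above; the function names are the example's own, and make_demo_trust_dir() builds a constructed fixture whose PEM blocks are markers only, not real certificates, so the code runs on any machine.

```python
import os
import tempfile

# Directories listed in the reply above for wolfSSL's --sys-ca-certs support.
WOLFSSL_SYS_CA_DIRS = (
    "/etc/ssl/certs",                    # Debian, Ubuntu, Gentoo, others
    "/etc/pki/ca-trust/source/anchors",  # Fedora, RHEL
    "/etc/pki/tls/certs",                # Older RHEL
)
PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"

def audit_trust_dir(path):
    """Report what a loader walking `path` would really find: regular files, PEM
    certificate blocks inside them, dangling symlinks (listed by ls but unusable)
    and files it could not read. Subdirectories are not descended."""
    report = {"present": os.path.isdir(path), "files": 0, "pem_certs": 0,
              "dangling_symlinks": 0, "unreadable": 0}
    if not report["present"]:
        return report
    for entry in sorted(os.listdir(path)):
        full = os.path.join(path, entry)
        if os.path.islink(full) and not os.path.exists(full):
            report["dangling_symlinks"] += 1
            continue
        if not os.path.isfile(full):
            continue
        report["files"] += 1
        try:
            with open(full, "rb") as fh:            # bytes: DER files are not text
                report["pem_certs"] += fh.read().count(PEM_BEGIN)
        except OSError:
            report["unreadable"] += 1
    return report

def audit_system_trust_dirs(dirs=WOLFSSL_SYS_CA_DIRS):
    """Audit every directory wolfSSL would search; returns {directory: report}."""
    return {d: audit_trust_dir(d) for d in dirs}

def make_demo_trust_dir():
    """Constructed fixture, not a real trust store: a two-cert bundle, a single-cert
    file, a dangling symlink and a subdirectory. The PEM bodies are placeholders."""
    root = tempfile.mkdtemp(prefix="demo-certs-")
    fake_block = PEM_BEGIN + b"\nplaceholder-not-a-real-certificate\n-----END CERTIFICATE-----\n"
    with open(os.path.join(root, "ca-certificates.crt"), "wb") as fh:
        fh.write(fake_block * 2)
    with open(os.path.join(root, "Example_Root_CA.pem"), "wb") as fh:
        fh.write(fake_block)
    os.symlink(os.path.join(root, "missing-target.pem"),
               os.path.join(root, "dangling.pem"))
    os.mkdir(os.path.join(root, "subdir"))
    return root

if __name__ == "__main__":
    for directory, report in audit_system_trust_dirs().items():
        print(directory, report)
    print("demo fixture:", audit_trust_dir(make_demo_trust_dir()))
```

On the demo fixture the report is 2 files, 3 certificate blocks and 1 dangling symlink; on a real Ubuntu /etc/ssl/certs the pem_certs figure is what a loader can work with, and it should be far above the two certificates the later debug log shows being processed.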

Re: error = -188, ASN no signer error to confirm failure

Hi Anthony.
I'm using Ubuntu 20.04

Yeah! I have those certs here too:

$ ls /etc/ssl/certs | wc -l
254

Best regards,
msorage


Re: error = -188, ASN no signer error to confirm failure

Hi msorage,
I guess you're going to have to try again with --enable-debug to get some more verbose logging since I can't reproduce your issue here. 
Warm regards, Anthony


Re: error = -188, ASN no signer error to confirm failure

No problem.
Which application do you mean?

Thanks very much!
msorage


Re: error = -188, ASN no signer error to confirm failure

Hi,
Please do this and then send over the logs:

./configure --enable-sys-ca-certs  --enable-debug
make all
./examples/client/client -h www.wolfssl.com -p 443 --sys-ca-certs


Re: error = -188, ASN no signer error to confirm failure

./examples/client/client -h www.wolfssl.com -p 443 --sys-ca-certs
wolfSSL Entering wolfSSL_Init
wolfSSL Entering wolfCrypt_Init
wolfSSL Entering TLSv1_2_client_method_ex
wolfSSL Entering wolfSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering wolfSSL_CTX_use_certificate_chain_file
Getting dynamic buffer
wolfSSL Entering PemToDer
Checking cert signature type
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Not ECDSA cert signature
wolfSSL Entering wolfSSL_CTX_use_PrivateKey_file
Getting dynamic buffer
wolfSSL Entering PemToDer
wolfSSL Entering GetAlgoId
wolfSSL_CTX_load_verify_locations_ex
Getting dynamic buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAltNames
    Unsupported name type, skipping
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
wolfSSL_CTX_load_verify_locations_ex
Getting dynamic buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeNsCertType
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
wolfSSL Entering SSL_set_fd
wolfSSL Entering SSL_set_read_fd
wolfSSL Leaving SSL_set_read_fd, return 1
wolfSSL Entering SSL_set_write_fd
wolfSSL Leaving SSL_set_write_fd, return 1
wolfSSL Entering SSL_connect()
wolfSSL Entering SendClientHello
Adding signature algorithms extension
growing output buffer
Signature Algorithms extension to write
Point Formats extension to write
Supported Groups extension to write
Encrypt-Then-Mac extension to write
EMS extension to write
Shrinking output buffer
wolfSSL Leaving SendClientHello, return 0
connect state: CLIENT_HELLO_SENT
growing input buffer
received record layer msg
got HANDSHAKE
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server hello
wolfSSL Entering DoServerHello
Point Formats extension received
Extended Master Secret extension received
wolfSSL Entering VerifyClientSuite
wolfSSL Leaving DoServerHello, return 0
Shrinking input buffer
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
growing input buffer
received record layer msg
got HANDSHAKE
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing certificate
wolfSSL Entering DoCertificate
wolfSSL Entering ProcessPeerCerts
Loading peer's cert chain
    Put another cert into chain
    Put another cert into chain
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
wolfSSL Entering GetObjectId()
Certificate Policy extension not supported yet.
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
No CA signer to verify with
Failed to verify CA from chain
wolfSSL error occurred, error = -188
wolfSSL Entering SendAlert
growing output buffer
Shrinking output buffer
wolfSSL Leaving SendAlert, return 0
Verifying Peer's cert
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAltNames
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
Certificate Policy extension not supported yet.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
wolfSSL Entering GetObjectId()
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
No CA signer to verify with
Failed to verify Peer's cert
    No callback override available, fatal
wolfSSL error occurred, error = -188
wolfSSL Entering SendAlert
wolfSSL Leaving ProcessPeerCerts, return -188
wolfSSL Leaving DoCertificate, return -188
wolfSSL Leaving DoHandShakeMsgType(), return -188
wolfSSL Leaving DoHandShakeMsg(), return -188
wolfSSL error occurred, error = -188
wolfSSL error occurred, error = -188
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -188
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -188
wolfSSL Entering ERR_error_string
wolfSSL_connect error -188, ASN no signer error to confirm failure
wolfSSL Entering SSL_free
CTX ref count not 0 yet, no free
Free'ing client ssl
Shrinking input buffer
wolfSSL Entering ClientSessionToSession
wolfSSL Leaving SSL_free, return 0
wolfSSL Entering SSL_CTX_free
CTX ref count down to 0, doing full free
wolfSSL Entering wolfSSL_CertManagerFree
wolfSSL Leaving SSL_CTX_free, return 0
wolfSSL error: wolfSSL_connect failed


Re: error = -188, ASN no signer error to confirm failure

Hi msorage,

There is some sort of problem here.  Your debug output indicates you only processed 2 certificates. You should have processed all the certificates in the /etc/ssl/certs.

Please use a debugger to figure why that hasn't happened.

Warm regards, Anthony


Re: error = -188, ASN no signer error to confirm failure

I downloaded wolfssl-5.5.4 and tried ./examples/client/client -h www.wolfssl.com -p 443 --sys-ca-certs again.

./examples/client/client -h www.wolfssl.com -p 443 --sys-ca-certs
SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSL curve name is SECP256R1

but no progress with my code and github example.


Re: error = -188, ASN no signer error to confirm failure

Ok, so you are now having success with our example client. You can now use that as a template to better understand what you need to do.  Since you mentioned embedded, please do consider tiny curl.  It just might fit your use case!

Warm regards, Anthony


22 (edited by johnot 2023-03-16 23:01:52)

Re: error = -188, ASN no signer error to confirm failure

Try this.

Create a callback for the peer verification to bypass the failure. Returning 1 allows the client to accept any certificate, hence bypassing the certificate verification failure.

#include <wolfssl/options.h>
#include <wolfssl/ssl.h>
#include <wolfssl/openssl/ssl.h>   /* OpenSSL-compat names: SSL_CTX_set_verify, SSL_VERIFY_PEER */

/* Verify callback. preverify is wolfSSL's own verdict (0 = verification failed, with the
 * code, e.g. -188, in store->error). Returning 1 unconditionally overrides that verdict,
 * so the client accepts any certificate at all, including one presented by a
 * man-in-the-middle; the chain is no longer authenticated. */
int wolfssl_verify_cb(int preverify, WOLFSSL_X509_STORE_CTX* store)
{
    (void)preverify;
    (void)store;
    return 1;
}

void your_function(WOLFSSL_CTX* ssl_ctx)
{
    // ...
    SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, wolfssl_verify_cb);
    // ...
}

NOTE: From my experience, wolfSSL uses the callback provided through `SSL_CTX_set_verify`, not `SSL_CTX_set_cert_verify_callback`. I haven't dug through the code completely, but those functions set 2 different variables. I believe the CB variable in `SSL_CTX_set_verify` is the one that gets called when the verification fails.
