Topic: Persistent "ASN no signer error to confirm failure" with wolfSSL_write

Hello,

I'm facing an issue with wolfSSL while trying to make an HTTPS GET request. I'm consistently getting the error "ASN no signer error to confirm failure" from wolfSSL_write().

I'm building wolfSSL with -DWOLFSSL_SNI=yes (not sure if I even need this for what I am experiencing).

I'm trying to converse with googleapis (www. and .com.crt to form its cert file), pulled from here:

> echo | openssl s_client -servername googleapisurl_here -connect googleapisurl_here:443 2>/dev/null | openssl x509 > googleapis.crt

Please replace googleapisurl_here with its actual URL, which I described; it's a common one, so I thought it would be one to get going.


I load that in from resources successfully after init.

Here's the relevant code snippet, of which I just call test_wolf():

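#include <wolfssl/options.h>
#include <wolfssl/ssl.h>
#include <wolfssl/test.h>
#ifdef _WIN32
#   include <Winsock2.h>
#   include <Ws2tcpip.h>   /* getaddrinfo, freeaddrinfo */
#else
#   include <arpa/inet.h>
#   include <sys/socket.h> /* socket, connect */
#   include <netdb.h>      /* getaddrinfo, freeaddrinfo */
#   include <unistd.h>     /* close */
#endif
#include <errno.h>
#include <stdio.h>         /* printf, snprintf, perror */
#include <string.h>        /* memset, strlen */


#define MAX_SIZE 2048

/* Returns 0 on success, -1 on failure. */
int test_wolf() {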
    int sockfd;
    int ret;
    char buffer[MAX_SIZE];
    const char* domain = "googleapis_url_here"; // please replace with instructions
    const char* port = "443";
    const char* url = "/youtube/v3/search?part=snippet&channelId=UCpVm7bg6pXKo1Pr6k5kxG9A&maxResults=1&key=AIzaSyAg4nh93xKESkGZvv7Ocv2PBBFAM1jyDSs";
    WOLFSSL_CTX* ctx;
    WOLFSSL* ssl;

    struct addrinfo hints, *res;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;

    if (getaddrinfo(domain, port, &hints, &res) != 0) {
        perror("getaddrinfo error");
        return -1;
    }

    sockfd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
    if (sockfd < 0) {
        perror("socket error");
        return -1;
    }

    if (connect(sockfd, res->ai_addr, res->ai_addrlen) < 0) {
        perror("connect error");
        return -1;
    }

    /// Initialize wolfSSL
    wolfSSL_Debugging_ON();
    wolfSSL_Init();
    //wolfSSL_Debugging_ON(); /// tried before and after
   
    /// Create and initialize WOLFSSL_CTX
    ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method());
    if (ctx == NULL) {
        printf("wolfSSL_CTX_new error.\n");
        return -1;
    }
   
    /// tried with and without this
    if (wolfSSL_CTX_UseSNI(ctx, WOLFSSL_SNI_HOST_NAME, domain, strlen(domain)) != WOLFSSL_SUCCESS) {
        printf("Error setting SNI\n");
        return -1;
    }
   
    /// load in trust cert
    path p = fmt { "trust/{0}.crt", { str(domain) }};
    if (wolfSSL_CTX_load_verify_locations(ctx, p.cs(), null) != SSL_SUCCESS)
        console.fault("trust not found: {0}", { str(p) });
    else
        console.log("loaded trust"); // this runs, i just have a trust/www.googleapis.com.crt
   
    /// Create a WOLFSSL object
    ssl = wolfSSL_new(ctx);
    if (ssl == NULL) {
        printf("wolfSSL_new error.\n");
        return -1;
    }

    /// Associate the file descriptor with the WOLFSSL object
    ret = wolfSSL_set_fd(ssl, sockfd);
    if (ret != SSL_SUCCESS) {
        printf("wolfSSL_set_fd error.\n");
        return -1;
    }

    /// Send HTTPS request
    snprintf(buffer, sizeof(buffer),
             "GET %s HTTP/1.1\r\n"
             "Host: %s\r\n"
             "Connection: close\r\n"
             "\r\n", url, domain);
    printf("requesting url: %s\n", url);
    ret = wolfSSL_write(ssl, buffer, strlen(buffer));
    if (ret <= 0) {
        int err = wolfSSL_get_error(ssl, ret);
        char err_msg[80];
        wolfSSL_ERR_error_string(err, err_msg);
        printf("wolfSSL_write error: %s\n", err_msg);
       
        printf("wolfSSL_write error.\n");
        return -1;
    }

    /// Receive and print HTTPS response
    do {
        memset(buffer, 0, sizeof(buffer));
        ret = wolfSSL_read(ssl, buffer, sizeof(buffer) - 1);
        if (ret > 0) {
            printf("%s", buffer);
        }
    } while (ret > 0);

    /// Cleanup and return
    wolfSSL_free(ssl);
    wolfSSL_CTX_free(ctx);
    wolfSSL_Cleanup();
    close(sockfd);
    freeaddrinfo(res);

    return 0;
}

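Added example, not part of the original post and not wolfSSL code: the `openssl s_client ... | openssl x509` command in the post above saves only the server's own (leaf) certificate, while a verifier needs the certificate of the CA that issued it. The script below builds a throwaway two-certificate chain (all names and function names are constructed for this example) and tries each certificate as the trust anchor with `openssl verify`.

```shell
#!/bin/sh
# Constructed throwaway chain; these are not real Google certificates.

# make_chain DIR: create root.crt (self-signed CA) and leaf.crt (issued by root).
make_chain() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test Root" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=leaf.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$dir/leaf.csr" \
        -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -out "$dir/leaf.crt" 2>/dev/null
}

# is_self_signed CERT: true when subject and issuer names hash the same,
# which is what a root certificate looks like.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# verifies_against ANCHOR CERT: true when CERT chains up to ANCHOR.
verifies_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_chain "$tmp" || { rm -rf "$tmp"; return 1; }
    for anchor in leaf root; do
        if verifies_against "$tmp/$anchor.crt" "$tmp/leaf.crt"; then
            echo "anchor=$anchor.crt: leaf verifies"
        else
            echo "anchor=$anchor.crt: leaf does NOT verify (issuer not in trust store)"
        fi
    done
    rm -rf "$tmp"
}
demo
```

Running `is_self_signed` on a file saved from a server shows quickly whether it is a root or only the leaf.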

Re: Persistent "ASN no signer error to confirm failure" with wolfSSL_write

Hi, Kalen,

My name is Anthony Hu and I am a member of the wolfSSL team. Thanks for reaching out to us.

Can I ask, what should I replace googleapisurl_here with?

Also, you have a certificate in PEM format. I'm not sure what I'm supposed to do with that. I'm somewhat confused. Can you please help me by clarifying?


Warm regards, Anthony


3 (edited by kalen 2023-05-11 14:16:25)

Re: Persistent "ASN no signer error to confirm failure" with wolfSSL_write

Hi Anthony,

Since posting I have found and tried their .pem file for GTS Root R1:


www.googleapis.com is the name of the domain. This is the YouTube API.

For that I am loading the trust directly from file, and it reports success when loading the .pem file.

I assume the root cert should be all I need here. It would not let me post links, so that's why I had those baffling strings all over. The forum just doesn't let them through for spam mitigation purposes, I suppose.

And bringing it up in Safari or a web browser shows a trusted cert. The 'domain' on the cert is upload.video.google.com, so to me I'm not sure how it does bind as unified one. This is the YouTube API though, so I assume this should work.

I crawled through the x509s referenced and the R1 is referenced at the top from what I see. I did actually try a whole directory of them as taken from the Google site here: https://pki.goog/repository/ ... Any help would be appreciated, thanks!


4 (edited by kalen 2023-05-11 14:32:04)

Re: Persistent "ASN no signer error to confirm failure" with wolfSSL_write

I should also post a CMakeSettings.json I use as a supplemental build configuration for wolfSSL.

{
    "configurations": [
      {
        "name": "PythonCompatible",
        "generator": "Ninja",
        "cmakeCommandArgs": "",
        "buildCommandArgs": "",
        "ctestCommandArgs": "",
        "variables": [
          {
            "name": "WOLFSSL_OPENSSLALL",
            "value": "ON"
          },
          {
            "name": "WOLFSSL_TLS13",
            "value": "ON"
          },
          {
            "name": "WOLFSSL_TLSX",
            "value": "ON"
          },
          {
            "name": "WOLFSSL_TLSV10",
            "value": "ON"
          },
          {
            "name": "WOLFSSL_POSTAUTH",
            "value": "ON"
          },
          {
            "name": "WOLFSSL_CERTEXT",
            "value": "ON"
          },
          {
            "name": "WOLFSSL_CERTGEN",
            "value": "ON"
          },
          {
            "name": "WOLFSSL_SCRYPT",
            "value": "ON"
          },
          {
            "name": "CFLAGS",
            "value": "-DHAVE_EX_DATA;-DWOLFSSL_ERROR_CODE_OPENSSL;-DHAVE_SECRET_CALLBACK;-DWOLFSSL_PYTHON;-DWOLFSSL_ALT_NAMES;-DWOLFSSL_SIGNER_DER_CERT"
          }
        ]
      }
    ]
  }

I use an official release commit of:
            "version":  "5.5.4",
            "commit":   "e0e590f126bd7d947ce3dfbea5ea1405bb646374",

I thought it was down to SNI, so I am also defining that (WOLFSSL_SNI=yes). Let me know if you would like any more source or build info.

Kalen


Re: Persistent "ASN no signer error to confirm failure" with wolfSSL_write

Hi Kalen, in order to avoid the filter problems, I suggest opening a support ticket instead. Can you send a clear report to support@wolfssl.com?