Topic: aws cert error -188 Certificate Policy extension not supported yet
Hi
I have downloaded the example for Arduino and am trying to connect to AWS with the certs generated from it. I have added my certs to the example:
// Amazon root CA used to verify the server chain (PEM body omitted here)
byte rootCA[] PROGMEM = R"(
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
)";
// device private key (PEM body omitted here)
byte clientKey[] PROGMEM = R"(
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
)";
// device certificate (PEM body omitted here)
byte clientCa[] PROGMEM = R"(
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
)";
method = wolfTLSv1_2_client_method();
// device certificate presented to AWS
ret = wolfSSL_CTX_use_certificate_buffer(ctx,
                                         clientCa,
                                         sizeof(clientCa),
                                         SSL_FILETYPE_PEM);
// matching device private key
ret = wolfSSL_CTX_use_PrivateKey_buffer(ctx,
                                        clientKey,
                                        sizeof(clientKey),
                                        SSL_FILETYPE_PEM);
// trust anchor for verifying the server chain
ret = wolfSSL_CTX_load_verify_buffer(ctx,
                                     rootCA,
                                     sizeof(rootCA),
                                     SSL_FILETYPE_PEM);
I run the program and get the following logs, with error -188 and the description "not yet supported":
19:49:54
1720468194
Waiting for time to be set...
WOLFSSL_USER_SETTINGS_ID: Arduino user_settings.h v5.7.0
wolfSSL server code disabled to save space.
wolfSSL Debugging is On!
WARNING: Unknown or no TLS session cache setting.
wolfSSL Entering wolfSSL_Init
wolfSSL Entering wolfCrypt_Init
Successfully called wolfSSL_Init
Here we go!
wolfSSL Entering TLSv1_2_client_method_ex
wolfSSL Entering wolfSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
heap param is null
DYNAMIC_TYPE_CERT_MANAGER Allocating = 100 bytes
wolfSSL Leaving wolfSSL_CTX_new_ex, return 0
Initializing certificates...
show_memory() not implemented for this platform
wolfSSL Entering wolfSSL_CTX_set_verify
Initializing certificates...
wolfSSL Entering wolfSSL_CTX_use_certificate_buffer
wolfSSL Entering PemToDer
Checking cert signature type
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
Not ECDSA cert signature
wolfSSL Leaving wolfSSL_CTX_use_certificate_buffer, return 1
Success: use certificate: server_cert_der_2048
wolfSSL Entering wolfSSL_CTX_use_PrivateKey_buffer
wolfSSL Entering PemToDer
wolfSSL Leaving wolfSSL_CTX_use_PrivateKey_buffer, return 1
Success: use private key buffer: server_key_der_2048
wolfSSL Entering wolfSSL_CTX_load_verify_buffer_ex
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering DecodeSubjKeyId
Parsed new CA
Freeing Parsed CA
Freeing der CA
OK Freeing der CA
wolfSSL Leaving AddCA, return 0
Processed a CA
Processed at least one valid CA. Other stuff OK
wolfSSL Leaving wolfSSL_CTX_load_verify_buffer_ex, return 1
Success: load_verify CTX_CA_CERT
Completed Arduino setup!
try mqtt
------------------- connect--------------------
Connected!
wolfSSL Entering wolfSSL_Init
Success: calling wolfSSL_Init
show_memory() not implemented for this platform
Calling ssl = wolfSSL_new(ctx)
wolfSSL Entering wolfSSL_new
wolfSSL Entering ReinitSSL
RNG_HEALTH_TEST_CHECK_SIZE = 128
sizeof(seedB_data) = 128
wolfSSL Entering SetSSL_CTX
wolfSSL Entering wolfSSL_NewSession
InitSSL done. return 0 (success)
wolfSSL_new InitSSL success
wolfSSL Leaving wolfSSL_new InitSSL =, return 0
wolfSSL Entering wolfSSL_get_error
wolfSSL Leaving wolfSSL_get_error, return 0
Success: ssl object.
wolfSSL_connect ...
TLS 1.2 or lower
wolfSSL Entering wolfSSL_connect
wolfSSL Entering ReinitSSL
wolfSSL Entering RetrySendAlert
wolfSSL Entering SendClientHello
Adding signature algorithms extension
growing output buffer
Signature Algorithms extension to write
Point Formats extension to write
Supported Groups extension to write
Shrinking output buffer
wolfSSL Leaving SendClientHello, return 0
connect state: CLIENT_HELLO_SENT
Server state up to needed state.
Progressing server state...
ProcessReply...
wolfSSL Entering RetrySendAlert
growing input buffer
received record layer msg
got HANDSHAKE
wolfSSL Entering DoHandShakeMsg
wolfSSL Entering EarlySanityCheckMsgReceived
wolfSSL Leaving EarlySanityCheckMsgReceived, return 0
wolfSSL Entering DoHandShakeMsgType
processing server hello
wolfSSL Entering DoServerHello
Point Formats extension received
wolfSSL Entering wolfSSL_get_options
wolfSSL Entering VerifyClientSuite
wolfSSL Leaving DoServerHello, return 0
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
Shrinking input buffer
ProcessReply done.
Progressing server state...
ProcessReply...
wolfSSL Entering RetrySendAlert
growing input buffer
received record layer msg
got HANDSHAKE
wolfSSL Entering DoHandShakeMsg
wolfSSL Entering EarlySanityCheckMsgReceived
wolfSSL Leaving EarlySanityCheckMsgReceived, return 0
wolfSSL Entering DoHandShakeMsgType
processing certificate
wolfSSL Entering DoCertificate
wolfSSL Entering ProcessPeerCerts
Loading peer's cert chain
Put another cert into chain
Put another cert into chain
Put another cert into chain
Put another cert into chain
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering DecodeCrlDist
Certificate Policy extension not supported yet.
No CA signer to verify with
Failed to verify CA from chain
wolfSSL error occurred, error = -188
wolfSSL Entering SendAlert
wolfSSL Entering SendAlert
SendAlert: 48 unknown_ca
growing output buffer
Shrinking output buffer
wolfSSL Leaving SendAlert, return 0
wolfSSL Leaving ProcessPeerCerts, return -188
wolfSSL Leaving DoCertificate, return -188
wolfSSL Leaving DoHandShakeMsgType(), return -188
wolfSSL Leaving DoHandShakeMsg(), return -188
wolfSSL error occurred, error = -188
wolfSSL error occurred, error = -188
wolfSSL_connect return result =-1
Failed connection, checking error.
wolfSSL Entering wolfSSL_get_error
wolfSSL Leaving wolfSSL_get_error, return -188
wolfSSL Entering wolfSSL_ERR_error_string
WOLFSSL Error: -188; ASN no signer error to confirm failure
err =-188
Connected!
SSL version is wolfSSL Entering wolfSSL_get_version
TLSv1.2
wolfSSL Entering wolfSSL_get_cipher
wolfSSL Entering wolfSSL_get_current_cipher
wolfSSL Entering wolfSSL_CIPHER_get_name
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
---------ERROR--------
connect failed
disconnect
I came across information on the forum that error -188 is related to a wrongly uploaded certificate, but to be honest I don't know how it can be wrongly uploaded: 3 certificates and 3 functions. The certificates work and are correct, because authentication passes if I use WiFiSecureClient with the same certs (an mbedTLS-based solution). I am also puzzled by the error above:
Certificate Policy extension not supported yet.
No CA signer to verify with
Failed to verify CA from chain
wolfSSL error occurred, error = -188
What am I doing wrong? The only modification from the example is the certs.
Many thanks for your help.
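The signer lookup that the log fails at, as an added illustration in Go's standard library (not part of the original post and not wolfSSL code): a constructed root issues a leaf that carries a Certificate Policies extension like the server chain in the log, and the leaf is then verified against the root that issued it and against an unrelated root. Only the second attempt fails, with Go's unknown-authority error, the counterpart of the "No CA signer to verify with" / -188 / alert 48 unknown_ca sequence above; all names and keys are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Issue creates a certificate for cn, self-signed when parent is nil (a root standing in
// for the rootCA[] buffer). All keys and names are constructed test data, not AWS material.
func Issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, parentKey = t, key
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else { // end-entity cert: add a Certificate Policies extension (OID 2.5.29.32) like the log's chain
		t.DNSNames = []string{cn}
		policies, _ := asn1.Marshal([]struct{ ID asn1.ObjectIdentifier }{{asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}}})
		t.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: policies}}
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyWithAnchor is the step the log fails at after the chain is parsed: is the loaded
// CA the signer of the peer's chain for host? nil on success; x509.UnknownAuthorityError is
// Go's counterpart of "No CA signer to verify with" (-188, alert 48 unknown_ca).
func VerifyWithAnchor(leaf, anchor *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(anchor)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func main() {
	root, rootKey := Issue("Test Root", nil, nil)
	other, _ := Issue("Other Root", nil, nil)
	leaf, _ := Issue("iot.example", root, rootKey)
	fmt.Println("issuing root loaded:", VerifyWithAnchor(leaf, root, "iot.example"))
	fmt.Println("unrelated root loaded:", VerifyWithAnchor(leaf, other, "iot.example"))
}
```

Applied to the real inputs, the same check is to verify the chain the endpoint presents against the rootCA[] PEM; as the log's own error string says, -188 is the "ASN no signer" result of that lookup, not of the policy extension line printed just before it.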