1 (edited by rpzrpzrpz 2012-11-15 16:35:55)

Topic: wolfSSL embedded SSL 2.4.0 ASN sig error -155 Error

Ok.  Based on an earlier post from team wolfSSL, I built the example client and used it against mikestoolbox-DOT-org.

Client was built on Visual Studio 2008. wolfSSL 2.4.0 (downloaded today) on Windows XP Sp3.

Google also FAILS.

What wolfSSL cannot do is actually verify a secure web site, based on the DEBUG_WOLF
dumps that I included below.  It always throws a -155 error.

############mikestoolbox-DOT-org##################

F:\download\wolfssl-2.4.0\Debug>client.exe -h 24.234.114.35 -p 443
wolfSSL Entering WOLF_CTX_new
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering SSL_CTX_set_default_passwd_cb
wolfSSL Entering wolfSSL_CTX_use_certificate_file
Getting dynamic buffer
Checking cert signature type
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
wolfSSL Entering GetAlgoId
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
Not ECDSA cert signature
wolfSSL Entering wolfSSL_CTX_use_PrivateKey_file
Getting dynamic buffer
wolfSSL Entering GetMyVersion
wolfSSL Entering wolfSSL_CTX_load_verify_locations
Getting dynamic buffer
Processing CA PEM file
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
wolfSSL Entering GetAlgoId
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
        Extension type not handled, skipping
        Extension type not handled, skipping
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetAlgoId
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Couldn't find PEM header
We got one good PEM file so stuff at end ok
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
wolfSSL Entering SSL_set_fd
wolfSSL Leaving SSL_set_fd, return 1
wolfSSL Entering SSL_connect()
growing output buffer

Shrinking output buffer

connect state: CLIENT_HELLO_SENT
growing input buffer

growing input buffer

received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server hello
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
growing input buffer

received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing certificate
Loading peer's cert chain
    Put another cert into chain
    Put another cert into chain
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
wolfSSL Entering GetAlgoId
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
        found optional critical flag, moving past
wolfSSL Entering DecodeBasicCaConstraint
        found optional critical flag, moving past
        Extension type not handled, skipping
        Extension type not handled, skipping
wolfSSL Entering GetAlgoId
About to verify certificate signature
No CA signer to verify with
Failed to verify CA from chain
Veriying Peer's cert
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
wolfSSL Entering GetAlgoId
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
        found optional critical flag, moving past
        Extension type not handled, skipping
        Extension type not handled, skipping
wolfSSL Entering DecodeAltNames
        Not DNS type
        Extension type not handled, skipping
        Extension type not handled, skipping
        Extension type not handled, skipping
wolfSSL Entering GetAlgoId
About to verify certificate signature
No CA signer to verify with
Failed to verify Peer's cert
        No callback override availalbe, fatal
wolfSSL Leaving DoHandShakeMsgType(), return -155
wolfSSL Leaving DoHandShakeMsg(), return -155
wolfSSL error occured, error = -155
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -155
wolfSSL Entering ERR_error_string
err = -155, ASN sig error, confirm failure
wolfssl error: SSL_connect failed

############google-DOT-com##################

F:\download\wolfssl-2.4.0\Debug>ping google-DOT-com

Pinging google-DOT-com [173.194.37.80] with 32 bytes of data:

Reply from 173.194.37.80: bytes=32 time=85ms TTL=53
Reply from 173.194.37.80: bytes=32 time=87ms TTL=53
Reply from 173.194.37.80: bytes=32 time=87ms TTL=53
Reply from 173.194.37.80: bytes=32 time=87ms TTL=53

Ping statistics for 173.194.37.80:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 85ms, Maximum = 87ms, Average = 86ms

F:\download\wolfssl-2.4.0\Debug>client.exe -h 173.194.37.80 -p 443
wolfSSL Entering WOLFSSL_CTX_new
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering SSL_CTX_set_default_passwd_cb
wolfSSL Entering wolfSSL_CTX_use_certificate_file
Getting dynamic buffer
Checking cert signature type
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
wolfSSL Entering GetAlgoId
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
Not ECDSA cert signature
wolfSSL Entering wolfSSL_CTX_use_PrivateKey_file
Getting dynamic buffer
wolfSSL Entering GetMyVersion
wolfSSL Entering wolfSSL_CTX_load_verify_locations
Getting dynamic buffer
Processing CA PEM file
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
wolfSSL Entering GetAlgoId
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
        Extension type not handled, skipping
        Extension type not handled, skipping
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetAlgoId
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Couldn't find PEM header
We got one good PEM file so stuff at end ok
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
wolfSSL Entering SSL_set_fd
wolfSSL Leaving SSL_set_fd, return 1
wolfSSL Entering SSL_connect()
growing output buffer

Shrinking output buffer

connect state: CLIENT_HELLO_SENT
growing input buffer

growing input buffer

received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server hello
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
growing input buffer

received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing certificate
Loading peer's cert chain
    Put another cert into chain
    Put another cert into chain
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
wolfSSL Entering GetAlgoId
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
        found optional critical flag, moving past
wolfSSL Entering DecodeBasicCaConstraint
        Extension type not handled, skipping
        Extension type not handled, skipping
wolfSSL Entering DecodeAltNames
        Not DNS type
        Extension type not handled, skipping
wolfSSL Entering DecodeCrlDist
        Extension type not handled, skipping
wolfSSL Entering GetAlgoId
About to verify certificate signature
No CA signer to verify with
Failed to verify CA from chain
Veriying Peer's cert
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
wolfSSL Entering GetAlgoId
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
        found optional critical flag, moving past
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering DecodeCrlDist
        Extension type not handled, skipping
        There are more Authority Information Access records, but we only use first one.
wolfSSL Entering GetAlgoId
About to verify certificate signature
No CA signer to verify with
Failed to verify Peer's cert
        No callback override availalbe, fatal
wolfSSL Leaving DoHandShakeMsgType(), return -155
wolfSSL Leaving DoHandShakeMsg(), return -155
wolfSSL error occured, error = -155
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -155
wolfSSL Entering ERR_error_string
err = -155, ASN sig error, confirm failure
wolfSSL error: SSL_connect failed



Re: wolfSSL embedded SSL 2.4.0 ASN sig error -155 Error

Hi,

You are seeing the -155 (ASN sig error) because the wolfSSL client doesn't have the correct CA certificates loaded to correctly verify the peer (mikestoolbox.org, google.com).  By default, the wolfSSL client application loads our wolfSSL test certificates - which won't work to verify external certificates not signed by the wolfSSL test CA cert.  You can do one of two things to resolve this problem:

1)  Turn off peer verification when running the example client by adding the "-d" option.  For example:

./examples/client/client -h mikestoolbox.org -p 443 -d

2)  Load the correct CA certificate that is able to verify the server's certificate using the "-A" option.  For example:

./examples/client/client -h mikestoolbox.org -p 443 -A mikesCA.pem

Usually you can download the root CA certificate which has signed a server certificate from a browser such as Firefox.  I was able to download the CA certificate for mikestoolbox.org in PEM format through Firefox, which I have attached to this post.

Another thing to keep in mind when connecting to a website with the example wolfSSL client is that you can tell the client to send a simple GET request as well.  You can do this by adding the "-g" option to the client.  For example:

./examples/client/client -h mikestoolbox.org -p 443 -d -g

To see a full list of command line options available for the wolfSSL client example, use the "--help" command line option:

./examples/client/client --help

Best Regards,
Chris

3 (edited by rpzrpzrpz 2012-11-15 21:32:49)

Re: wolfSSL embedded SSL 2.4.0 ASN sig error -155 Error

Continued elsewhere....


Re: wolfSSL embedded SSL 2.4.0 ASN sig error -155 Error

I've also faced this problem. If you have anything more to share from "private discussions", please let the big crowd see...

I'd like to see very simple info on how the peer check should be implemented: what cert from the chain, where, etc.

D:\projects\wolfssl-2.4.0>.\Release\client -g -v 0 -h www.google.com -p 443 -A .\certs\EquifaxSecureCA.crt
err = -155, ASN sig error, confirm failure
wolfssl error: SSL_connect failed


Re: wolfSSL embedded SSL 2.4.0 ASN sig error -155 Error

Hi hasa,

It looks like you may be using the wrong CA certificate for www.google.com. The cert chain for www.google.com looks like:

VeriSign Class 3 Public Primary Certification Authority
     Thawte SGC CA
          www.google.com

I was able to verify that the most current wolfSSL example client could connect to www.google.com using the attached CA file (downloaded directly from the VeriSign website, here: http://www.verisign.com/support/roots.html).  Can you see if this certificate works for you?

Thanks,
Chris

Post's attachments

PCA-3.pem 846 b, 4 downloads since 2012-11-20 
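The following is an added example, not code from wolfSSL or from anyone in this thread: a small Python model of the CA lookup behind "No CA signer to verify with" and -155 in the dumps above, showing why `-A EquifaxSecureCA.crt` fails for www.google.com while the VeriSign root succeeds, and what `-d` changes. The signature check is modelled as "the cert's issuer name matches a trusted CA's subject" (an assumption for brevity; real wolfSSL also checks the signature with that CA's public key), and the certificate names are constructed from the chain Chris lists.

```python
# Added example (not wolfSSL code). Certificates are plain dicts; the
# signature check is modelled as an issuer/subject name match (assumption:
# real wolfSSL also verifies the signature with the CA's public key).

ASN_SIG_CONFIRM_E = -155   # wolfSSL's "ASN sig error, confirm failure"

def cert(subject, issuer):
    return {"subject": subject, "issuer": issuer}

def find_signer(c, ca_store):
    """Return the trusted CA whose subject matches c's issuer, or None."""
    return next((ca for ca in ca_store if ca["subject"] == c["issuer"]), None)

def verify_peer(peer, chain, ca_file, verify_none=False, log=None):
    """Model of the example client: -A loads ca_file, -d sets verify_none.

    chain is in wire order (peer's issuer first, root-most last). wolfSSL
    walks it from the root-most end and adds each verified cert as a CA,
    so the peer's issuer is only found if every link above it verified.
    """
    log = log if log is not None else []
    ca_store = list(ca_file)          # copy: chain CAs are per-connection
    for c in reversed(chain):
        if find_signer(c, ca_store):
            ca_store.append(c)
            log.append("Parsed new CA: " + c["subject"])
        else:
            log.append("No CA signer to verify with; Failed to verify CA from chain")
    if find_signer(peer, ca_store):
        return 0
    if verify_none:                   # -d: failure is not fatal
        log.append("Peer verify failed but verification is off, continuing")
        return 0
    log.append("No callback override available, fatal")
    return ASN_SIG_CONFIRM_E

# Constructed sample mirroring the www.google.com chain listed above.
GOOGLE = cert("www.google.com", "Thawte SGC CA")
GOOGLE_CHAIN = [cert("Thawte SGC CA", "VeriSign Class 3 Public Primary CA")]
VERISIGN_PCA3 = [cert("VeriSign Class 3 Public Primary CA",
                      "VeriSign Class 3 Public Primary CA")]
EQUIFAX = [cert("Equifax Secure CA", "Equifax Secure CA")]

if __name__ == "__main__":
    for name, store in (("EquifaxSecureCA.crt", EQUIFAX), ("PCA-3.pem", VERISIGN_PCA3)):
        msgs = []
        rc = verify_peer(GOOGLE, GOOGLE_CHAIN, store, log=msgs)
        print(f"-A {name}: err = {rc}", *msgs, sep="\n    ")
```

The CA passed with `-A` must be the issuer of the root-most certificate the server actually sends; an unrelated root (Equifax here) leaves every link of the chain unverifiable, so both the intermediate and the peer fail exactly as in the dumps.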