1 (edited by andreas20488 2012-11-28 09:46:40)

Topic: wolfSSL_connect/accept problem!

I have created a client-server model and all steps seem to go fine until the client calls the function wolfSSL_connect().

First I want to say that in the CLIENT code I do the following steps without getting any error!
############################################################################
    wolfSSL_Init();
    WOLFSSL_CTX* ctx;

    /* Create and initialize WOLFSSL_CTX structure */
    if ( (ctx = wolfSSL_CTX_new(wolfTLSv1_client_method())) == NULL){
        print("SSL_CTX_new error.\r\n");
    }

    //ca_cert is an array that holds the ca_cert file from the finished_src/echoclient example. I do not have a filesystem
    cert_size = sizeof(ca_cert);

    if (wolfSSL_CTX_load_verify_buffer(ctx, ca_cert, cert_size, 1) != SSL_SUCCESS) {
        print("Error loading ./ca-cert.pem, please check the file.\r\n");
    }

    WOLFSSL* ssl;

    if( (ssl = wolfSSL_new(ctx)) == NULL) {
        print("Unable to create SSL Object\r\n");
    }

    if (wolfSSL_set_fd(ssl, socket_fd) != SSL_SUCCESS)
        print("SSL_set Object failed\r\n");

############################################################################


In the SERVER code I have the following steps, again without getting any errors!
############################################################################

    wolfSSL_Init();    // Initialize wolfSSL
    WOLFSSL_CTX* ctx;

    /* Create and initialize WOLFSSL_CTX structure */
    if ( (ctx = wolfSSL_CTX_new(wolfTLSv1_server_method())) == NULL){
        print("SSL_CTX_new error.\r\n");
    }

    //Again, here ca_cert, serv_cert and serv_key are arrays that hold the files included in the finished_src/echoserver example
    cl_cert_size = sizeof(ca_cert);
    serv_cert_size = sizeof(serv_cert);
    serv_key_size = sizeof(serv_key);

    !!!!!!!HERE I DO NOT UNDERSTAND WHY WE HAVE TO LOAD "ca_cert" ON THE SERVER SIDE!!!!!!!!!!!!
    /* These will be used to verify the server we connect to */
    if (wolfSSL_CTX_load_verify_buffer(ctx, ca_cert, cl_cert_size, 1) != SSL_SUCCESS) {
        print("Error loading ./ca-cert.pem, please check the file.\r\n");
    }

    /* Load server certificate into WOLFSSL_CTX */
    if (wolfSSL_CTX_use_certificate_buffer(ctx, serv_cert, serv_cert_size, 1) != SSL_SUCCESS) {
        print("Error loading ./server-cert.pem, please check the file.\r\n");
        //exit(EXIT_FAILURE);
    }

    if (wolfSSL_CTX_use_PrivateKey_buffer(ctx, serv_key, serv_key_size, SSL_FILETYPE_PEM) != SSL_SUCCESS) {
        printf("Error loading ./server-key.pem, please check the file.\r\n");
        //exit(EXIT_FAILURE);
    }

    WOLFSSL* ssl;

    /* Create WOLFSSL Object */
    if( (ssl = wolfSSL_new(ctx)) == NULL) {
        print("Unable to create SSL object\n");
    }

    if (wolfSSL_set_fd(ssl, fd_current) != SSL_SUCCESS)
        print("SSL_set Object failed\r\n");

############################################################################

Moreover I did not define WOLFSSL_DTLS

On function EmbedReceive I added the following line:
print("RECV_FUNCTION\r\n--------------------\r\nData received : %s  \r\nBytes Received %d\r\n--------------------\r\n",buf,sz);

after

recvd = RECV_FUNCTION(sd, (char *)buf, sz, 0);

so as to print the data received and the number of bytes received.

On function EmbedSend I added another line for data sent and bytes.

The messages that the client and server exchanged during the handshake are as shown below

-------------------CLIENT SIDE-------------------------------###

Trying to establish SSL connection

1. CONNECT BEGIN SEND CLIENT HELLO
SEND_FUNCTION
--------------------
Data send :áa
Bytes Send : 64
--------------------
1. CONNECT BEGIN SEND CLIENT HELLO COMPLETED

2. CLIENT HELLO SENT
RECV_FUNCTION
--------------------
Data received :
Bytes Received 5
--------------------
RECV_FUNCTION
--------------------
Data received :
Bytes Received 74
--------------------
Do Hand Shake Msg ret 0
RECV_FUNCTION
--------------------
Data received :
Bytes Received 5
--------------------
RECV_FUNCTION
--------------------
Data received :

Bytes Received 546
--------------------
Do Hand Shake Msg ret -155

FATAL ERROR

SSL_connect failed


----------------------------SERVER SIDE----------------------------------------
Waiting to establish SSL connection

1. ACCEPT BEGIN : CLIENT HELLO
RECV_FUNCTION
--------------------
Data received :
Bytes Received 5
--------------------
RECV_FUNCTION
--------------------
Data received :
Bytes Received 59
--------------------

1. CLIENT HELLO MESSAGE DONE

2. ACCEPT CLIENT HELLO DONE
2. ACCEPT CLIENT HELLO DONE COMPLETED

3. HELLO VERIFY SENT
3. HELLO VERIFY SENT COMPLETED

4. ACCEPT FIRST REPLY DONE
SEND_FUNCTION
--------------------
Data send :áa
Bytes Send : 79
--------------------
4. ACCEPT FIRST REPLY DONE COMPLETED

5. SERVER HELLO SENT
SEND_FUNCTION
--------------------
Data send :áa
Bytes Send : 551
--------------------
5. SERVER HELLO SENT DONE COMPLETED

6. SEND SERVER KEY EXCHANGE
6. SEND SERVER KEY EXCHANGE COMPLETED

7. SEND CERTIFICATE REQUEST
7. SEND CERTIFICATE REQUEST DONE

8. CERTIFICATE REQUEST SENT
SEND_FUNCTION
--------------------
Data send :áa
Bytes Send : 9
--------------------
8. CERTIFICATE REQUEST SENT COMPLETED

9. SERVER HELLO DONE
RECV_FUNCTION
--------------------
Data received :
Bytes Received 5
--------------------
SSL_accept failed

The num error that I get on the client side is -155(ASN_SIG_CONFIRM_E)

and on the server side is -208(SOCKET_ERROR_E).

Any help?


Re: wolfSSL_connect/accept problem!

Hi andreas,

!!!!!!!HERE I DO NOT UNDERSTAND WHY WE HAVE TO LOAD "ca_cert" ON THE SERVER SIDE!!!!!!!!!!!!

A list of CA certificates only needs to be loaded on the server side if your server is going to be doing client authentication (mutual authentication).  Since it doesn't look like you're doing client authentication, you should be able to skip loading the ca-cert.pem into the server.

The num error that I get on the client side is -155(ASN_SIG_CONFIRM_E)

This error usually means that the client can't verify the server certificate that it receives, and typically means users have loaded the incorrect CA certificate into the client.  Can you double check that your certificate buffers are correct?

For testing your SSL connection in general (apart from certificate verification problems), you can always temporarily disable verification of the server by calling:

wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0); 

from your client code (see ./examples/client/client.c for example usage).  This will disable the client from verifying the server certificate it receives.

Best Regards,
Chris

Re: wolfSSL_connect/accept problem!

The num error that I get on the client side is -155(ASN_SIG_CONFIRM_E)

This error usually means that the client can't verify the server certificate that it receives, and typically means users have loaded the incorrect CA certificate into the client.  Can you double check that your certificate buffers are correct?

As I said, I print the data received and the data sent using the following code in io.c

    sent = SEND_FUNCTION(sd, &buf[sz - len], len, 0);
    /* pass the address of the data, not the first byte's value */
    print("SEND_FUNCTION\r\n--------------------\r\nData send : %s \r\nBytes Send : %d\r\n--------------------\r\n", &buf[sz - len], len);

    recvd = RECV_FUNCTION(sd, (char *)buf, sz, 0);
    if (recvd > 0) {
        char old = buf[recvd - 1];
        buf[recvd - 1] = '\0';   /* terminate so %s cannot run past the data actually read */
        print("RECV_FUNCTION\r\n--------------------\r\nData received : %s  \r\nBytes Received %d\r\n--------------------\r\n", buf, recvd);
        buf[recvd - 1] = old;
    }

but it prints what I mentioned before.

Where else can I check the buffers sent and received?

For testing your SSL connection in general (apart from certificate verification problems), you can always temporarily disable verification of the server by calling:

wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);

from your client code (see ./examples/client/client.c for example usage).  This will disable the client from verifying the server certificate it receives.

Yes but in the real world I want to verify the server certificate right?

Finally, can you tell me which certificates I should load on the client and server so as to be sure that I load the correct certificates?


Re: wolfSSL_connect/accept problem!

Yes, typically in a real-world application you would want to verify the server certificates.

Which certificates you load will depend on your environment and client/server setup.  If you are using the wolfSSL example client and server examples, you can use our test certificates.  All wolfSSL embedded SSL test certs are located in the <wolfssl_root>/certs directory.  Some of the main ones include:

ca-cert.pem  (CA certificate)
server-cert.pem  (server cert)
client-cert.pem  (client cert)

Best Regards,
Chris

5 (edited by andreas20488 2012-12-04 08:15:16)

Re: wolfSSL_connect/accept problem!

Ok Chris,

One last thing again

As I said, I print the data received and the data sent using the following code in io.c

    sent = SEND_FUNCTION(sd, &buf[sz - len], len, 0);
    /* pass the address of the data, not the first byte's value */
    print("SEND_FUNCTION\r\n--------------------\r\nData send : %s \r\nBytes Send : %d\r\n--------------------\r\n", &buf[sz - len], len);

    recvd = RECV_FUNCTION(sd, (char *)buf, sz, 0);
    if (recvd > 0) {
        char old = buf[recvd - 1];
        buf[recvd - 1] = '\0';   /* terminate so %s cannot run past the data actually read */
        print("RECV_FUNCTION\r\n--------------------\r\nData received : %s  \r\nBytes Received %d\r\n--------------------\r\n", buf, recvd);
        buf[recvd - 1] = old;
    }

but it prints what I mentioned before.

Where else can I check the buffers sent and received?

Moreover, what messages should I expect to see printed at each step?

Actually, because I have SSL_FILETYPE_PEM I won't understand what will be printed, so I set SSL_FILETYPE_DEFAULT.

The problem now is that wolfSSL_CTX_use_certificate_buffer and wolfSSL_CTX_use_PrivateKey_buffer return error -4 (BAD_FILE) in the client and server code.

I double checked the certificates and nothing seems to be wrong! I cannot understand what else could be going wrong.

Any help?

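Two questions in this thread (where else to look at the bytes going through EmbedSend/EmbedReceive, and what to expect at each step) have the same answer: decode the bytes instead of printing them with "%s". TLS records are binary, and the 5-byte record header (content type, two version bytes, two length bytes) contains a 0x00 length byte for any record under 256 bytes, so "%s" stops after one or two characters, which is why the traces above show an empty "Data received" line. The following is an added example written for this page; it is not code from the posts and not part of wolfSSL. It assumes the TLS 1.0 record and handshake layout from RFC 2246, the function names (tls_dump, tls_parse_record and so on) are the author's own, and the sample ClientHello and alert bytes are constructed for the example, not captured from the thread.

```c
/* Added example for this thread (not from the posts, not wolfSSL code): decode TLS record
 * bytes instead of printing them with "%s".  The 5-byte header is type(1) version(2) length(2);
 * its high length byte is 0x00 for any record under 256 bytes, so "%s" stops almost at once.
 * Layout per RFC 2246 (TLS 1.0); the sample bytes below are constructed, not captured. */
#include <stdio.h>
#include <string.h>

typedef struct {
    int content_type;   /* 20 change_cipher_spec, 21 alert, 22 handshake, 23 application_data */
    int record_len;     /* body length announced by the header */
    int truncated;      /* 1 when the buffer holds fewer body bytes than announced */
    int hs_type;        /* handshake message type, or -1 */
    int hs_len;         /* handshake message length, or -1 */
} tls_record_info;

const char *tls_content_type_name(int t)
{
    return t == 20 ? "change_cipher_spec" : t == 21 ? "alert" :
           t == 22 ? "handshake" : t == 23 ? "application_data" : "unknown";
}

const char *tls_handshake_type_name(int t)
{
    switch (t) {
    case 1:  return "client_hello";        case 2:  return "server_hello";
    case 11: return "certificate";         case 12: return "server_key_exchange";
    case 13: return "certificate_request"; case 14: return "server_hello_done";
    case 16: return "client_key_exchange"; case 20: return "finished";
    default: return "unknown";
    }
}

/* Handshake header: type(1) length(3).  Returns -1 if fewer than 4 bytes were given. */
int tls_parse_handshake(const unsigned char *buf, size_t len, int *type, int *hs_len)
{
    if (len < 4) return -1;
    *type = buf[0]; *hs_len = (buf[1] << 16) | (buf[2] << 8) | buf[3];
    return 0;
}

/* Record header and, if the body is present and it is a handshake record, its first message. */
int tls_parse_record(const unsigned char *buf, size_t len, tls_record_info *out)
{
    if (len < 5) return -1;
    out->content_type = buf[0];
    out->record_len   = (buf[3] << 8) | buf[4];
    out->truncated    = (len - 5 < (size_t)out->record_len);
    out->hs_type = out->hs_len = -1;
    if (out->content_type == 22 && !out->truncated)
        tls_parse_handshake(buf + 5, len - 5, &out->hs_type, &out->hs_len);
    return 0;
}

/* Hex dump plus decoded header, the thing to call from EmbedSend/EmbedReceive.  wolfSSL reads
 * the 5-byte header and the body in separate calls, so a buffer that does not start with a
 * record type is treated as a body read whose first byte is the handshake type. */
void tls_dump(const char *tag, const unsigned char *buf, size_t len)
{
    tls_record_info r; int t, l; size_t i;
    printf("%s: %u bytes\n", tag, (unsigned)len);
    for (i = 0; i < len; i++)
        printf("%02x%s", buf[i], (i % 16 == 15 || i + 1 == len) ? "\n" : " ");
    if (tls_parse_record(buf, len, &r) == 0 && r.content_type >= 20 && r.content_type <= 23) {
        printf("  record: %s, version 3.%d, length %d%s\n", tls_content_type_name(r.content_type),
               buf[2], r.record_len, r.truncated ? " (body not in this read)" : "");
        if (r.hs_type >= 0)
            printf("  handshake: %s, length %d\n", tls_handshake_type_name(r.hs_type), r.hs_len);
    } else if (tls_parse_handshake(buf, len, &t, &l) == 0) {
        printf("  body read, handshake: %s, length %d\n", tls_handshake_type_name(t), l);
    }
}

/* Constructed 64-byte TLS 1.0 ClientHello record (5 header + 59 handshake bytes), the same size
 * as the first send in the client trace; the contents are made up for the example. */
size_t make_sample_client_hello(unsigned char *out)
{
    static const unsigned char head[11] = { 0x16, 0x03, 0x01, 0x00, 0x3b,   /* handshake record, length 59 */
        0x01, 0x00, 0x00, 0x37, 0x03, 0x01 };                               /* client_hello length 55, TLS 1.0 */
    static const unsigned char suites[16] = { 0x00,0x2f, 0x00,0x35, 0x00,0x0a, 0x00,0x05,
        0x00,0x04, 0x00,0x33, 0x00,0x39, 0x00,0x16 };
    size_t n = 11, i;
    memcpy(out, head, 11);
    for (i = 0; i < 32; i++) out[n++] = (unsigned char)i;   /* stand-in for the 32-byte random */
    out[n++] = 0x00; out[n++] = 0x00; out[n++] = 0x10;       /* session id length 0, cipher suites length 16 */
    memcpy(out + n, suites, 16); n += 16;
    out[n++] = 0x01; out[n++] = 0x00;                        /* one compression method: null */
    return n;                                                /* 64 */
}

/* Constructed alert record, fatal (2) bad_certificate (42): what a client that cannot verify
 * the server certificate sends before it closes the socket. */
size_t make_sample_alert(unsigned char *out)
{
    memcpy(out, "\x15\x03\x01\x00\x02\x02\x2a", 7);
    return 7;
}

int main(void)
{
    unsigned char buf[64];
    size_t n = make_sample_client_hello(buf);
    tls_dump("SEND", buf, n);           /* whole record, as EmbedSend sees it */
    tls_dump("RECV", buf, 5);           /* header-only read, EmbedReceive's first call */
    tls_dump("RECV", buf + 5, n - 5);   /* body read, EmbedReceive's second call */
    n = make_sample_alert(buf); tls_dump("RECV", buf, n);
    return 0;
}
```

In io.c this would be called as tls_dump("SEND", (const unsigned char *)&buf[sz - len], len) after SEND_FUNCTION and, when recvd > 0, tls_dump("RECV", (const unsigned char *)buf, recvd) after RECV_FUNCTION. With server authentication only, a TLS 1.0 handshake in the clear consists of client_hello; server_hello, certificate, server_hello_done; client_key_exchange, change_cipher_spec, finished (encrypted); change_cipher_spec, finished, and certificate_request only appears between certificate and server_hello_done when the server asks for a client certificate. Two things the decoder makes visible in the traces above: a 9-byte send is exactly a record header plus a 4-byte handshake header with an empty body, which is what server_hello_done looks like, whereas a certificate_request carries a body; and the 546-byte record the client fails on with -155 arrives in the position where the server's certificate message sits, so decoding it as handshake type 11 confirms that the failure is the client being unable to verify that certificate against the CA it loaded. The file-type argument of the load functions describes only the buffer you hand to wolfSSL, not what goes on the wire (the certificate inside the Certificate message is always DER); in wolfSSL's ssl.h, SSL_FILETYPE_DEFAULT is the ASN.1/DER value, so passing it for a PEM buffer produces the -4 BAD_FILE reported in the last post.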