• Registered: 2013-01-08
  • Posts: 2

Topic: wolfSSL embedded SSL is not sending its client certificate

I want to establish a connection between a client using wolfSSL and a server created in NodeJS (using TLS native API - http://nodejs.org/api/tls.html).

It supports TLSv1 + SSLv3.

In the server side I need only to accept clients that has a signed certificate by our own CA certificate.

So I create:

CA Private Key
CA Cert

Client Private Key
Client Cert

Server Private Key
Server Cert

I sign the Client Certificate using the CA Key & Cert and load it into wolfSSL.

In the client I use the following functions to load certificates:

wolfSSL_Init();
        if ( (ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())) == NULL) {
            fprintf(stderr, "wolfSSL_CTX_new error.\n");
            exit(EXIT_FAILURE);
        }

        // wolfSSL_CTX_set_verify(ctx,SSL_VERIFY_NONE,0); <== changing this setting doesn't affect the behavior

        if( (ssl = wolfSSL_new(ctx)) == NULL) {
            fprintf(stderr, "wolfSSL_new error.\n");
            exit(EXIT_FAILURE);
        }

int caStatus= wolfSSL_CTX_load_verify_locations(ctx, "c:\\ca.crt", 0);
int cStatus= wolfSSL_CTX_use_certificate_file(ctx, "c:\\client.crt", SSL_FILETYPE_PEM);
int kStatus= wolfSSL_CTX_use_PrivateKey_file(ctx, "c:\\client.key", SSL_FILETYPE_PEM);

All of these loads successfully and then I verify using: 

int vResult=wolfSSL_CTX_check_private_key(ctx);

And its all okay.. until now.

When I try to connect to the server:

            int lpmkey=wolfSSL_CTX_check_private_key(ctx);
            int rr = wolfSSL_set_fd(ssl, sock);
            int ra = wolfSSL_connect(ssl);
            if (ra != SSL_SUCCESS){
                int ferr=wolfSSL_get_error(ssl,0); // <=== I got the error code -208 (SOCKET_ERROR_E)
                char strerrorr[80];
                wolfSSL_ERR_error_string(ferr,strerrorr); // error state on socket
                exit(EXIT_FAILURE);
            }

I think this happens because the server is strictly expecting a client certificate, and the client never sends it.
On the server side if I don't ask for client certificate (requestCert=false), the negotiation and connection works, but its not validated (cleartextStream.authorized is false).

Just FYI.. heres a snippet of how I start the TLS server:

var options = {
      key: fs.readFileSync('server.key'),
      cert: fs.readFileSync('server.crt'),
      ca: fs.readFileSync('ca.crt'),
      requestCert: true // if I set 'false' here everything works, but without validation
    };
    
    var server = tls.createServer(options, function(cleartextStream) ...

In the server side, I got the following error:

[Error: 140657365727008:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate:s3_srvr.c:2528:]

I was debugging wolfSSL library to try to find out this issue.. and I saw that the client never send the certificate to the server.

The server seems that is working well.. if I try to connect to it using CURL, it works and verify everything ok.

~# curl -v -s -k --key client.key --cert client.crt --cacert ca.crt https://localhost

Am I doing something wrong? should I call another function to do this or something like that so the client can send the signed certificate to the server?

Thanks in advance

Share

  • From: Bozeman, MT
  • Registered: 2010-10-20
  • Posts: 650

Re: wolfSSL embedded SSL is not sending its client certificate

Hi zephrax,

Thanks for taking a look at wolfSSL embedded SSL.  If you don't mind me asking, what kind of application are you working on with wolfSSL?

I think the problem may be that you are loading the keys and certificates into wolfSSL after your call to wolfSSL_new().  Can you try switching the order and loading the keys/certs into wolfSSL before you call wolfSSL_new()?  You can find an example wolfSSL client in <wolfssl_root>/examples/client/client.c which may be helpful as a reference.

To test the scenario you were doing, I tried running a test node.js TLS server (code attached, from here: http://docs.nodejitsu.com/articles/cryp … s-module):

node node_server.js

Against our wolfSSL example client (run from the wolfSSL package root directory):

./examples/client/client -h 127.0.0.1 -p 8000

As you can see, my node.js test server was using the following options.  The certs and keys are the wolfSSL test ones located in the <wolfssl_root>/certs directory.

var options = {                                                                 
     key: fs.readFileSync('server-key.pem'),                                     
     cert: fs.readFileSync('server-cert.pem'),                                   
     ca: fs.readFileSync('ca-cert.pem'),                                         
     requestCert: true                                                           
};

This connection was successful, with the wolfSSL embedded SSL client correctly sending its client certificate over to the Node.js server.  Let me know if switching that order helps or not.

Best Regards,
Chris

Post's attachments

node_server.js 704 b, 1 downloads since 2013-01-09 

You don't have the permssions to download the attachments of this post.
https://www.wolfssl.com

chrisc's Website

Share

  • Registered: 2013-01-08
  • Posts: 2

Re: wolfSSL embedded SSL is not sending its client certificate

Hi chrisc, thanks for the response!

I'm working in an application for controlling house lights and another stuff via internet and I don't want unwanted clients controlling that tongue

Finally I made it work loading the required certificates using the following functions:
wolfSSL_CTX_load_verify_locations
wolfSSL_use_certificate_buffer (instead of wolfSSL_CTX_use_certificate_buffer)
wolfSSL_use_PrivateKey_buffer (instead of wolfSSL_CTX_use_PrivateKey_file)

The examples uses the function with CTX prefix, I couldn't make it work.. but using the mentioned functions works well.

Best Regards and thanks a lot!

Share

  • From: Bozeman, MT
  • Registered: 2010-10-20
  • Posts: 650

Re: wolfSSL embedded SSL is not sending its client certificate

Glad to hear you got things working.  That sounds like an interesting project!  When using the wolfSSL_CTX_xxx functions, did you try switching the order of the functions around like I suggested above?

- Chris

https://www.wolfssl.com

chrisc's Website

Share