1

(3 replies, posted in wolfSSL)

John, thank you for your reply.
I used wolfSSL 3.4.6.
Configure was:

./configure C_EXTRA_FLAGS="-DNO_CYASSL_SERVER" --enable-opensslextra --enable-sni --enable-sessioncerts --enable-hc128 --with-ntru=/usr

With the same configure, but compiled with the latest GitHub sources (3.4.8), it works now.

Thank you again
Greetings
Hans-Juergen Petrich

2

(3 replies, posted in wolfSSL)

Dear Team,

Does wolfSSL have, in this case, any altname check issues?

wget http://www.startssl.com/certs/ca.pem
examples/client/client -p 443 -m -v 1 -A ./ca.pem -h jabber.se

Fails with:

err = -322, peer subject name mismatch
wolfSSL error: SSL_connect failed

While

examples/client/client -p 443 -m -v 1 -A ./ca.pem -h www.jabber.se

Works.

peer's cert info:
issuer : /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
subject: /C=SE/CN=www.jabber.se/emailAddress=postmaster@jabber.se
altname = jabber.se
altname = www.jabber.se
serial number:10:36:d9
SSL version is TLSv1
SSL cipher suite is TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Any ideas why "altname = jabber.se" is being ignored?

Thank you in advance for help
Hans-Juergen Petrich
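
Added example (not part of the original post and not wolfSSL's code): a stand-alone C implementation of the name check the post expects, where the requested host is compared against every altname in the certificate and the subject CN is used only when no altnames are present. The function names are hypothetical, and the names in `JABBER_ALTNAMES` are copied from the certificate dump above.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Match one certificate DNS name (pattern) against the requested host.
 * A '*' is honoured only as the complete leftmost label and covers exactly
 * one label, so "*.jabber.se" matches "www.jabber.se" but not "jabber.se". */
static int dns_name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *rest = strchr(host, '.');   /* end of host's first label */
        if (rest == NULL || rest == host)
            return 0;
        if (strchr(pattern + 2, '.') == NULL)   /* reject "*.se" style names */
            return 0;
        return strcasecmp(pattern + 2, rest + 1) == 0;
    }
    if (strchr(pattern, '*') != NULL)
        return 0;                               /* no partial-label wildcards */
    return strcasecmp(pattern, host) == 0;
}

/* Returns 1 if host is covered by the certificate names, else 0.
 * When altnames (dNSName entries) exist, only they are consulted;
 * the subject CN is a fallback for certificates without altnames. */
int host_matches_cert(const char *host, const char *subject_cn,
                      const char *const *altnames, size_t n_altnames)
{
    size_t i;
    if (host == NULL || *host == '\0')
        return 0;
    for (i = 0; i < n_altnames; i++)
        if (dns_name_matches(altnames[i], host))
            return 1;
    if (n_altnames == 0 && subject_cn != NULL)
        return dns_name_matches(subject_cn, host);
    return 0;
}

/* Names taken from the "peer's cert info" output quoted in the post. */
static const char *const JABBER_ALTNAMES[] = { "jabber.se", "www.jabber.se" };

int check_jabber(const char *host)
{
    return host_matches_cert(host, "www.jabber.se", JABBER_ALTNAMES, 2);
}
```

With the altnames passed in, both `jabber.se` and `www.jabber.se` are accepted; with the CN alone, `jabber.se` is rejected, which is the mismatch reported above.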

Hi Todd

In my test:

wget http://www.startssl.com/certs/ca.pem
examples/client/client -h jabber.se -p 443 -v 1 -A ./ca.pem -m

Fails (on my local Windows7 machine) with:

err = -322, peer subject name mismatch
yassl error: SSL_connect failed

While

examples/client/client -h www.jabber.se -p 443 -v 1 -A ./ca.pem -m

Works.

issuer : /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
subject: /C=SE/CN=www.jabber.se/emailAddress=postmaster@jabber.se
altname = jabber.se
altname = www.jabber.se
serial number:10:36:d9

In the (StartSSL) cert, the CN=www.jabber.se and altname=jabber.se... so it should work... shouldn't it?

Or did I miss something?

Thank you for your time.
Greetings Hans-Jürgen Petrich


PS: client.exe was compiled on Windows 7 (64-bit) with mingw32 with the following ./configure

./configure C_EXTRA_FLAGS="-DFP_MAX_BITS=8192" --host=i386-pc-mingw32 --enable-fastmath --enable-opensslextra --enable-sni --enable-sha512 --enable-sha --enable-aesgcm --enable-aesccm --enable-ecc --enable-sessioncerts --enable-hc128 && make

Thank you John... exactly what I was looking for.
Greetings Hans-Jürgen Petrich :-)

Hello Todd, thank you for your reply.
Ohh, I have to check it again (btw: I'm using version 3.2.0).
Maybe it's because I have to deal with wildcard* (alt)names in the cert. Does CyaSSL_check_domain_name() support wildcard (alt)names?

Thank you very much for your help.
Best greetings
Hans-Jürgen Petrich

Hello John,

Are you looking at just the exports from the library?

Yes. The exports (for these functions http://www.yassl.com/yaSSL/Docs-cyassl- … ility.html ) are missing in libwolfssl-5.dll with the above ./configure && make (under Windows)

The build of libwolfssl-5.dll runs otherwise fine. Only the openssl-compatibility (from the above link) functions are not exported from wolfSSL embedded SSL.

Did I miss something in the ./configure parameters maybe?

Thank you and greetings
Hans-Jürgen Petrich

Dear Team

our build is on windows 7 (64bit) via mingw32(bit), configured with:

./configure C_EXTRA_FLAGS="-DFP_MAX_BITS=8192 -DNO_WOLFSSL_SERVER" --host=i386-pc-mingw32 --enable-fastmath --enable-opensslextra --enable-sni

Compiled with no errors but the openssl-compatibility functions (from: http://www.yassl.com/yaSSL/Docs-cyassl- … ility.html ) will not be exported in the libwolfssl-5.dll

Everything else works fine.

I was looking in the Makefile, and found the -DOPENSSL_EXTRA define flag:

AM_CFLAGS = -DOPENSSL_EXTRA -D_POSIX_THREADS  -DHAVE_THREAD_LS -DNDEBUG  -DHAVE_AESGCM -DHAVE_AESCCM -DWOLFSSL_SHA512 -DWOLFSSL_SHA384 -DNO_DSA -DHAVE_ECC -DTFM_ECC256 -DECC_SHAMIR -DNO_PSK -DNO_DH -DNO_MD4 -DNO_HC128 -DNO_RABBIT -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DUSE_FAST_MATH -Wall -Wno-unused -O2 -fomit-frame-pointer

Any ideas why the openssl-compatibility functions are not available in the dll?

Thank you
Greetings
Hans-Jürgen Petrich

Dear Team

currently CyaSSL_check_domain_name() does not verify altNames in the cert.

It would be great to have a 3rd parameter for this, i.e.:
CyaSSL_check_domain_name(CYASSL* ssl, const char* dn, int checkAltName)
or similar.

What do you think?

Thank you for wolfSSL... 100% Top!
Greetings Hans-Jürgen Petrich

Hi Cuzz,
it seems that your case is another issue.
Did you try loading the proper certificate authority file with -A ?

I did. And it works.
The cert issuer on this SSL/TLS Server is GeoTrust. So I downloaded: http://www.geotrust.com/resources/root_ … bal_CA.pem first.

wget -O ../../certs/GeoTrust_Global_CA.pem http://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.pem
client.exe -h vpn-students.poly.edu -p 443 -v 1 -A certs/GeoTrust_Global_CA.pem

Result:

peer's cert info:
 issuer : /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
 subject: /C=US/ST=New York/L=Brooklyn/O=Polytechnic Institute of New York University/OU=Information Systems/CN=vpn-students.poly.edu
 altname = vpn-students.poly.edu
 serial number:01:82:4c
SSL version is TLSv1
SSL cipher suite is TLS_RSA_WITH_AES_256_CBC_SHA

Should work with your client.exe also.
Greetings Hans-Jürgen

Chris, thank you for your explanation... very interesting.
Building with the latest github source... it works :-)

Best greetings... and thank you again for your time
Hans-Jürgen

11

(2 replies, posted in wolfSSL)

Hi Yun,

But I did not find the place in the source code where this information is used for validation.

I think you are looking for:

wolfSSL_check_domain_name()
https://github.com/cyassl/cyassl/blob/m … ent.c#L628

and maybe additionally also for:
wolfSSL_CTX_load_verify_locations()
https://github.com/cyassl/cyassl/blob/m … ent.c#L535

Greetings Hans-Jürgen

Hi Chris

I hope I'm not wasting your time... but after additional TLS tests with the mentioned SSL/TLS server I'm, currently, not sure anymore where (and why :-) ) I'm stuck.

I was assuming that the SSL/TLS Server hobana.freenode.net (port 7000) accepts TLSv1 connects only if the client provides a cert.

Because with a client cert it works:

./examples/client/client -h hobana.freenode.net -p 7000 -v 1 -d -c certs/client-cert.pem -k certs/client-key.pem

While without a client cert it doesn't work:

./examples/client/client -h hobana.freenode.net -p 7000 -v 1 -d -x
(err = -213, revcd alert fatal error)

I then double-checked this with openssl's client, providing no client cert either and, to my surprise, openssl can connect successfully without a client cert:

openssl s_client -connect hobana.freenode.net:7000 -tls1

So now I'm, again, not sure why wolfSSL is unable to connect to hobana.freenode.net (port 7000) with TLSv1 without a client cert while openssl can.

Do you have any idea?

Thank you.
Hans-Jürgen :-)

Hi Chris,
can confirm that. Was, as said, my fault.

Background was:
I had some trouble with an SSL/TLS Server (hobana.freenode.net) [using TLSv1 or SSLv3 protocol] where a client cert is required if connecting with TLSv1, but if connecting with SSLv3 the Server does not require a cert from the client.

Strange anyhow, or?

I was connecting to the server using wolfSSLv23_client_method()... but didn't load a cert.

Because wolfSSLv23_client_method() is, of course, using TLSv1 first, the SSL_connect() failed with -1.
But it was working with wolfSSLv3_client_method().

I wrongly thought then that something with wolfSSLv23_client_method() was wrong... but didn't realize that this Server, only in TLSv1, requires a client cert, which I did not give. That's why the SSL_connect() failed with an alert.

I was testing it then with cacert.org... and the connect failed also. But the connect failed because the default was TLSv1.2 ... which cacert does not support....

But now it's all clear :-)

... thank you again for helping, and for wolfSSL embedded SSL!

Greetings
Hans-Jürgen :-)

Ahh, Chris... forget my last post about the wolfSSLv23_client_method() ... I didn't see that /examples/client/client is not using wolfSSLv23_client_method() as default, but wolfTLSv1_2_client_method() ... which, of course, will fail then on cacert.org

But I (still) have a similar problem with wolfSSLv23_client_method() on an SSLv3/TLSv1 Server... have to check it again.

Hi Chris

I understand. Thank you very much for your explanation. I was guessing something similar.
After defining FP_MAX_BITS >= 8192 it works.

Maybe you could mention it in the API docs somewhere, i.e. at wolfSSL_CTX_set_verify() and/or in the INSTALL?


Another question... just for understanding:
If I understand it right, wolfSSLv23_client_method() is meant for connecting to an SSL/TLS server with the highest possible SSL/TLS protocol, beginning from TLSv1.2 down to TLSv1.1 -> TLSv1 -> SSLv3

I noticed that if an SSL/TLS Server supports (only) SSLv3 and TLSv1 but not TLSv1.1/TLSv1.2 the connect will fail if using wolfSSLv23_client_method(), but will work only when using wolfTLSv1_client_method() or wolfSSLv3_client_method()

For example cacert.org (Supports SSLv3 and/or TLSv1, but not TLSv1.1/TLSv1.2):

using wolfSSLv23_client_method()

./examples/client/client -h www.cacert.org -p 443 -d
err = -226, record layer version error
yassl error: SSL_connect failed

using wolfSSLv3_client_method():

./examples/client/client -h www.cacert.org -p 443 -d -v 0
SSL version is SSLv3

using wolfTLSv1_client_method():

./examples/client/client -h www.cacert.org -p 443 -d -v 1
SSL version is TLSv1

While on an SSLv3, TLSv1, TLSv1.1, TLSv1.2 capable server, like google.com, wolfSSLv23_client_method() works fine, i.e.:

./examples/client/client -h google.com -p 443 -d
SSL version is TLSv1.2

So my question is, is there maybe a bug in wolfSSLv23_client_method() or is wolfSSLv23_client_method() meant only for SSLv3/TLSv1 servers, using the highest possible SSL/TLS version?

Thank you for your time.
Greetings
Hans-Jürgen

Hi There

It seems that wolfssl has problems verifying some (but not all) CA certs if compiled with --enable-fastmath (which is default)

For example:

unzip -q wolfssl-2.7.0.zip
cd wolfssl-2.7.0
./configure
make
wget http://www.cacert.org/certs/root.crt
./examples/client/client -h www.cacert.org -p 443 -v 1 -A root.crt

Result:

err = -188, ASN no signer error to confirm failure
yassl error: SSL_connect failed

If configured with

./configure --disable-fastmath

it works.

Result:

SSL version is TLSv1
SSL cipher suite is TLS_RSA_WITH_AES_256_CBC_SHA

Tested on Win7 x64 [AMD K10] with MinGW and CentOS 6 x64 [INTEL Xeon E31240] with gcc

Could you help?

(btw: Absolutely great product... Thank you very much for it)

Greetings
Hans-Jürgen Petrich