I'm trying to connect to wikipedia.org:443 with OCSP Stapling (NOT V2)
I see the following error log:
wolfSSL Entering WOLFSSL_CTX_new
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering wolfSSL_CTX_set_verify
wolfSSL Entering wolfSSL_CTX_load_verify_locations
Getting dynamic buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
Getting dynamic buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
Getting dynamic buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
Getting dynamic buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
Getting dynamic buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
Getting dynamic buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
Getting dynamic buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
Getting dynamic buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
Connected to wikipedia.org:443!
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
wolfSSL Entering SSL_set_fd
wolfSSL Leaving SSL_set_fd, return 1
wolfSSL Entering wolfSSL_CTX_EnableOCSP
wolfSSL Entering wolfSSL_CertManagerEnableOCSP
wolfSSL Entering InitOCSP
wolfSSL Entering wolfSSL_CTX_EnableOCSPStapling
wolfSSL Entering wolfSSL_CertManagerEnableOCSPStapling
wolfSSL Entering InitOCSP
wolfSSL Entering SSL_connect()
growing output buffer

Shrinking output buffer

connect state: CLIENT_HELLO_SENT
growing input buffer

received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server hello
Certificate Status Request extension received
wolfSSL Entering VerifyClientSuite
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
growing input buffer

received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing certificate
Loading peer's cert chain
    Put another cert into chain
    Put another cert into chain
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
Certificate Policy extension not supported yet.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
About to verify certificate signature
Adding CA from chain
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
Certificate Policy extension not supported yet.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return 0
Verifying Peer's cert
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
Certificate Policy extension not supported yet.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAltNames
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
About to verify certificate signature
Verified Peer's cert
wolfSSL Entering InitOcspRequest
----------- date_override_cb -------------
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing certificate status
wolfSSL Entering InitOcspResponse
wolfSSL Entering OcspResponseDecode
wolfSSL Entering GetEnumerated
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicOcspResponse
wolfSSL Entering DecodeResponseData
wolfSSL Entering GetBasicDate
wolfSSL Entering DecodeSingleResponse
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering DecodeOcspRespExtensions
thisDate
    32 30 31 36 30 37 31 33 32 30 33 32 30 31 5a 00 | 20160713203201Z.
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
nextDate
    32 30 31 36 30 37 31 37 32 30 33 32 30 31 5a 00 | 20160717203201Z.
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
growing output buffer

Shrinking output buffer

wolfSSL Leaving DoHandShakeMsgType(), return -406
wolfSSL Leaving DoHandShakeMsg(), return -406
wolfSSL error occurred, error = -406
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -406
wolfSSL Entering ERR_error_string
SSL handshake error: Bad Certificate Status Message Error
wolfSSL Entering SSL_CTX_free
CTX ref count not 0 yet, no free
wolfSSL Leaving SSL_CTX_free, return 0
wolfSSL Entering wolfSSL_Cleanup



Upon tracing, I see that it errors out here:
   if (source[idx++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1))
        return ASN_PARSE_E;


inside DecodeOcspRespExtensions

What is the reason and how do I correct this?

2

(1 replies, posted in wolfSSL)

How do I temporarily ignore all date check errors (ASN_BEFORE/AFTER_DATE_E)
(For cert load, OCSP checking, etc...)

This should be configurable, like, only for a certain handshake, I should be able to ignore all types of date validity errors.

3

(1 replies, posted in wolfSSL)

I am running my SSL client and trying to handshake with reddit.com. I'm using OCSP stapling (NOT V2).
I get the following OCSP confirm signature failed error messsage:

wolfSSL Entering WOLFSSL_CTX_new
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering wolfSSL_CTX_set_verify
wolfSSL Entering wolfSSL_CTX_load_verify_locations
Getting dynamic buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
Connected to reddit.com:443!
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
wolfSSL Entering SSL_set_fd
wolfSSL Leaving SSL_set_fd, return 1
wolfSSL Entering wolfSSL_CTX_EnableOCSP
wolfSSL Entering wolfSSL_CertManagerEnableOCSP
wolfSSL Entering InitOCSP
wolfSSL Entering wolfSSL_CTX_EnableOCSPStapling
wolfSSL Entering wolfSSL_CertManagerEnableOCSPStapling
wolfSSL Entering InitOCSP
wolfSSL Entering SSL_connect()
growing output buffer

Shrinking output buffer

connect state: CLIENT_HELLO_SENT
growing input buffer

received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server hello
Certificate Status Request extension received
wolfSSL Entering VerifyClientSuite
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
growing input buffer

received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing certificate
Loading peer's cert chain
    Put another cert into chain
    Put another cert into chain
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
    There are more CRL Distribution Point records, but we only use the first one.
wolfSSL Entering GetObjectId()
Certificate Policy extension not supported yet.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
About to verify certificate signature
Adding CA from chain
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
    There are more CRL Distribution Point records, but we only use the first one.
wolfSSL Entering GetObjectId()
Certificate Policy extension not supported yet.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return 0
Verifying Peer's cert
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAltNames
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
    There are more CRL Distribution Point records, but we only use the first one.
wolfSSL Entering GetObjectId()
Certificate Policy extension not supported yet.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
About to verify certificate signature
Verified Peer's cert
wolfSSL Entering InitOcspRequest
----------- date_override_cb -------------
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing certificate status
wolfSSL Entering InitOcspResponse
wolfSSL Entering OcspResponseDecode
wolfSSL Entering GetEnumerated
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicOcspResponse
wolfSSL Entering DecodeResponseData
wolfSSL Entering GetBasicDate
wolfSSL Entering DecodeSingleResponse
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    OCSP Confirm signature failed
thisDate
    32 30 31 36 30 37 31 32 31 39 31 38 30 30 5a 00 | 20160712191800Z.
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
nextDate
    32 30 31 36 30 37 31 39 31 38 33 33 30 30 5a 00 | 20160719183300Z.
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
growing output buffer

Shrinking output buffer

wolfSSL Leaving DoHandShakeMsgType(), return -406
wolfSSL Leaving DoHandShakeMsg(), return -406
wolfSSL error occurred, error = -406
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -406
wolfSSL Entering ERR_error_string
SSL handshake error: Bad Certificate Status Message Error
wolfSSL Entering SSL_CTX_free
CTX ref count not 0 yet, no free
wolfSSL Leaving SSL_CTX_free, return 0
wolfSSL Entering wolfSSL_Cleanup


I've compiled with:
./configure --enable-tlsx --enable-supportedcurves --disable-fastmath --enable-ocspstapling C_EXTRA_FLAGS="-DWOLFSSL_ALWAYS_VERIFY_CB -DWOLFSSL_STATIC_RSA -DWOLFSSL_STATIC_DH -DWOLFSSL_STATIC_PSK -g1" --enable-debug

I see these similar errors with a bunch of other servers, like wikipedia.org for example.
Why is this happening, and how can I prevent it from happening?

4

(2 replies, posted in wolfSSL)

Based on my understanding of the SSL protocol and the wolfSSL behavior (https://www.wolfssl.com/wolfSSL/Docs-wo … cates.html), it seems that we only need the root CA.

However, at this point, I am guessing that for normal OCSP stapling (not v2), the OCSP response that wolfSSL will receive and verify would pertain to the SSL host it is connecting to. Is this understanding correct?

5

(9 replies, posted in wolfSSL)

Thanks for the reply. Is there any way to override this behavior?

This doesn't quite make sense to me. Isn't the certificate chain updated during the handshake? Would this callback be able to override data errors there??

Also, what about OCSP checks? Does this callback override those, or does it not?

I did a test where I added a date override callback, rolled back my clock, and tried to connect.

About to verify certificate signature
No CA signer to verify with
Failed to verify Peer's cert
    Callback override available, will continue
wolfSSL Entering InitOcspRequest
----------- date_override_cb -------------
wolfSSL Entering ERR_error_string
In verification callback, error = -188, ASN no signer error to confirm failure
Subject's domain name is officeapps.live.com
Cert error is not date error, not overriding
growing output buffer


Now, I know for a fact that I have the right CA cert loaded up, coz when I pull the clock to real time, this works. Looks like the error reporting here is incorrect. I looked at the code, there is indeed, a call to ParseCertRelative, which does a date check...

So it seems like this override callback is not really doing what it claims, or I am doing something wrong. Not sure which is the case.

6

(2 replies, posted in wolfSSL)

I have a few basic questions about wolfSSL

How can it verify a cert chain, if I only specify a CA cert? From where does it get intermediate certs from? (like intermediate CAs)?

Also related to this, assuming I just use OCSP stapling (not V2), and assuming I have a cert chain, does wolfSSL receive and verify an OCSP response for the immediate parent in the chain?

7

(3 replies, posted in wolfSSL)

Hi Chris

Why does this have to be OCSP stapling v2? I tried -W 1 but gives another error:

wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
wolfSSL Entering wolfSSL_CTX_EnableOCSP
wolfSSL Entering wolfSSL_CertManagerEnableOCSP
wolfSSL Entering InitOCSP
wolfSSL Entering SSL_set_fd
wolfSSL Leaving SSL_set_fd, return 1
wolfSSL Entering SSL_connect()
growing output buffer

wolfSSL Entering SetOcspReqExtensions
Shrinking output buffer

connect state: CLIENT_HELLO_SENT
received record layer msg
got ALERT!
Got alert
wolfSSL error occurred, error = 40
wolfSSL error occurred, error = -313
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -313
wolfSSL Entering ERR_error_string
err = -313, revcd alert fatal error
wolfSSL error: SSL_connect failed

8

(1 replies, posted in wolfSSL)

I'm testing out some OCSP code with mozilla.org
I've loaded up the Mozilla CA cert (DigiCert_High_Assurance_EV_Root_CA.pem)

Based on what my browser tells me, the chain for mozilla.org looks like:

GTE Cyber Trust Global Root -> Baltimore Cyber Trust Root -> Digi Cert High Assurance Root -> Digi Cert SHA2 Extended Validation Server CA -> mozilla.org

(1) if I try with the GTE root, I get this error msg:
wolfSSL Entering WOLFSSL_CTX_new
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering wolfSSL_CTX_set_verify
wolfSSL Entering wolfSSL_CTX_load_verify_locations
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
Connected to mozilla.org:443!
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
wolfSSL Entering SSL_set_fd
wolfSSL Leaving SSL_set_fd, return 1
wolfSSL Entering wolfSSL_CTX_EnableOCSP
wolfSSL Entering wolfSSL_CertManagerEnableOCSP
wolfSSL Entering InitOCSP
wolfSSL Entering wolfSSL_CTX_EnableOCSPStapling
wolfSSL Entering wolfSSL_CertManagerEnableOCSPStapling
wolfSSL Entering InitOCSP
wolfSSL Entering SSL_connect()
growing output buffer

Shrinking output buffer

connect state: CLIENT_HELLO_SENT
growing input buffer

received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server hello
Certificate Status Request extension received
wolfSSL Entering VerifyClientSuite
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
growing input buffer

received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing certificate
Loading peer's cert chain
    Put another cert into chain
    Put another cert into chain
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Certificate Policy extension not supported yet.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
    There are more CRL Distribution Point records, but we only use the first one.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
About to verify certificate signature
No CA signer to verify with
Failed to verify CA from chain
Verifying Peer's cert
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAltNames
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
    There are more CRL Distribution Point records, but we only use the first one.
wolfSSL Entering GetObjectId()
Certificate Policy extension not supported yet.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
About to verify certificate signature
No CA signer to verify with
Failed to verify Peer's cert


(2) However, when I place DigiCert as the CA file, I get:

contacting mozilla.org
wolfSSL Entering WOLFSSL_CTX_new
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering wolfSSL_CTX_set_verify
wolfSSL Entering wolfSSL_CTX_load_verify_locations
Getting dynamic buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
Connected to mozilla.org:443!
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
wolfSSL Entering SSL_set_fd
wolfSSL Leaving SSL_set_fd, return 1
wolfSSL Entering wolfSSL_CTX_EnableOCSP
wolfSSL Entering wolfSSL_CertManagerEnableOCSP
wolfSSL Entering InitOCSP
wolfSSL Entering wolfSSL_CTX_EnableOCSPStapling
wolfSSL Entering wolfSSL_CertManagerEnableOCSPStapling
wolfSSL Entering InitOCSP
wolfSSL Entering SSL_connect()
growing output buffer

Shrinking output buffer

connect state: CLIENT_HELLO_SENT
growing input buffer

received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server hello
Certificate Status Request extension received
wolfSSL Entering VerifyClientSuite
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
growing input buffer

received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing certificate
Loading peer's cert chain
    Put another cert into chain
    Put another cert into chain
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Certificate Policy extension not supported yet.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
    There are more CRL Distribution Point records, but we only use the first one.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
About to verify certificate signature
Adding CA from chain
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Certificate Policy extension not supported yet.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
    There are more CRL Distribution Point records, but we only use the first one.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return 0
Verifying Peer's cert
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAltNames
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
    There are more CRL Distribution Point records, but we only use the first one.
wolfSSL Entering GetObjectId()
Certificate Policy extension not supported yet.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
About to verify certificate signature
Verified Peer's cert
wolfSSL Entering InitOcspRequest
----------- date_override_cb -------------
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing certificate status
wolfSSL Entering InitOcspResponse
wolfSSL Entering OcspResponseDecode
wolfSSL Entering GetEnumerated
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicOcspResponse
wolfSSL Entering DecodeResponseData
wolfSSL Entering GetBasicDate
wolfSSL Entering DecodeSingleResponse
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    OCSP Confirm signature failed
thisDate
    32 30 31 36 30 37 30 37 30 32 30 31 30 30 5a 00 | 20160707020100Z.
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
nextDate
    32 30 31 36 30 37 31 34 30 31 31 36 30 30 5a 00 | 20160714011600Z.
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
growing output buffer

Shrinking output buffer

wolfSSL Leaving DoHandShakeMsgType(), return -406
wolfSSL Leaving DoHandShakeMsg(), return -406
wolfSSL error occurred, error = -406
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -406
wolfSSL Entering ERR_error_string
SSL handshake error: Bad Certificate Status Message Error
wolfSSL Entering SSL_CTX_free
CTX ref count not 0 yet, no free
wolfSSL Leaving SSL_CTX_free, return 0
wolfSSL Entering wolfSSL_Cleanup


Why does this happen? And why does this OCSP signature failed error come in the second case??

9

(9 replies, posted in wolfSSL)

wolfSSL Entering WOLFSSL_CTX_new
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering wolfSSL_CTX_set_verify
wolfSSL Entering wolfSSL_CTX_load_verify_locations
Getting dynamic buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return -150
wolfSSL error occurred, error = -150
CA Parse failed, with progress in file.
Search for other certs in file
wolfSSL Entering ERR_error_string
error loading up CA cert: ASN date error, current date before
wolfSSL Entering SSL_CTX_free
CTX ref count down to 0, doing full free
wolfSSL Entering wolfSSL_CertManagerFree
wolfSSL Leaving SSL_CTX_free, return 0
wolfSSL Entering wolfSSL_Cleanup

10

(9 replies, posted in wolfSSL)

OK. Doing it now. I'll post back in a couple minutes!

11

(3 replies, posted in wolfSSL)

I try the foll:

./examples/client/client  -h mozilla.org -p 443 -W  -A DigiCert_High_Assurance_EV_Root_CA.pem
err = -188, ASN no signer error to confirm failure
wolfSSL error: SSL_connect failed


and I get the above error.
When I remove the OCSP stapling part, I get

./examples/client/client  -h mozilla.org -p 443  -A DigiCert_High_Assurance_EV_Root_CA.pem
SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Server response: HTTP/1.0 400 Bad request
Content-Type: text/html

<h2>Client sent a bad requ

which seems like it connected fine. Any idea why OCSP is failing

12

(9 replies, posted in wolfSSL)

Thanks for the reply. I tried this code, but I've noticed very strange behavior.

I've placed a call to wolfSSL_CTX_set_verify right before I do a wolfSSL_CTX_load_verify_locations. My VerifyCallback is the same code as the myDateCb.

Then I set the clock on my system to the start of the epoch (Jan 1, 1970) and then I run my code. I get an error message saying ASN date error, current date before. I also see that my VerifyCallback is not even called (I simply have a printf printing whenever it is called)

When I set my clock to correct date and time, I do see that the VerifyCallback is getting called. Why this strange behavior?

    wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, date_override_cb);

    //Load up CA certs
    if ((err = wolfSSL_CTX_load_verify_locations(ctx, NULL, capath)) != SSL_SUCCESS) {
      logsslerror(err, "error loading up CA cert");
    }

13

(9 replies, posted in wolfSSL)

I only want to disable the date/time checking in cert validation (server cert, ocsp certs etc). Is this possible? I don't want to disable it in general for the library, but only for a particular client using the library. Is there some API I can call to do this? Or some combination of APIs?

14

(14 replies, posted in wolfSSL)

Updates. After debugging the code, I've boiled it down to CertStatus.thisDate and .nextDate

I edited code in wolfcrypt/src/asn.c (DecodeSingleResponse) and I was able to dump the thisDate and nextDate buffers. But how do I access this stuff from a normal program using the wolfSSL API? Is this supported or not?

15

(14 replies, posted in wolfSSL)

Keep in mind that this is OCSP stapling. The client should not go and contact some OCSP responder on its own. It should expect an OCSP response as part of the handshake. My goal is to retrieve the OCSP response data once a handshake is sucessful, and once the library has verified the OCSP response to be legitimate. Am I using the right functions here?

16

(14 replies, posted in wolfSSL)

The CB is not getting called. This is what I have:

int ocspCb(void *a, const char* url, int urlSz, unsigned char *req, int reqSz, unsigned char **resp)
{
  int retVal = EmbedOcspLookup(a, url, urlSz, req, reqSz, resp);
  printf("resp: %s\n", *resp);

  return retVal;
}

void ocspRespFree(void *a, unsigned char *b)
{
  EmbedOcspRespFree(a, b);
}


if((use_ocsp = wolfSSL_CTX_UseOCSPStapling(ctx, WOLFSSL_CSR_OCSP, 0)) != SSL_SUCCESS)
              logsslerror(use_ocsp, "OCSP Error");

            if((use_ocsp = wolfSSL_CTX_EnableOCSP(ctx, 0)) != SSL_SUCCESS)
              logsslerror(use_ocsp, "CTX_EnableOCSP error");

            if((use_ocsp = wolfSSL_CTX_EnableOCSPStapling(ctx)) != SSL_SUCCESS)
              logsslerror(use_ocsp, "CTX_EnableOCSPStapling error");

            if((use_ocsp = wolfSSL_CTX_SetOCSP_Cb(ctx, ocspCb, ocspRespFree, NULL)) != SSL_SUCCESS)
              logsslerror(use_ocsp, "OCSP CB Error");

            if (wolfSSL_connect_ex(ssl, handShakeCB, timeoutCB, timeout) == SSL_SUCCESS)
            {
              printf("%s\n", "SSL handshake complete");
              processServerRandom(ssl);
            }
            else {
              int err2 = wolfSSL_get_error(ssl, 0);
              logsslerror(err2, "SSL handshake error");
            }


why does this not work? the last void* param seems to not be used in any function, so I'm confusued about what;s going wrong.

17

(14 replies, posted in wolfSSL)

what is the correct way to use these functions?

I have:
int ocspCb(void *a, const char* url, int urlSz, unsigned char *req, int reqSz, unsigned char **resp)
{
  int retVal = EmbedOcspLookup(a, url, urlSz, req, reqSz, resp);
  printf("resp: %s\n", *resp);

  return retVal;
}

and in registration I have:

if((use_ocsp = wolfSSL_CTX_SetOCSP_Cb(ctx, ocspCb, ocspRespFree, NULL)) != SSL_SUCCESS)
              logsslerror(use_ocsp, "OCSP CB Error");


Not sure what to pass as the last argument

18

(14 replies, posted in wolfSSL)

Now I have this code:

if (host != NULL) {
        sockfd = socket(host->ai_family, host->ai_socktype, host->ai_protocol);
        int ret = connect(sockfd, host->ai_addr, host->ai_addrlen);
        if (ret < 0)
          printf("error in connect: %s\n", strerror(errno));
        else {
          printf("Connected to %s:%s!\n", hostname, port);

          if ((ssl = wolfSSL_new(ctx)) == NULL)
            printf("%s\n", "wolfSSL_new error");
          else {
            wolfSSL_set_fd(ssl, sockfd);

            //set ourselves up so that we can access the ServerHello and OCSP stapling
            wolfSSL_KeepArrays(ssl);
            int use_ocsp;
            if((use_ocsp = wolfSSL_CTX_UseOCSPStapling(ctx, WOLFSSL_CSR_OCSP, 0)) != SSL_SUCCESS)
              logsslerror(use_ocsp, "OCSP Error");

            if((use_ocsp = wolfSSL_CTX_EnableOCSP(ctx, 0)) != SSL_SUCCESS)
              logsslerror(use_ocsp, "CTX_EnableOCSP error");

            if((use_ocsp = wolfSSL_CTX_EnableOCSPStapling(ctx)) != SSL_SUCCESS)
              logsslerror(use_ocsp, "CTX_EnableOCSPStapling error");

            if((use_ocsp = wolfSSL_CTX_SetOCSP_Cb(ctx, ocspCb, NULL, NULL)) != SSL_SUCCESS)
              logsslerror(use_ocsp, "OCSP CB Error");

            if (wolfSSL_connect_ex(ssl, handShakeCB, timeoutCB, timeout) == SSL_SUCCESS)
            {
              printf("%s\n", "SSL handshake complete");
              processServerRandom(ssl);
            }
            else {
              int err2 = wolfSSL_get_error(ssl, 0);
              logsslerror(err2, "SSL handshake error");
            }
          }
        }

But the callback doesn;t get called. My only goal is to get the OCSP response data from the Server Hello.

19

(14 replies, posted in wolfSSL)

OK. so I used wireshark to find out that the bing.com server does not understand status_request_v2. It only understands status_request (i.e., regular ocsp stapling), so I recompiled with --enable-ocsp stapling, and I updated my code to:

            if((use_ocsp = wolfSSL_UseOCSPStapling(ssl, WOLFSSL_CSR2_OCSP, 0)) != SSL_SUCCESS)
              logsslerror(use_ocsp, "OCSP Error");

            if((use_ocsp = wolfSSL_CTX_EnableOCSPStapling(ctx)) != SSL_SUCCESS)
              logsslerror(use_ocsp, "CTX_EnableOCSP error");

            if((use_ocsp = wolfSSL_SetOCSP_Cb(ssl, ocspCb, NULL, NULL)) != SSL_SUCCESS)
              logsslerror(use_ocsp, "OCSP CB Error");

Now based on wireshark, I can see the OCSP response in the Server Hello, but my callback is still not getting called.

20

(14 replies, posted in wolfSSL)

So some progress. I did:

            if((use_ocsp = wolfSSL_UseOCSPStaplingV2(ssl, WOLFSSL_CSR2_OCSP, 0)) != SSL_SUCCESS)
              logsslerror(use_ocsp, "OCSP Error");

            if((use_ocsp = wolfSSL_CTX_EnableOCSP(ctx, 0)) != SSL_SUCCESS)
              logsslerror(use_ocsp, "CTX_EnableOCSP error");

            if((use_ocsp = wolfSSL_SetOCSP_Cb(ssl, ocspCb, NULL, NULL)) != SSL_SUCCESS)
              logsslerror(use_ocsp, "OCSP CB Error");

with an ocsp callback of the form:

int ocspCb(void *a, const char* url, int urlSz, unsigned char *req, int reqSz, unsigned char **resp)
{
  printf("ocsp cb\n");
}


Now when I try it with bing.com and root cert of BaltimoreCyberTrustRoot.pem

I get as output error:

Connected to bing.com:443!
ocsp cb
hsi: ClientHello
hsi: ServerHello
hsi: Certificate
hsi: Alert
SSL handshake error: OCSP Responder lookup fail


Any idea what this means? I have enabled callbacks on the SSL handshake, and callbacks on the OCSP CB IO, which does not seem to be documented, but I got it from the wolfssl/ssh.h header

How is it possible that the callback is called so early in the handshake process?

My goal is to extract the thisDate, nextDate (which I think correspond to the thisUpdate, nextUpdate fields as per OCSP stapling RFC)

21

(1 replies, posted in wolfSSL)

Hi

I'm trying to do a debug version build with

./configure --enable-tlsx --enable-supportedcurves --disable-fastmath C_EXTRA_FLAGS="-DOPENSSL_EXTRA -DWOLFSSL_CALLBACKS" --enable-ocspstapling2  --enable debug and I get the error:

/usr/bin/ld: final link failed: Memory exhausted
collect2: error: ld returned 1 exit status
make[1]: *** [src/libwolfssl.la] Error 1
make[1]: Leaving directory `/home/earlence/ntp/wolfssl-3.9.0'


I'm building on Ubuntu 13.04 and this error comes only when I have the --enable-debug option. If I remove that option, it builds fine. Any idea how to sort this? I saw another post on this forum with the same error, but the solution there was to disable debugging. I do need debugging, so that is not an option

22

(14 replies, posted in wolfSSL)

I'd like to access the ocsp response and extract the thisUpdate, nextUpdate, etc fields for data collection.

23

(14 replies, posted in wolfSSL)

Thanks, I can setup the API now, but how do I access the OCSP response?

24

(5 replies, posted in wolfSSL)

Some more info.

I compiled with with ./configure --enable-tlsx --enable-supportedcurves --disable-fastmath --enable-sslv3 --enable-curve25519 --enable-debug

and then $ ./examples/client/client -h google.com -p 443 -A ../ssltime/certs/Equifax_Secure_CA.pem seems to work. However, when I try

./examples/client/client -h umich.edu -p 443 -A ../ssltime/certs/AddTrust_External_Root.pem

I get:

connect state: CLIENT_HELLO_SENT
SSL version error
wolfSSL error occurred, error = -326
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -326
wolfSSL Entering ERR_error_string
err = -326, record layer version error
wolfSSL error: SSL_connect failed


with -v 1:

connect state: CLIENT_HELLO_SENT
received record layer msg
got ALERT!
Got alert
wolfSSL error occurred, error = 40
wolfSSL error occurred, error = -313
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -313
wolfSSL Entering ERR_error_string
err = -313, revcd alert fatal error
wolfSSL error: SSL_connect failed


with -v 2:

connect state: CLIENT_HELLO_SENT
SSL version error
wolfSSL error occurred, error = -326
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -326
wolfSSL Entering ERR_error_string
err = -326, record layer version error
wolfSSL error: SSL_connect failed


with -v 3:

connect state: CLIENT_HELLO_SENT
SSL version error
wolfSSL error occurred, error = -326
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -326
wolfSSL Entering ERR_error_string
err = -326, record layer version error
wolfSSL error: SSL_connect failed


I also wrote my own sample program to do an SSL handshake:

struct addrinfo* resolveHost(char *hostname, char *port) {
  struct addrinfo hints, *res, *p;
  int status;
  char ipstr[INET6_ADDRSTRLEN];

  memset(&hints, 0, sizeof hints);
  hints.ai_family = AF_UNSPEC; //IP v4 or v6 we dont care
  hints.ai_socktype = SOCK_STREAM;

  status = getaddrinfo(hostname, port, &hints, &res);
  if (status != 0)
    return NULL;

  /*for(p = res; p != NULL; p = p->ai_next)
  {
    void *addr;

    if (p->ai_family == AF_INET) //IPv4
    {
      struct sockaddr_in *ipv4 = (struct sockaddr_in *) p->ai_addr;
      addr = &(ipv4->sin_addr);
    }
    else
    {
      struct sockaddr_in6 *ipv6 = (struct sockaddr_in6 *) p->ai_addr;
      addr = &(ipv6->sin6_addr);
    }

    //convert IP to string
    inet_ntop(p->ai_family, addr, ipstr, sizeof ipstr);
    printf("%s\n", ipstr);
  }

  freeaddrinfo(res);*/

  return res; //to be freed upon program exit
}

void driver(char *hostname, char *port, char *capath) {
  int sockfd;
  WOLFSSL_CTX* ctx;
  WOLFSSL* ssl;

  wolfSSL_Init();

  struct addrinfo *host = resolveHost(hostname, port);

  if ((ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())) == NULL)
    printf("%s\n", "wolfSSL_CTX_new error");
  else {
    //load up CA certs
    int err;
    if ((err = wolfSSL_CTX_load_verify_locations(ctx, capath, NULL)) != SSL_SUCCESS) {
      char buffer[WOLFSSL_MAX_ERROR_SZ];
      printf("%s: %s\n", "error loading up CA cert", wolfSSL_ERR_error_string(err, buffer));
    }
    else {
      //we are ready to SSL handshake
      if (host != NULL) {
        sockfd = socket(host->ai_family, host->ai_socktype, host->ai_protocol);
        int ret = connect(sockfd, host->ai_addr, host->ai_addrlen);
        if (ret < 0)
          printf("error in connect: %s\n", strerror(errno));
        else {
          printf("Connected to %s:%s!\n", hostname, port);

          if ((ssl = wolfSSL_new(ctx)) == NULL)
            printf("%s\n", "wolfSSL_new error");
          else {
            wolfSSL_set_fd(ssl, sockfd);
            if (wolfSSL_connect(ssl) == SSL_SUCCESS)
              printf("%s\n", "SSL handshake complete");
            else {
              int err = wolfSSL_get_error(ssl, 0);
              char buffer[WOLFSSL_MAX_ERROR_SZ];
              printf("%s: %s\n", "SSL handshake error", wolfSSL_ERR_error_string(err, buffer));
            }
          }
        }
      }
      else
           printf("error looking up IP for %s\n", hostname);
    }
  }

  wolfSSL_CTX_free(ctx);
  wolfSSL_Cleanup();

  close(sockfd);
  freeaddrinfo(host);
}

int main(int argc, char *argv[]) {
  char *hostname = (char *) argv[1];
  char *port = (char *) argv[2];
  char *cert = (char *) argv[3];
  printf("cert: %s\n", cert);
  driver(hostname, port, cert);
  return 0;
}

and when I run this like

./a.out google.com 443 Equifax_Secure_CA.pem

I get the usual recvd alert fatal error.

Not sure what's going on here. Did I compile incorrectly? Did I install incorrectly?

25

(5 replies, posted in wolfSSL)

Some more information:
I took all the pem files from my /etc/ssl/certs dir and made a new dir. I then used one of those based on the host I was trying to ssl handshake with.

for instance:

./examples/client/client -h umich.edu -p 443 -A mycerts/AddTrust_External_Root.pem -v 1 -d
err = -313, revcd alert fatal error
wolfSSL error: SSL_connect failed

I compiled wolfSSL like the following

./configure --enable-tlsx --enable-supportedcurves --disable-fastmath
make
sudo make install

But I still get that error. Any ideas?