Hi Chris,

I thought the issue may be due to unicode characters in the file, but that doesn't explain the returned error code. Looking forward to hearing any insights you may have.

cheers

p

Hi

Attached is the PEM file in question. Have I missed something fundamental about the format?

cheers

p

I have a PEM file formatted as follows, holding many certificates:

-----BEGIN CERTIFICATE-----
MIIDIzCCAoygAwIBAgIEMAAAAjANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJV
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
bGljIFByaW1hcnkgQ2V
bcV0oveifHtgPHfNDs5IAn8BL7abN+AqKjbc1YXWrOU/VG+WHgWv
-----END CERTIFICATE-----
etc

The function returns error -148, referenced as ASN_UNKNOWN_OID_E (ASN oid error, unknown sum id). The same file is used by my antivirus and appears to work in that context. Does the function expect each cert to have an X509 identifier?
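An added example, not from the post or from wolfSSL, for a bundle laid out as above: it splits the file into its BEGIN/END CERTIFICATE blocks and flags any block whose body contains a byte outside the base64 alphabet, so a loader failure on the whole file can be traced to one block (the Unicode-character suspicion raised in the reply at the top of this page). The sample bundle, with its truncated bodies and the stray non-ASCII byte, is constructed.

```c
/* Added example, not from the post or from wolfSSL: split a multi-certificate PEM
 * bundle into its BEGIN/END CERTIFICATE blocks and flag any body byte outside the
 * base64 alphabet, so one bad block can be pinpointed instead of the whole file
 * being rejected. SAMPLE_BUNDLE is constructed; its second block holds a UTF-8 "é". */
#include <string.h>

#define BEGIN_MARK "-----BEGIN CERTIFICATE-----"
#define END_MARK   "-----END CERTIFICATE-----"

struct pem_block {
    const char *body; size_t len; int bad_char;   /* body: just after the BEGIN line; bad_char: non-base64 byte seen */
};

static int is_b64(unsigned char c) {
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') ||
           c == '+' || c == '/' || c == '=' || c == '\r' || c == '\n';
}

/* Returns the number of complete blocks, or -1 if a BEGIN has no matching END. */
int pem_split(const char *bundle, struct pem_block *out, int max) {
    int n = 0;
    const char *p = bundle;
    while (n < max && (p = strstr(p, BEGIN_MARK)) != NULL) {
        const char *start = p + strlen(BEGIN_MARK);
        const char *end = strstr(start, END_MARK);
        if (end == NULL) return -1;                 /* truncated bundle */
        out[n].body = start;
        out[n].len = (size_t)(end - start);
        out[n].bad_char = 0;
        for (size_t i = 0; i < out[n].len; i++)
            if (!is_b64((unsigned char)start[i])) { out[n].bad_char = 1; break; }
        n++;
        p = end + strlen(END_MARK);
    }
    return n;
}

/* Index of the first block with a non-base64 byte, or -1 if every body is clean. */
int first_bad_block(const char *bundle) {
    struct pem_block blocks[16];
    int n = pem_split(bundle, blocks, 16);
    for (int i = 0; i < n; i++)
        if (blocks[i].bad_char) return i;
    return -1;
}

static const char SAMPLE_BUNDLE[] =                 /* constructed; bodies are truncated */
    "-----BEGIN CERTIFICATE-----\nMIIDIzCCAoygAwIBAgIEMAAAAjANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJV\n"
    "-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n"
    "bGljIFByaW1hcnkgQ2V\xc3\xa9\n-----END CERTIFICATE-----\n";   /* \xc3\xa9 is "é" */
```

Calling first_bad_block(SAMPLE_BUNDLE) returns 1, pointing at the second block; each clean block can then be handed to a single-certificate loader on its own.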

4

(1 replies, posted in wolfSSL)

Is it possible to use a CTL contained on a single .pem file to verify server certificates, as a browser might? The instructions indicate that only a single cert can be loaded for verification at a time. This would seem dreadfully inefficient.

Hi Chris,

https://p5-iaztwlcygct3i-f3lphbry6go6wo … exp3/6.gif caused my SSL filter to crash because I generate individual certificates for the full hostname.

My workaround is to tunnel >64 char hosts, which suits my purposes. Would this situation normally be solved by chaining?

Cheers,
P

6

(4 replies, posted in wolfSSL)

@sumathi you have not provided much detail as to what you have done.

"I let wolfSSL take over as server" - have you imported your CA into the browsers' CTL? Are you successfully generating signed certificates on the fly as encrypted traffic passes through your proxy? If yes to the previous two questions, have you tested your proxy on multiple browsers or just one?

Unless you are trying to filter SSL traffic through your proxy, you should tunnel the secure traffic - no need to use any SSL library.

I need the commonName buffer to be bigger (some subdomain names can get quite large). When I either adjust the array size constant directly or alter the CTC_NAME_SIZE value, the resulting certificate gets all misaligned and basically doesn't work.

To save me reading through all the source code to connect the dots, which data do I need to change to do this?

enum Ctc_Misc {
    CTC_NAME_SIZE    =   64,
    CTC_DATE_SIZE    =   32,
    CTC_MAX_ALT_SIZE = 8192,    /* may be huge */
    CTC_SERIAL_SIZE  =    8
};

8

(3 replies, posted in wolfSSL)

Hi Chris,

Glad you guys are aware of that. FYI I downloaded wolfSSL 2.2.0 from the product download page of this website only 2 days ago and this bug was in that package.

Thanks
p

9

(3 replies, posted in wolfSSL)

I have successfully compiled and linked wolfSSL 2.2.0 to my project, but lines 421 and 422 of ssl.h do not compile.

The following two identifiers within an anonymous enum object...
OCSP_REQUEST  = 4,
OCSP_RESPONSE = 8,

...clash with these #define's in WinCrypt.h
#define OCSP_REQUEST                        ((LPCSTR) 66)
#define OCSP_RESPONSE                       ((LPCSTR) 67)

My question: Is this a bug in my code or does the wolfSSL API include WinCrypt.h somewhere and thus a bug in wolfSSL?

10

(4 replies, posted in wolfSSL)

Thanks Chris

Exactly the answer I needed.
For future searchers: chapter 10 of the wolfSSL Embedded SSL manual, section 10.5 Public Key Cryptography, elaborates on this a bit.

11

(4 replies, posted in wolfSSL)

I want to sign a certificate using the SignCert() function, but the private key (&caKey) is in PEM format. How can I convert the key from PEM and store it in an RsaKey struct?

Thanks.

12

(1 replies, posted in wolfSSL)

Actually the wolfSSL read function works fine pulling one byte from the socket. The problem was an infinite loop because strstr() never evaluated to false.

13

(1 replies, posted in wolfSSL)

I am trying to use wolfSSL embedded SSL to implement a chunked encoding handler and my code seems to fail at this point (after the socket has been set up and already used successfully):

    char tbuff[64];
    memset(tbuff, 0, sizeof(tbuff));
    recvLen = 0;
    /* Read one byte at a time until a CRLF appears. The bound keeps the final
       NUL in place so strstr() cannot run off the end of tbuff, and a read
       result <= 0 (error or peer closed) must break the loop or it never ends. */
    while (strstr(tbuff, "\r\n") == nullptr && recvLen < (int)sizeof(tbuff) - 1)
    {
        int ret = wolfSSL_read(cssl, buff, 1);   /* cssl and buff set up earlier */
        if (ret <= 0)
            break;                                /* wolfSSL_get_error(cssl, ret) gives the cause */
        tbuff[recvLen] = buff[0];
        recvLen += 1;
        cout << tbuff << endl;
    }

I realise the extreme inefficiency of this method to find a CRLF but is there any reason why wolfSSL would fail here?
Thanks.

14

(8 replies, posted in wolfSSL)

Thanks for the insights into SSL and your help with the embedded SSL library. I'll take the advice on sniffing with Wireshark.

15

(8 replies, posted in wolfSSL)

So at the SSL handshake point it is not unreasonable to use wolfSSL for that abstraction. Is the failure likely to be a certificate issue? I would have expected the browser to prompt a warning of an untrusted certificate if wolfSSL succeeded in completing the handshake?

16

(8 replies, posted in wolfSSL)

Hi Todd,

Thanks for the heads up on unencrypted traffic.

Yes, precisely: the proxy sends back "HTTP/1.0 200 Connection established" after making the connection. I assume the client then sends "GET HTTPS://....", which I have wolfSSL handle in server mode, at which point the browser produces said error.

The reason for this is to make a "bridging" proxy, to be able to monitor my SSL traffic in cleartext at a local HTTP proxy level.

I tried wolfSSL_read() after a socket had been accept()'ed the usual way; at the time my proxy was opening a new thread for each request from the browser, so the invalid nullptr was probably because the object was on a different thread.

17

(8 replies, posted in wolfSSL)

So I wrote an HTTP proxy that sends a 200 OK back to the browser after receiving a CONNECT request and connecting to the host. After this point I let wolfSSL take over as server, but the browser spits up an HTTP 107 SSL error. Is it a certificate issue or have I got the protocol wrong?

As for unencrypted traffic, when I let it go through wolfSSL I get a hang, and clicking abandon crashes VC2010; otherwise a breakpoint is triggered with an invalid null pointer somewhere in the library code. Wouldn't mind a simple yes/no from someone who knows on this one.

18

(8 replies, posted in wolfSSL)

Questions:
1. Can wolfSSL handle unencrypted traffic?
2. Can wolfSSL handle HTTP/1.1 CONNECT requests for SSL tunnelling?
3. If 'yes' to either of the above, is there any documentation for reference?

p
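An added example, not from the posts or from wolfSSL, covering the CONNECT flow asked about in this thread and the crash on hostnames longer than 64 characters reported a few posts up: it parses the CONNECT request line, marks hosts that would not fit a 64-byte commonName for plain tunnelling (the workaround described earlier), and classifies the client's first bytes after the 200 reply as a TLS handshake record or plaintext, so unencrypted traffic is never handed to the SSL layer. CTC_NAME_SIZE is the value quoted from the Ctc_Misc enum above; the 256-byte host cap and the step names are assumptions.

```c
/* Added example, not from the posts or from wolfSSL: what a CONNECT proxy should
 * decide before handing a client socket to an SSL library in server mode. The
 * request line is parsed, hosts too long for a 64-byte commonName are tunnelled
 * untouched (the workaround from the earlier post), and the client's first bytes
 * after the 200 reply are checked for a TLS handshake record; plaintext is
 * tunnelled too. HOST_MAX derives from the CTC_NAME_SIZE value quoted above. */
#include <string.h>
#include <stdio.h>
#include <stdlib.h>

#define CTC_NAME_SIZE 64                /* from wolfSSL's Ctc_Misc enum */
#define HOST_MAX (CTC_NAME_SIZE - 1)    /* longest host that still leaves room for the NUL */

enum next_step { STEP_BAD_REQUEST, STEP_TUNNEL, STEP_FILTER };

struct connect_req { char host[256]; int port; };   /* 256 is an assumed cap */

/* Parse "CONNECT host:port HTTP/1.x". Returns 1 on success, 0 on a malformed line. */
int parse_connect(const char *line, struct connect_req *r) {
    char target[300], ver[16];
    if (sscanf(line, "CONNECT %299s HTTP/%15s", target, ver) != 2) return 0;
    char *colon = strrchr(target, ':');
    if (colon == NULL || colon == target || colon[1] == '\0') return 0;
    *colon = '\0';
    if (strlen(target) >= sizeof(r->host)) return 0;
    strcpy(r->host, target);
    r->port = atoi(colon + 1);
    return r->port > 0 && r->port <= 65535;
}

/* A TLS record begins with content type 0x16 (handshake) and major version 0x03. */
int looks_like_tls(const unsigned char *buf, size_t n) {
    return n >= 3 && buf[0] == 0x16 && buf[1] == 0x03;
}

/* Decide the next step once "HTTP/1.0 200 Connection established" has been sent.
 * peek/n are the first bytes the client sent afterwards (e.g. read with MSG_PEEK). */
enum next_step decide(const char *request_line, const unsigned char *peek, size_t n) {
    struct connect_req r;
    if (!parse_connect(request_line, &r)) return STEP_BAD_REQUEST;
    if (strlen(r.host) > HOST_MAX) return STEP_TUNNEL;   /* would overflow commonName: pass through */
    if (!looks_like_tls(peek, n)) return STEP_TUNNEL;    /* plaintext: nothing for the SSL layer */
    return STEP_FILTER;                                  /* ClientHello: safe to hand to server-mode SSL */
}
```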