
(1 replies, posted in wolfSSL)

Hi,

When I am using the 'openssl s_client' tool, I can print the peer certificates sent by the server on the console with a parameter called '-showcerts'. When I use this I can see the certificates in PEM format on the console.

Is there any way to print peer certificates in PEM or DER format on the console? It does not have to be a parameter like '-showcerts'; if you know which variable or which function holds those certificates, I can put a print statement there.

I am asking this because, when I run the openssl command 'openssl s_client -showcerts -connect <hostname and port>', I can see the peer certificates (a cert chain with two certificates), but I believe there might be a problem with wolfSSL getting the right certificates from the server.

Hi Anthony,
Of course I can give some details about the project. I am trying to connect to a secure websocket server with an ESP32 board using the IDF framework, the websocket component and wolfSSL. I got the same error (-188) when I tried with the ESP32. So I just wanted to try the simple client example which wolfSSL has, but I got the same error.

I am using a trust anchor certificate which is signed by a CA root certificate when I try to connect to that server. I believe there is an issue here which causes the error.

wolfSSL should stop checking the certificate chain and finish validating the connection when it meets the trust anchor certificate, but it tries to find its issuer, which is the CA root certificate I don't have. This issue is related to another post of mine (https://www.wolfssl.com/forums/topic2035-equivalent-config-for-x509vflagpartialchain.html). In that post you can see that there is a flag setting which solves this issue for Python. I already tested the Python part and it worked.

I am not definitely sure, but if I can set wolfSSL to stop and finish verification successfully when it reaches the trust anchor certificate, that may solve the problem.

In Python, there is a configuration setting when creating an SSL context:
```
ssl_context.verify_flags |= 0x80000  # Refers to setting X509_V_FLAG_PARTIAL_CHAIN flag.
```
Is there any configuration setting in wolfSSL similar to this X509_V_FLAG_PARTIAL_CHAIN flag?

Note: The X509_V_FLAG_PARTIAL_CHAIN flag causes intermediate certificates in the trust store to be treated as trust anchors, in the same way as self-signed root CA certificates. This makes it possible to trust certificates issued by an intermediate CA without having to trust its ancestor root CA.

I am trying to connect to a secure websocket server with the wolfSSL client example. I run the client example like:

```
./build/examples/client/client -h xx.x.xxx.com -p 443 -c certs/client_cert.pem -k certs/client_key.pem -A certs/server_cert.pem
```

After I run this I get an error saying 'wolfSSL_connect error -188, ASN no signer error to confirm failure', from which I assume there is a problem with the server certificate I gave as a parameter with -A.

But I am sure that this certificate setup works with Python code like:
```
import ssl

ssl_context = ssl.create_default_context()
ssl_context.load_verify_locations(server_cert_path)            # trust anchor given to -A above
ssl_context.load_cert_chain(client_cert_path, client_key_path)  # client cert/key given to -c/-k
```
What am I missing?

P.S. I unfortunately cannot share the host address and the certificates.
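The situation described in the two posts above (a trust store holding only an intermediate CA, and the partial-chain question) reproduced with OpenSSL, as an added example that is not code from this thread or from wolfSSL. It builds a constructed root -> intermediate -> leaf chain in a temporary directory, puts only the intermediate in the trust store, and compares default verification with X509_V_FLAG_PARTIAL_CHAIN (`openssl verify -partial_chain`); it assumes an `openssl` binary on PATH.

```shell
#!/bin/sh
# Constructed test chain: root -> intermediate -> leaf. The root is generated here
# only so the intermediate can be signed; the client below never trusts it.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed root CA
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=Example Root CA" -days 2 >/dev/null 2>&1

# Intermediate CA signed by the root; must carry CA:TRUE to act as a trust anchor
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile inter.ext -out inter.pem -days 2 >/dev/null 2>&1

# Leaf (server) certificate signed by the intermediate
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=server.example" >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:server.example\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -extfile leaf.ext -out leaf.pem -days 2 >/dev/null 2>&1

# verify_leaf MODE: "strict" is the default chain build, which must end at a
# self-signed root; "partial" sets X509_V_FLAG_PARTIAL_CHAIN so the intermediate
# in the store is itself a trust anchor. Returns openssl's exit status.
verify_leaf() {
  if [ "$1" = partial ]; then
    openssl verify -partial_chain -CAfile inter.pem leaf.pem >/dev/null 2>&1
  else
    openssl verify -CAfile inter.pem leaf.pem >/dev/null 2>&1
  fi
}

# Trust store contains only inter.pem, like passing the intermediate via -A.
strict_result=$(verify_leaf strict && echo ok || echo fail)
partial_result=$(verify_leaf partial && echo ok || echo fail)
echo "intermediate-only trust store: default verify -> $strict_result, partial_chain -> $partial_result"
```

The default run fails with "unable to get issuer certificate" for the same reason the poster sees "ASN no signer": the verifier keeps walking up to find the root; the partial-chain run stops at the intermediate and succeeds.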