Hi Anthony,

The pull request I meant is to the FreeRTOS repo, which contains a socket wrapper interface from wolfSSL to FreeRTOS+TCP. I have created the PR and merged it. Please refer: https://github.com/FreeRTOS/FreeRTOS/pull/1217

Thanks,
Tony

Hi Anthony,

Thanks a lot for suggesting the config flag and verifying the demo on your side.

Adding `WOLFSSL_ALT_CERT_CHAINS` fixes the issue, the reason it was not working immediately was because there is a bug with handling error codes in the socket wrapper layer created for wolfssl to FreeRTOS+TCP stack. I will create pull request to fix the bug in the demo.

Thanks,
Tony

Hi Anthony,

Thanks for the reply.

I defined `WOLFSSL_ALT_CERT_CHAINS` in `user_settings.h` and tested again. The demo still fails during the TLS handshake, but this time got a different log:

DNS[0x8A08]: The answer to 'a2jtk2rms8uea8-ats.iot.us-east-1.amazonaws.com' (54.156.121.159) will be stored
FreeRTOS_connect: 64320 to 54.156.121.159:8883
[INFO] [SocketsWrapper] [TCP_Sockets_Connect:189] Established TCP connection with a2jtk2rms8uea8-ats.iot.us-east-1.amazonaws.com.
wolfSSL Entering wolfSSLv23_client_method_ex
wolfSSL Entering wolfSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
heap param is null
DYNAMIC_TYPE_CERT_MANAGER Allocating = 100 bytes
wolfSSL Leaving wolfSSL_CTX_new_ex, return 0
wolfSSL_CTX_load_verify_locations_ex
Getting dynamic buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering DecodeSubjKeyId
        Parsed new CA
        Freeing Parsed CA
        Freeing der CA
                OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
wolfSSL Entering wolfSSL_CTX_use_certificate_file
Getting dynamic buffer
wolfSSL Entering PemToDer
Checking cert signature type
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
Not ECDSA cert signature
wolfSSL Entering wolfSSL_CTX_use_PrivateKey_file
Getting dynamic buffer
wolfSSL Entering PemToDer
wolfSSL Entering wolfSSL_new
wolfSSL Entering ReinitSSL
RNG_HEALTH_TEST_CHECK_SIZE = 128
sizeof(seedB_data)         = 128
wolfSSL Entering SetSSL_CTX
wolfSSL Entering wolfSSL_NewSession
InitSSL done. return 0 (success)
wolfSSL_new InitSSL success
wolfSSL Leaving wolfSSL_new InitSSL =, return 0
TLS 1.2 or lower
wolfSSL Entering wolfSSL_connect
wolfSSL Entering ReinitSSL
wolfSSL Entering RetrySendAlert
wolfSSL Entering SendTls13ClientHello
Adding signature algorithms extension
Adding supported versions extension
wolfSSL Entering EccMakeKey
wolfSSL Leaving EccMakeKey, return 0
growing output buffer
Key Share extension to write
Supported Versions extension to write
Signature Algorithms extension to write
Point Formats extension to write
Supported Groups extension to write
Encrypt-Then-Mac extension to write
EMS extension to write
Shrinking output buffer
wolfSSL Leaving SendTls13ClientHello, return 0
connect state: CLIENT_HELLO_SENT
Server state up to needed state.
Progressing server state...
ProcessReply...
wolfSSL Entering RetrySendAlert
growing input buffer
received record layer msg
got HANDSHAKE
wolfSSL Entering wolfSSL_get_options
wolfSSL Entering DoTls13HandShakeMsg
wolfSSL Entering EarlySanityCheckMsgReceived
wolfSSL Leaving EarlySanityCheckMsgReceived, return 0
wolfSSL Entering DoTls13HandShakeMsgType
processing server hello
wolfSSL Entering DoTls13ServerHello
Point Formats extension received
Extended Master Secret extension received
wolfSSL Entering wolfSSL_get_options
wolfSSL Entering VerifyClientSuite
wolfSSL Leaving DoTls13ServerHello, return 0
wolfSSL Leaving DoTls13HandShakeMsgType(), return 0
wolfSSL Leaving DoTls13HandShakeMsg, return 0
Shrinking input buffer
ProcessReply done.
Progressing server state...
ProcessReply...
wolfSSL Entering RetrySendAlert
growing input buffer
received record layer msg
got HANDSHAKE
wolfSSL Entering DoHandShakeMsg
wolfSSL Entering EarlySanityCheckMsgReceived
wolfSSL Leaving EarlySanityCheckMsgReceived, return 0
wolfSSL Entering DoHandShakeMsgType
processing certificate
wolfSSL Entering DoCertificate
wolfSSL Entering ProcessPeerCerts
Loading peer's cert chain
        Put another cert into chain
        Put another cert into chain
        Put another cert into chain
        Put another cert into chain
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering DecodeCrlDist
Certificate Policy extension not supported yet.
No CA signer to verify with
Failed to verify CA from chain
Trying alternate cert chain
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering DecodeCrlDist
Certificate Policy extension not supported yet.
No CA signer to verify with
Failed to verify CA from chain
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering DecodeCrlDist
Certificate Policy extension not supported yet.
CA found
wolfSSL Entering ConfirmSignature
mp_to_unsigned_bin_len_ct...
wolfSSL Leaving ConfirmSignature, return 0
Adding CA from chain
Modifying SSL_CTX CM not SSL specific CM
Adding a CA
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering DecodeCrlDist
Certificate Policy extension not supported yet.
CA found
        Parsed new CA
        Freeing Parsed CA
        Freeing der CA
                OK Freeing der CA
wolfSSL Leaving AddCA, return 0
Verifying Peer's cert
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering DecodeAltNames
Certificate Policy extension not supported yet.
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering DecodeCrlDist
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering DecodeBasicCaConstraint
CA found
wolfSSL Entering ConfirmSignature
mp_to_unsigned_bin_len_ct...
wolfSSL Leaving ConfirmSignature, return 0
Verified Peer's cert
wolfSSL Leaving ProcessPeerCerts, return 0
wolfSSL Leaving DoCertificate, return 0
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
Shrinking input buffer
ProcessReply done.
Progressing server state...
ProcessReply...
wolfSSL Entering RetrySendAlert
growing input buffer
received record layer msg
got HANDSHAKE
wolfSSL Entering DoHandShakeMsg
wolfSSL Entering EarlySanityCheckMsgReceived
wolfSSL Leaving EarlySanityCheckMsgReceived, return 0
wolfSSL Entering DoHandShakeMsgType
processing server key exchange
wolfSSL Entering DoServerKeyExchange
wolfSSL Entering RsaVerify
mp_to_unsigned_bin_len_ct...
wolfSSL Leaving RsaVerify, return 51
wolfSSL Leaving DoServerKeyExchange, return 0
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
Shrinking input buffer
ProcessReply done.
Progressing server state...
ProcessReply...
wolfSSL Entering RetrySendAlert
growing input buffer
received record layer msg
got HANDSHAKE
wolfSSL Entering DoHandShakeMsg
wolfSSL Entering EarlySanityCheckMsgReceived
wolfSSL Leaving EarlySanityCheckMsgReceived, return 0
wolfSSL Entering DoHandShakeMsgType
processing certificate request
wolfSSL Entering DoCertificateRequest
wolfSSL Leaving DoCertificateRequest, return 0
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
Shrinking input buffer
ProcessReply done.
Progressing server state...
ProcessReply...
wolfSSL Entering RetrySendAlert
received record layer msg
got HANDSHAKE
wolfSSL Entering DoHandShakeMsg
wolfSSL Entering EarlySanityCheckMsgReceived
wolfSSL Leaving EarlySanityCheckMsgReceived, return 0
wolfSSL Entering DoHandShakeMsgType
processing server hello done
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
ProcessReply done.
connect state: HELLO_AGAIN
connect state: HELLO_AGAIN_REPLY
connect state: FIRST_REPLY_DONE
wolfSSL Entering SendCertificate
growing output buffer
Shrinking output buffer
wolfSSL Leaving SendCertificate, return 0
sent: certificate
connect state: FIRST_REPLY_FIRST
wolfSSL Entering SendClientKeyExchange
wolfSSL Entering EccMakeKey
wolfSSL Leaving EccMakeKey, return 0
wolfSSL Entering EccSharedSecret
wolfSSL Leaving EccSharedSecret, return 0
growing output buffer
Shrinking output buffer
wolfSSL Leaving SendClientKeyExchange, return 0
sent: client key exchange
connect state: FIRST_REPLY_SECOND
wolfSSL Entering SendCertificateVerify
Trying RSA private key
Using RSA private key
wolfSSL Entering RsaSign
mp_to_unsigned_bin_len_ct...
wolfSSL Leaving RsaSign, return 0
wolfSSL Entering VerifyRsaSign
mp_to_unsigned_bin_len_ct...
wolfSSL Leaving VerifyRsaSign, return 0
wolfSSL Entering SendHandshakeMsg
growing output buffer
Shrinking output buffer
wolfSSL Leaving SendCertificateVerify, return 0
sent: certificate verify
connect state: FIRST_REPLY_THIRD
growing output buffer
wolfSSL error occurred, error = -308
wolfSSL Entering wolfSSL_shutdown
wolfSSL Leaving wolfSSL_shutdown, return -1
wolfSSL Entering wolfSSL_free
Free SSL: 00826A14
Free'ing client ssl
Shrinking output buffer
Key Share extension free
Supported Versions extension free
Signature Algorithms extension to free
Point Formats extension free
Supported Groups extension free
Encrypt-Then-Mac extension free
wolfSSL Entering ClientSessionToSession
wolfSSL Entering wolfSSL_FreeSession
wolfSSL_FreeSession full free
CTX ref count not 0 yet, no free
wolfSSL Leaving wolfSSL_free, return 0
wolfSSL Entering wolfSSL_CTX_free
CTX ref count down to 0, doing full free
wolfSSL Entering wolfSSL_CertManagerFree
wolfSSL Leaving wolfSSL_CTX_free, return 0
8 7665 [MQTTDemo] [ERROR] [TlsTransport] [tlsSetup:338] Failed to establish a TLS connection
vAssertCalled( C:\Users\tonyjosi\Documents\Projects\FreeRTOS\FreeRTOS-Plus\Demo\coreMQTT_Windows_Simulator\MQTT_Mutual_Auth_wolfSSL\DemoTasks\MutualAuthMQTTExample.c, 526 )

The newly suspected log lines are:

sent: certificate verify
connect state: FIRST_REPLY_THIRD
growing output buffer
wolfSSL error occurred, error = -308
wolfSSL Entering wolfSSL_shutdown
wolfSSL Leaving wolfSSL_shutdown, return -1
wolfSSL Entering wolfSSL_free

Thanks & regards,
Tony

I'm trying out the following wolfssl based demo:
https://github.com/FreeRTOS/FreeRTOS/tr … th_wolfSSL

But the TLS handshake is not succeeding when Im connecting to the AWS IoT core. I have verified that the ciphers used by wolfssl and AWS IoT are compatible. Please find below the logs:

[INFO] [SocketsWrapper] [TCP_Sockets_Connect:189] Established TCP connection with a2jtk2rms8uea8-ats.iot.us-east-1.amazonaws.com.
wolfSSL Entering wolfSSLv23_client_method_ex
wolfSSL Entering wolfSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
heap param is null
DYNAMIC_TYPE_CERT_MANAGER Allocating = 100 bytes
wolfSSL Leaving wolfSSL_CTX_new_ex, return 0
wolfSSL_CTX_load_verify_locations_ex
Getting dynamic buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering DecodeCrlDist
Certificate Policy extension not supported yet.
        Parsed new CA
        Freeing Parsed CA
        Freeing der CA
                OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
wolfSSL Entering wolfSSL_CTX_use_certificate_file
Getting dynamic buffer
wolfSSL Entering PemToDer
Checking cert signature type
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
Not ECDSA cert signature
wolfSSL Entering wolfSSL_CTX_use_PrivateKey_file
Getting dynamic buffer
wolfSSL Entering PemToDer
wolfSSL Entering wolfSSL_new
wolfSSL Entering ReinitSSL
RNG_HEALTH_TEST_CHECK_SIZE = 128
sizeof(seedB_data)         = 128
wolfSSL Entering SetSSL_CTX
wolfSSL Entering wolfSSL_NewSession
InitSSL done. return 0 (success)
wolfSSL_new InitSSL success
wolfSSL Leaving wolfSSL_new InitSSL =, return 0
TLS 1.2 or lower
wolfSSL Entering wolfSSL_connect
wolfSSL Entering ReinitSSL
wolfSSL Entering RetrySendAlert
wolfSSL Entering SendTls13ClientHello
Adding signature algorithms extension
Adding supported versions extension
wolfSSL Entering EccMakeKey
wolfSSL Leaving EccMakeKey, return 0
growing output buffer
Key Share extension to write
Supported Versions extension to write
Signature Algorithms extension to write
Point Formats extension to write
Supported Groups extension to write
Encrypt-Then-Mac extension to write
EMS extension to write
Shrinking output buffer
wolfSSL Leaving SendTls13ClientHello, return 0
connect state: CLIENT_HELLO_SENT
Server state up to needed state.
Progressing server state...
ProcessReply...
wolfSSL Entering RetrySendAlert
growing input buffer
received record layer msg
got HANDSHAKE
wolfSSL Entering wolfSSL_get_options
wolfSSL Entering DoTls13HandShakeMsg
wolfSSL Entering EarlySanityCheckMsgReceived
wolfSSL Leaving EarlySanityCheckMsgReceived, return 0
wolfSSL Entering DoTls13HandShakeMsgType
processing server hello
wolfSSL Entering DoTls13ServerHello
Point Formats extension received
Extended Master Secret extension received
wolfSSL Entering wolfSSL_get_options
wolfSSL Entering VerifyClientSuite
wolfSSL Leaving DoTls13ServerHello, return 0
wolfSSL Leaving DoTls13HandShakeMsgType(), return 0
wolfSSL Leaving DoTls13HandShakeMsg, return 0
Shrinking input buffer
ProcessReply done.
Progressing server state...
ProcessReply...
wolfSSL Entering RetrySendAlert
growing input buffer
received record layer msg
got HANDSHAKE
wolfSSL Entering DoHandShakeMsg
wolfSSL Entering EarlySanityCheckMsgReceived
wolfSSL Leaving EarlySanityCheckMsgReceived, return 0
wolfSSL Entering DoHandShakeMsgType
processing certificate
wolfSSL Entering DoCertificate
wolfSSL Entering ProcessPeerCerts
Loading peer's cert chain
        Put another cert into chain
        Put another cert into chain
        Put another cert into chain
        Put another cert into chain
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering DecodeCrlDist
Certificate Policy extension not supported yet.
No CA signer to verify with
Failed to verify CA from chain
wolfSSL error occurred, error = -188
wolfSSL Entering SendAlert
wolfSSL Entering SendAlert
SendAlert: 48 unknown_ca
growing output buffer
Shrinking output buffer
wolfSSL Leaving SendAlert, return 0
wolfSSL Leaving ProcessPeerCerts, return -188
wolfSSL Leaving DoCertificate, return -188
wolfSSL Leaving DoHandShakeMsgType(), return -188
wolfSSL Leaving DoHandShakeMsg(), return -188
wolfSSL error occurred, error = -188
wolfSSL error occurred, error = -188
wolfSSL Entering wolfSSL_shutdown
wolfSSL Leaving wolfSSL_shutdown, return -1
wolfSSL Entering wolfSSL_free
Free SSL: 00596A14
Free'ing client ssl
Shrinking input buffer
Key Share extension free
Supported Versions extension free
Signature Algorithms extension to free
Point Formats extension free
Supported Groups extension free
Encrypt-Then-Mac extension free
wolfSSL Entering ClientSessionToSession
wolfSSL Entering wolfSSL_FreeSession
wolfSSL_FreeSession full free
CTX ref count not 0 yet, no free
wolfSSL Leaving wolfSSL_free, return 0
wolfSSL Entering wolfSSL_CTX_free
CTX ref count down to 0, doing full free
wolfSSL Entering wolfSSL_CertManagerFree
wolfSSL Leaving wolfSSL_CTX_free, return 0
8 7722 [MQTTDemo] [ERROR] [TlsTransport] [tlsSetup:338] Failed to establish a TLS connection
vAssertCalled( C:\Users\tonyjosi\Documents\Projects\FreeRTOS\FreeRTOS-Plus\Demo\coreMQTT_Windows_Simulator\MQTT_Mutual_Auth_wolfSSL\DemoTasks\MutualAuthMQTTExample.c, 526 )

This is the wolfssl config/settings used: https://github.com/FreeRTOS/FreeRTOS/bl … settings.h

The same ROOT CA, certificate and private key works when I use the mbedTLS to connect to the AWS IoT, so the credentials seems to be fine.

I'm suspecting the following log lines:

Certificate Policy extension not supported yet.
No CA signer to verify with
Failed to verify CA from chain
wolfSSL error occurred, error = -188
wolfSSL Entering SendAlert
wolfSSL Entering SendAlert
SendAlert: 48 unknown_ca

But I'm not sure about the reason for the error.

This is the Root CA used: RSA 2048 bit key listed here: https://docs.aws.amazon.com/iot/latest/ … tion-certs