I added a callback for verification:

#include <wolfssl/ssl.h>

/* Called by wolfSSL for every certificate in the peer chain */
static int tls_verify_cb(int preverify, WOLFSSL_X509_STORE_CTX* store)
{
    char buffer[WOLFSSL_MAX_ERROR_SZ];

    Serial.printf("----------------TLS Verify Callback: PreVerify %d, Error %d (%s)\n\r", preverify,
        store->error, store->error != 0 ?
            wolfSSL_ERR_error_string(store->error, buffer) : "none");
    Serial.printf("----------------  Subject's domain name is %s\n\r", store->domain);

    if (store->error != 0) {
        /* Allowing to continue */
        /* Should check certificate and return 0 if not okay */
        Serial.println("--------------------  Allowing cert anyways");
    }

    /* Returning 1 overrides any verification error ("Verify callback overriding error!" in the log) */
    return 1;
}

wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, tls_verify_cb);

Logs:

wolfSSL Leaving DecodeCertPolicy, return 0
No CA signer to verify with
Failed to verify CA from chain
wolfSSL Entering wolfSSL_ERR_error_string
----------------TLS Verify Callback: PreVerify 0, Error -188 (ASN no signer error to confirm failure)
----------------  Subject's domain name is Starfield Services Root Certificate Authority - G2
--------------------  Allowing cert anyways
Verify callback overriding error!
Adding CA from chain
Modifying SSL_CTX CM not SSL specific CM
Adding a CA

It seems to me that the Amazon certificate is not supported for verification?
https://www.amazontrust.com/repository/ … p_cps.html
https://www.amazontrust.com/repository/
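As an added diagnostic (not wolfSSL's or the poster's code), the helper below reads wolfSSL debug output like the logs in this thread and separates a safe rejection (error -188, alert 48 unknown_ca sent) from the risky state in the callback log above, where "Verify callback overriding error!" means the peer chain was accepted with no CA signer. The two log excerpts are constructed from lines quoted in this thread.

```python
import re

# Constructed excerpts of the wolfSSL debug output quoted in this thread.
LOG_WITH_OVERRIDE = """\
        Put another cert into chain
        Put another cert into chain
        Put another cert into chain
        Put another cert into chain
----------------TLS Verify Callback: PreVerify 0, Error -188 (ASN no signer error to confirm failure)
----------------  Subject's domain name is Starfield Services Root Certificate Authority - G2
Verify callback overriding error!
"""
LOG_WITHOUT_CALLBACK = """\
        Put another cert into chain
        Put another cert into chain
wolfSSL error occurred, error = -188
SendAlert: 48 unknown_ca
"""

CALLBACK_RE = re.compile(r"TLS Verify Callback: PreVerify (\d+), Error (-?\d+)")
ERROR_RE = re.compile(r"wolfSSL error occurred, error = (-?\d+)")
SUBJECT_RE = re.compile(r"Subject's domain name is (.+)")

def analyse(log):
    """Summarise one peer-chain verification from wolfSSL debug lines."""
    r = {"chain_len": 0, "error": 0, "subject": "", "overridden": False, "alert": ""}
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Put another cert into chain":
            r["chain_len"] += 1                      # one line per chain cert
        elif (m := CALLBACK_RE.search(line)):
            r["error"] = int(m.group(2))             # error handed to the callback
        elif (m := ERROR_RE.search(line)) and r["error"] == 0:
            r["error"] = int(m.group(1))             # no callback: library error only
        elif (m := SUBJECT_RE.search(line)):
            r["subject"] = m.group(1).strip()
        elif line == "Verify callback overriding error!":
            r["overridden"] = True                   # callback returned 1 on a failure
        elif line.startswith("SendAlert:"):
            r["alert"] = line.split(":", 1)[1].strip()
    return r

def verdict(r):
    """Distinguish a safe rejection from an insecure override."""
    if r["overridden"]:
        return "insecure: verify callback accepted chain with error %d" % r["error"]
    if r["error"] != 0:
        return "rejected: error %d, alert %s" % (r["error"], r["alert"] or "none")
    return "ok"
```

Feed it a full capture from the serial monitor; the chain length tells you how many certificates the broker presented, and the subject line names the certificate that found no signer in the loaded CA store.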

Thanks for the quick reply. I added the define you are talking about; I think one message disappeared but the rest remained:

No CA signer to verify with
Failed to verify CA from chain
wolfSSL error occurred, error = -188

Can you explain what this error is talking about?

Full logs:

06:03:36
1720505016
Waiting for time to be set...
Waiting for time to be set...
Waiting for time to be set...
WOLFSSL_USER_SETTINGS_ID: Arduino user_settings.h v5.7.0
wolfSSL server code disabled to save space.
wolfSSL Debugging is On!
WARNING: Unknown or no TLS session cache setting.
wolfSSL Entering wolfSSL_Init
wolfSSL Entering wolfCrypt_Init
Successfully called wolfSSL_Init
Here we go!
wolfSSL Entering TLSv1_2_client_method_ex
wolfSSL Entering wolfSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
heap param is null
DYNAMIC_TYPE_CERT_MANAGER Allocating = 100 bytes
wolfSSL Leaving wolfSSL_CTX_new_ex, return 0
Initializing certificates...
show_memory() not implemented for this platform
wolfSSL Entering wolfSSL_CTX_set_verify
Initializing certificates...
wolfSSL Entering wolfSSL_CTX_use_certificate_buffer
wolfSSL Entering PemToDer
Checking cert signature type
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
Not ECDSA cert signature
wolfSSL Leaving wolfSSL_CTX_use_certificate_buffer, return 1
Success: use certificate: server_cert_der_2048
wolfSSL Entering wolfSSL_CTX_use_PrivateKey_buffer
wolfSSL Entering PemToDer
wolfSSL Leaving wolfSSL_CTX_use_PrivateKey_buffer, return 1
Success: use private key buffer: server_key_der_2048
wolfSSL Entering wolfSSL_CTX_load_verify_buffer_ex
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering DecodeSubjKeyId
        Parsed new CA
        Freeing Parsed CA
        Freeing der CA
                OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
wolfSSL Leaving wolfSSL_CTX_load_verify_buffer_ex, return 1
Success: load_verify CTX_CA_CERT
Completed Arduino setup!

Starting Arduino loop() ...
Connecting to a3bhgcfnknbinz-ats.iot.eu-west-2.amazonaws.com:8883
Here we go...
Ok, checking...
Connected!
wolfSSL Entering wolfSSL_Init
Success: calling wolfSSL_Init
show_memory() not implemented for this platform
Calling ssl = wolfSSL_new(ctx)
wolfSSL Entering wolfSSL_new
wolfSSL Entering ReinitSSL
RNG_HEALTH_TEST_CHECK_SIZE = 128
sizeof(seedB_data)         = 128
wolfSSL Entering SetSSL_CTX
wolfSSL Entering wolfSSL_NewSession
InitSSL done. return 0 (success)
wolfSSL_new InitSSL success
wolfSSL Leaving wolfSSL_new InitSSL =, return 0
wolfSSL Entering wolfSSL_get_error
wolfSSL Leaving wolfSSL_get_error, return 0
Success: ssl object.
Connecting to wolfSSL TLS Secure Server...wolfSSL_connect ...
TLS 1.2 or lower
wolfSSL Entering wolfSSL_connect
wolfSSL Entering ReinitSSL
wolfSSL Entering RetrySendAlert
wolfSSL Entering SendClientHello
Adding signature algorithms extension
growing output buffer
Signature Algorithms extension to write
Point Formats extension to write
Supported Groups extension to write
Shrinking output buffer
wolfSSL Leaving SendClientHello, return 0
connect state: CLIENT_HELLO_SENT
Server state up to needed state.
Progressing server state...
ProcessReply...
wolfSSL Entering RetrySendAlert
growing input buffer
received record layer msg
got HANDSHAKE
wolfSSL Entering DoHandShakeMsg
wolfSSL Entering EarlySanityCheckMsgReceived
wolfSSL Leaving EarlySanityCheckMsgReceived, return 0
wolfSSL Entering DoHandShakeMsgType
processing server hello
wolfSSL Entering DoServerHello
Point Formats extension received
wolfSSL Entering wolfSSL_get_options
wolfSSL Entering VerifyClientSuite
wolfSSL Leaving DoServerHello, return 0
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
Shrinking input buffer
ProcessReply done.
Progressing server state...
ProcessReply...
wolfSSL Entering RetrySendAlert
growing input buffer
received record layer msg
got HANDSHAKE
wolfSSL Entering DoHandShakeMsg
wolfSSL Entering EarlySanityCheckMsgReceived
wolfSSL Leaving EarlySanityCheckMsgReceived, return 0
wolfSSL Entering DoHandShakeMsgType
processing certificate
wolfSSL Entering DoCertificate
wolfSSL Entering ProcessPeerCerts
Loading peer's cert chain
        Put another cert into chain
        Put another cert into chain
        Put another cert into chain
        Put another cert into chain
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering DecodeCrlDist
wolfSSL Entering DecodeCertPolicy
wolfSSL Leaving DecodeCertPolicy, return 0
No CA signer to verify with
Failed to verify CA from chain
wolfSSL error occurred, error = -188
wolfSSL Entering SendAlert
wolfSSL Entering SendAlert
SendAlert: 48 unknown_ca
growing output buffer
Shrinking output buffer
wolfSSL Leaving SendAlert, return 0
wolfSSL Leaving ProcessPeerCerts, return -188
wolfSSL Leaving DoCertificate, return -188
wolfSSL Leaving DoHandShakeMsgType(), return -188
wolfSSL Leaving DoHandShakeMsg(), return -188
wolfSSL error occurred, error = -188
wolfSSL error occurred, error = -188
wolfSSL_connect return result =-1
Failed connection, checking error.
wolfSSL Entering wolfSSL_get_error
wolfSSL Leaving wolfSSL_get_error, return -188
wolfSSL Entering wolfSSL_ERR_error_string
WOLFSSL Error: -188; ASN no signer error to confirm failure
err =-188

Connected!
SSL version is wolfSSL Entering wolfSSL_get_version
TLSv1.2
wolfSSL Entering wolfSSL_get_cipher
wolfSSL Entering wolfSSL_get_current_cipher
wolfSSL Entering wolfSSL_CIPHER_get_name
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Sending secure message to server: hello wolfssl!
wolfSSL Entering wolfSSL_write
handshake not complete, trying to finish
wolfSSL Entering wolfSSL_negotiate
TLS 1.2 or lower
wolfSSL Entering wolfSSL_connect
wolfSSL Entering ReinitSSL
wolfSSL Entering RetrySendAlert
Server state up to needed state.
Progressing server state...
ProcessReply...
ProcessReply retry in error state, not allowed
wolfSSL error occurred, error = -188
wolfSSL Leaving wolfSSL_negotiate, return -1
wolfSSL Leaving wolfSSL_write, return -1
wolfSSL Entering wolfSSL_get_error
wolfSSL Leaving wolfSSL_get_error, return -188
wolfSSL Entering wolfSSL_ERR_error_string
WOLFSSL Error: -188; ASN no signer error to confirm failure
Shutting down..wolfSSL Entering wolfSSL_shutdown
wolfSSL Leaving wolfSSL_shutdown, return -1

wolfSSL Entering wolfSSL_free
Free SSL: 0x3fca88c4
Free'ing client ssl
Shrinking input buffer
Signature Algorithms extension to free
Point Formats extension free
Supported Groups extension free
wolfSSL Entering ClientSessionToSession
wolfSSL Entering wolfSSL_FreeSession
wolfSSL_FreeSession full free
CTX ref count not 0 yet, no free
wolfSSL Leaving wolfSSL_free, return 0
Connection complete.
Done!

Hi
I have downloaded the example for Arduino and am trying to connect to AWS based on the certs generated from it. I have added my certs to the example:

byte rootCA[] PROGMEM = R"(
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
)";

byte clientKey[] PROGMEM = R"(
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
)";

byte clientCa[] PROGMEM = R"(
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
)";

method = wolfTLSv1_2_client_method();

/* device certificate (PEM) presented to the broker for client authentication */
ret = wolfSSL_CTX_use_certificate_buffer(ctx,
                                         clientCa,
                                         sizeof(clientCa),
                                         SSL_FILETYPE_PEM);

/* private key (PEM) matching the device certificate */
ret = wolfSSL_CTX_use_PrivateKey_buffer(ctx,
                                        clientKey,
                                        sizeof(clientKey),
                                        SSL_FILETYPE_PEM);

/* root CA (PEM) used to verify the broker's certificate chain */
ret = wolfSSL_CTX_load_verify_buffer(ctx,
                                     rootCA,
                                     sizeof(rootCA),
                                     SSL_FILETYPE_PEM);

I run the programme and get the logs below and an error -188 with the description "not yet supported":

19:49:54
1720468194
Waiting for time to be set...
WOLFSSL_USER_SETTINGS_ID: Arduino user_settings.h v5.7.0
wolfSSL server code disabled to save space.
wolfSSL Debugging is On!
WARNING: Unknown or no TLS session cache setting.
wolfSSL Entering wolfSSL_Init
wolfSSL Entering wolfCrypt_Init
Successfully called wolfSSL_Init
Here we go!
wolfSSL Entering TLSv1_2_client_method_ex
wolfSSL Entering wolfSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
heap param is null
DYNAMIC_TYPE_CERT_MANAGER Allocating = 100 bytes
wolfSSL Leaving wolfSSL_CTX_new_ex, return 0
Initializing certificates...
show_memory() not implemented for this platform
wolfSSL Entering wolfSSL_CTX_set_verify
Initializing certificates...
wolfSSL Entering wolfSSL_CTX_use_certificate_buffer
wolfSSL Entering PemToDer
Checking cert signature type
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
Not ECDSA cert signature
wolfSSL Leaving wolfSSL_CTX_use_certificate_buffer, return 1
Success: use certificate: server_cert_der_2048
wolfSSL Entering wolfSSL_CTX_use_PrivateKey_buffer
wolfSSL Entering PemToDer
wolfSSL Leaving wolfSSL_CTX_use_PrivateKey_buffer, return 1
Success: use private key buffer: server_key_der_2048
wolfSSL Entering wolfSSL_CTX_load_verify_buffer_ex
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering DecodeSubjKeyId
        Parsed new CA
        Freeing Parsed CA
        Freeing der CA
                OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
wolfSSL Leaving wolfSSL_CTX_load_verify_buffer_ex, return 1
Success: load_verify CTX_CA_CERT
Completed Arduino setup!
try mqtt
------------------- connect--------------------
Connected!
wolfSSL Entering wolfSSL_Init
Success: calling wolfSSL_Init
show_memory() not implemented for this platform
Calling ssl = wolfSSL_new(ctx)
wolfSSL Entering wolfSSL_new
wolfSSL Entering ReinitSSL
RNG_HEALTH_TEST_CHECK_SIZE = 128
sizeof(seedB_data)         = 128
wolfSSL Entering SetSSL_CTX
wolfSSL Entering wolfSSL_NewSession
InitSSL done. return 0 (success)
wolfSSL_new InitSSL success
wolfSSL Leaving wolfSSL_new InitSSL =, return 0
wolfSSL Entering wolfSSL_get_error
wolfSSL Leaving wolfSSL_get_error, return 0
Success: ssl object.
wolfSSL_connect ...
TLS 1.2 or lower
wolfSSL Entering wolfSSL_connect
wolfSSL Entering ReinitSSL
wolfSSL Entering RetrySendAlert
wolfSSL Entering SendClientHello
Adding signature algorithms extension
growing output buffer
Signature Algorithms extension to write
Point Formats extension to write
Supported Groups extension to write
Shrinking output buffer
wolfSSL Leaving SendClientHello, return 0
connect state: CLIENT_HELLO_SENT
Server state up to needed state.
Progressing server state...
ProcessReply...
wolfSSL Entering RetrySendAlert
growing input buffer
received record layer msg
got HANDSHAKE
wolfSSL Entering DoHandShakeMsg
wolfSSL Entering EarlySanityCheckMsgReceived
wolfSSL Leaving EarlySanityCheckMsgReceived, return 0
wolfSSL Entering DoHandShakeMsgType
processing server hello
wolfSSL Entering DoServerHello
Point Formats extension received
wolfSSL Entering wolfSSL_get_options
wolfSSL Entering VerifyClientSuite
wolfSSL Leaving DoServerHello, return 0
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
Shrinking input buffer
ProcessReply done.
Progressing server state...
ProcessReply...
wolfSSL Entering RetrySendAlert
growing input buffer
received record layer msg
got HANDSHAKE
wolfSSL Entering DoHandShakeMsg
wolfSSL Entering EarlySanityCheckMsgReceived
wolfSSL Leaving EarlySanityCheckMsgReceived, return 0
wolfSSL Entering DoHandShakeMsgType
processing certificate
wolfSSL Entering DoCertificate
wolfSSL Entering ProcessPeerCerts
Loading peer's cert chain
        Put another cert into chain
        Put another cert into chain
        Put another cert into chain
        Put another cert into chain
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering DecodeCrlDist
Certificate Policy extension not supported yet.
No CA signer to verify with
Failed to verify CA from chain
wolfSSL error occurred, error = -188
wolfSSL Entering SendAlert
wolfSSL Entering SendAlert
SendAlert: 48 unknown_ca
growing output buffer
Shrinking output buffer
wolfSSL Leaving SendAlert, return 0
wolfSSL Leaving ProcessPeerCerts, return -188
wolfSSL Leaving DoCertificate, return -188
wolfSSL Leaving DoHandShakeMsgType(), return -188
wolfSSL Leaving DoHandShakeMsg(), return -188
wolfSSL error occurred, error = -188
wolfSSL error occurred, error = -188
wolfSSL_connect return result =-1
Failed connection, checking error.
wolfSSL Entering wolfSSL_get_error
wolfSSL Leaving wolfSSL_get_error, return -188
wolfSSL Entering wolfSSL_ERR_error_string
WOLFSSL Error: -188; ASN no signer error to confirm failure
err =-188

Connected!
SSL version is wolfSSL Entering wolfSSL_get_version
TLSv1.2
wolfSSL Entering wolfSSL_get_cipher
wolfSSL Entering wolfSSL_get_current_cipher
wolfSSL Entering wolfSSL_CIPHER_get_name
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
---------ERROR--------
connect failed
disconnect

I came across information on the forum that error -188 is related to a wrongly uploaded certificate, but to be honest I don't know how it can be wrongly uploaded: 3 certificates and 3 functions. The certificates work and are correct, because the authentication passes if I use WiFiClientSecure on the same certs (mbedTLS based solution). I am also puzzled by the error above:

Certificate Policy extension not supported yet.
No CA signer to verify with
Failed to verify CA from chain
wolfSSL error occurred, error = -188

What am I doing wrong? The only modification from the example is the certs.
Many thanks for your help.