1

(3 replies, posted in wolfSSL)

anthony wrote:

Hi Isabella,

My name is Anthony and I am a member of the wolfSSL team. I will be helping you with this issue. This happens quite often when connecting to large web infrastructures. Please use --enable-altcertchains on your configure command line. If you don't use the configure script, please define WOLFSSL_ALT_CERT_CHAINS in your user_settings.h.

Here at wolfSSL we love learning about how people are using our libraries. Can you please tell me a bit about yourself, your use case and any other information that would give us some context so that we can better help you?

Warm regards, Anthony

Can using this #define cause issues with connections to infrastructures that don't need it? What does this #define do differently? Thank you.

2

(3 replies, posted in wolfSSL)

I'm trying to connect to AWS. I have loaded 4 certificates: the first 2 as root certificates, the others as the client certificate and key.
But I received the message "No CA signer to verify with".
These certificates are correct, because on another platform, with these certificates, I'm trying to connect.
Do you have any suggestions, please?
Thank you.

3

(1 replies, posted in wolfSSL)

Hello, I'm on the client side. I need to set the MTU, and to do this I have to #define WOLFSSL_DTLS.
My question is:
What does defining this imply? What's the difference between defining it or not?
Is it also possible to use it with TLS 1.3?
Thank you
Isabella.

4

(3 replies, posted in wolfSSL)

Hello, I changed my cipher list and the connection works. A question: where can I find complete documentation on how to use the STATIC_MEMORY define?

5

(3 replies, posted in wolfSSL)

Hello, I'm new to wolfSSL.
I followed the client example.
This is my sequence of instructions (taken from the client example):

****************
wolfSSL_Init();
if (wc_LoadStaticMemory(&heap, memory, sizeof(memory), WOLFMEM_GENERAL, 1)
        != 0) {
    err_sys("unable to load static memory");
}
method = wolfTLSv1_2_client_method_ex;
ctx = wolfSSL_CTX_new_ex(method(heap), heap);
if (wolfSSL_CTX_load_static_memory(&ctx, NULL, memoryIO, sizeof(memoryIO),
        WOLFMEM_IO_POOL_FIXED | WOLFMEM_TRACK_STATS, 1) != WOLFSSL_SUCCESS) {
    err_sys("unable to load static memory");
}
if (wolfSSL_CTX_SetMinDhKey_Sz(ctx, (word16)minDhKeyBits) != WOLFSSL_SUCCESS) {
    err_sys("Error setting minimum DH key size");
}
const char* staticCipherList = "AES128-SHA:ECDH-ECDSA-AES128-SHA";
if (wolfSSL_CTX_set_cipher_list(ctx, staticCipherList) != WOLFSSL_SUCCESS) {
    wolfSSL_CTX_free(ctx); ctx = NULL;
    err_sys("client can't set cipher list 3");
}
if (wolfSSL_CTX_use_certificate_chain_file_format(ctx, ourCert, fileFormat)
        != WOLFSSL_SUCCESS) {
    wolfSSL_CTX_free(ctx); ctx = NULL;
    err_sys("can't load client cert file, check file and run from"
            " wolfSSL home dir");
}
if (wolfSSL_CTX_use_PrivateKey_file(ctx, ourKey, fileFormat) != WOLFSSL_SUCCESS) {
    wolfSSL_CTX_free(ctx); ctx = NULL;
    err_sys("can't load client private key file, check file and run "
            "from wolfSSL home dir");
}
if (wolfSSL_CTX_load_verify_locations_ex(ctx, verifyCert, 0, verify_flags)
        != WOLFSSL_SUCCESS) {
    wolfSSL_CTX_free(ctx); ctx = NULL;
    err_sys("can't load ca file, Please run from wolfSSL home dir");
}
if (wolfSSL_CTX_get_read_ahead(ctx) != 0) {
    wolfSSL_CTX_free(ctx); ctx = NULL;
    err_sys("bad read ahead default value");
}
if (wolfSSL_CTX_set_read_ahead(ctx, 1) != WOLFSSL_SUCCESS) {
    wolfSSL_CTX_free(ctx); ctx = NULL;
    err_sys("error setting read ahead value");
}

ssl = wolfSSL_new(ctx);
if (ssl == NULL) {
    wolfSSL_CTX_free(ctx); ctx = NULL;
    err_sys("unable to get SSL object");
}
if (wolfSSL_CTX_UseSNI(ctx, WOLFSSL_SNI_HOST_NAME, sniHostName,
        (word16)XSTRLEN(sniHostName)) != WOLFSSL_SUCCESS) {
    wolfSSL_CTX_free(ctx);
    ctx = NULL;
}
wolfSSL_KeepArrays(ssl);
wolfSSL_NoKeyShares(ssl);
if (wolfSSL_UseSecureRenegotiation(ssl) != WOLFSSL_SUCCESS) {
    wolfSSL_free(ssl); ssl = NULL;
    CloseSocket(sockfd);
    wolfSSL_CTX_free(ctx); ctx = NULL;
    err_sys("can't enable secure renegotiation");
}
tcp_set_nonblocking(&sockfd);
ret = NonBlockingSSL_Connect(ssl);
*******************************************************
but ret = -1 with error = -188.

This is the trace:
wolfSSL Entering wolfSSL_Init
wolfSSL Entering wolfCrypt_Init
RNG_HEALTH_TEST_CHECK_SIZE = 128
sizeof(seedB_data)         = 128
static memory management size = 16
wolfSSL Entering wolfSSL_StaticBufferSz_ex
wolfSSL Leaving wolfSSL_StaticBufferSz_ex, return 319964
calculated optimum general buffer size = 319964
wolfSSL Entering wolfSSL_StaticBufferSz_ex
wolfSSL Leaving wolfSSL_StaticBufferSz_ex, return 34024
calculated optimum IO buffer size      = 34024
wolfSSL Entering wc_LoadStaticMemory
wolfSSL Entering wc_LoadStaticMemory_ex
wolfSSL Entering wc_partition_static_memory
wolfSSL Leaving wc_LoadStaticMemory, return 0
wolfSSL Entering TLSv1_2_client_method_ex
wolfSSL Entering wolfSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
heap param = 008B1130
DYNAMIC_TYPE_CERT_MANAGER Allocating = 124 bytes
wolfSSL Leaving wolfSSL_CTX_new_ex, return 0
wolfSSL Entering wc_LoadStaticMemory
wolfSSL Entering wc_LoadStaticMemory_ex
wolfSSL Entering wc_partition_static_memory
wolfSSL Leaving wc_LoadStaticMemory, return 0
wolfSSL Entering wolfSSL_CTX_set_default_passwd_cb
wolfSSL Entering wolfSSL_CTX_set_cipher_list
Warning suites->suiteSz = 0 set to WOLFSSL_MAX_SUITE_SZ
wolfSSL Entering wolfSSL_CTX_use_certificate_chain_file_format
wolfSSL Entering ProcessBuffer
wolfSSL Entering PemToDer
wolfSSL Entering ProcessUserChain
Already consumed data
wolfSSL Leaving ProcessUserChain, return 0
Checking cert signature type
Getting Cert Name
wolfSSL Entering wolfSSL_X509_NAME_new_ex
wolfSSL Entering wolfSSL_X509_NAME_add_entry_by_NID
Found place for name entry
wolfSSL Entering wolfSSL_X509_NAME_ENTRY_free
wolfSSL Entering wolfSSL_X509_NAME_add_entry_by_NID
Found place for name entry
wolfSSL Entering wolfSSL_X509_NAME_ENTRY_free
wolfSSL Entering wolfSSL_X509_NAME_add_entry_by_NID
Found place for name entry
wolfSSL Entering wolfSSL_X509_NAME_ENTRY_free
wolfSSL Entering wolfSSL_X509_NAME_add_entry_by_NID
Found place for name entry
wolfSSL Entering wolfSSL_X509_NAME_ENTRY_free
wolfSSL Entering wolfSSL_X509_NAME_add_entry_by_NID
Found place for name entry
wolfSSL Entering wolfSSL_X509_NAME_ENTRY_free
wolfSSL Entering wolfSSL_X509_NAME_add_entry_by_NID
Found place for name entry
wolfSSL Entering wolfSSL_X509_NAME_ENTRY_free
Unknown encoding type, default UTF8
wolfSSL Entering wolfSSL_X509_NAME_add_entry_by_NID
Found place for name entry
wolfSSL Entering wolfSSL_X509_NAME_ENTRY_free
Getting Cert Name
wolfSSL Entering wolfSSL_X509_NAME_new_ex
wolfSSL Entering wolfSSL_X509_NAME_add_entry_by_NID
Found place for name entry
wolfSSL Entering wolfSSL_X509_NAME_ENTRY_free
wolfSSL Entering wolfSSL_X509_NAME_add_entry_by_NID
Found place for name entry
wolfSSL Entering wolfSSL_X509_NAME_ENTRY_free
wolfSSL Entering wolfSSL_X509_NAME_add_entry_by_NID
Found place for name entry
wolfSSL Entering wolfSSL_X509_NAME_ENTRY_free
wolfSSL Entering wolfSSL_X509_NAME_add_entry_by_NID
Found place for name entry
wolfSSL Entering wolfSSL_X509_NAME_ENTRY_free
wolfSSL Entering wolfSSL_X509_NAME_add_entry_by_NID
Found place for name entry
wolfSSL Entering wolfSSL_X509_NAME_ENTRY_free
wolfSSL Entering wolfSSL_X509_NAME_add_entry_by_NID
Found place for name entry
wolfSSL Entering wolfSSL_X509_NAME_ENTRY_free
Unknown encoding type, default UTF8
wolfSSL Entering wolfSSL_X509_NAME_add_entry_by_NID
Found place for name entry
wolfSSL Entering wolfSSL_X509_NAME_ENTRY_free
wolfSSL Entering GetAlgoId
Cert signature not supported
wolfSSL Entering wolfSSL_X509_NAME_free
wolfSSL Entering wolfSSL_X509_NAME_free
wolfSSL Leaving ProcessBuffer, return 1
wolfSSL Entering wolfSSL_CTX_use_PrivateKey_file
wolfSSL Entering ProcessBuffer
wolfSSL Entering PemToDer
wolfSSL Leaving ProcessBuffer, return 1
wolfSSL Entering wolfSSL_CTX_set_verify
Before creating SSL
wolfSSL Entering wolfSSL_CTX_is_static_memory
Total mallocs   = 13
Total frees     = 4
Current mallocs = 9
Available IO    = 2
Max con. handshakes  = 1
Max con. IO          = 1
State of memory blocks: size   : available
                      : 64       : 146
                      : 128      : 30
                      : 256      : 18
                      : 512      : 39
                      : 1024     : 16
                      : 2432     : 19
                      : 3456     : 36
                      : 4544     : 4
                      : 16128    : 4
wolfSSL Entering wolfSSL_new
Setting fixed IO for SSL
Setting fixed IO for SSL
wolfSSL Entering ReinitSSL
RNG_HEALTH_TEST_CHECK_SIZE = 128
sizeof(seedB_data)         = 128
wolfSSL Entering SetSSL_CTX
wolfSSL Entering wolfSSL_NewSession
InitSSL done. return 0 (success)
wolfSSL_new InitSSL success
wolfSSL Leaving wolfSSL_new InitSSL =, return 0
After creating SSL
wolfSSL Entering wolfSSL_CTX_is_static_memory
Total mallocs   = 26
Total frees     = 4
Current mallocs = 22
Available IO    = 0
Max con. handshakes  = 1
Max con. IO          = 1
State of memory blocks: size   : available
                      : 64       : 140
                      : 128      : 29
                      : 256      : 16
                      : 512      : 37
                      : 1024     : 16
                      : 2432     : 18
                      : 3456     : 36
                      : 4544     : 4
                      : 16128    : 3
wolfSSL Entering wolfSSL_set_fd
wolfSSL Entering wolfSSL_set_read_fd
wolfSSL Leaving wolfSSL_set_read_fd, return 1
wolfSSL Entering wolfSSL_set_write_fd
wolfSSL Leaving wolfSSL_set_write_fd, return 1
TLS 1.2 or lower
wolfSSL Entering wolfSSL_connect
wolfSSL Entering ReinitSSL
wolfSSL Entering RetrySendAlert
wolfSSL Entering SendClientHello
Adding signature algorithms extension
growing output buffer
Signature Algorithms extension to write
Point Formats extension to write
Supported Groups extension to write
SNI extension to write
EMS extension to write
Shrinking output buffer
wolfSSL Leaving SendClientHello, return 0
connect state: CLIENT_HELLO_SENT
Server state up to needed state.
Progressing server state...
ProcessReply...
wolfSSL Entering RetrySendAlert
Embed Receive error
        Would block
wolfSSL error occurred, error = -323
wolfSSL Entering wolfSSL_get_error
wolfSSL Leaving wolfSSL_get_error, return -323
wolfSSL Entering wolfSSL_get_fd
wolfSSL Leaving wolfSSL_get_fd, return 640
... client would read block
TLS 1.2 or lower
wolfSSL Entering wolfSSL_connect
wolfSSL Entering ReinitSSL
wolfSSL Entering RetrySendAlert
Server state up to needed state.
Progressing server state...
ProcessReply...
wolfSSL Entering RetrySendAlert
growing input buffer
received record layer msg
got HANDSHAKE
wolfSSL Entering DoHandShakeMsg
wolfSSL Entering EarlySanityCheckMsgReceived
wolfSSL Leaving EarlySanityCheckMsgReceived, return 0
wolfSSL Entering DoHandShakeMsgType
processing server hello
wolfSSL Entering DoServerHello
Extended Master Secret extension received
wolfSSL Entering wolfSSL_get_options
wolfSSL Entering wolfSSL_get_options
wolfSSL Entering VerifyClientSuite
wolfSSL Leaving DoServerHello, return 0
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
Shrinking input buffer
ProcessReply done.
Progressing server state...
ProcessReply...
wolfSSL Entering RetrySendAlert
growing input buffer
received record layer msg
got HANDSHAKE
wolfSSL Entering DoHandShakeMsg
wolfSSL Entering EarlySanityCheckMsgReceived
wolfSSL Leaving EarlySanityCheckMsgReceived, return 0
wolfSSL Entering DoHandShakeMsgType
processing certificate
wolfSSL Entering DoCertificate
wolfSSL Entering ProcessPeerCerts
Loading peer's cert chain
        Put another cert into chain
Getting Cert Name
wolfSSL Entering wolfSSL_X509_NAME_new_ex
wolfSSL Entering wolfSSL_X509_NAME_add_entry_by_NID
Found place for name entry
wolfSSL Entering wolfSSL_X509_NAME_ENTRY_free
wolfSSL Entering wolfSSL_X509_NAME_add_entry_by_NID
Found place for name entry
wolfSSL Entering wolfSSL_X509_NAME_ENTRY_free
wolfSSL Entering wolfSSL_X509_NAME_add_entry_by_NID
Found place for name entry
wolfSSL Entering wolfSSL_X509_NAME_ENTRY_free
Getting Cert Name
wolfSSL Entering wolfSSL_X509_NAME_new_ex
wolfSSL Entering wolfSSL_X509_NAME_add_entry_by_NID
Found place for name entry
wolfSSL Entering wolfSSL_X509_NAME_ENTRY_free
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering DecodeAltNames
Certificate Policy extension not supported.
wolfSSL Entering wolfSSL_X509_NAME_free
wolfSSL Entering wolfSSL_X509_NAME_free
Verifying Peer's cert
Getting Cert Name
wolfSSL Entering wolfSSL_X509_NAME_new_ex
wolfSSL Entering wolfSSL_X509_NAME_add_entry_by_NID
Found place for name entry
wolfSSL Entering wolfSSL_X509_NAME_ENTRY_free
wolfSSL Entering wolfSSL_X509_NAME_add_entry_by_NID
Found place for name entry
wolfSSL Entering wolfSSL_X509_NAME_ENTRY_free
wolfSSL Entering wolfSSL_X509_NAME_add_entry_by_NID
Found place for name entry
wolfSSL Entering wolfSSL_X509_NAME_ENTRY_free
Getting Cert Name
wolfSSL Entering wolfSSL_X509_NAME_new_ex
wolfSSL Entering wolfSSL_X509_NAME_add_entry_by_NID
Found place for name entry
wolfSSL Entering wolfSSL_X509_NAME_ENTRY_free
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering DecodeAltNames
Certificate Policy extension not supported.
No CA signer to verify with
Failed to verify Peer's cert
        Callback override available, will continue
wolfSSL Entering wolfSSL_X509_set_issuer_name
wolfSSL Entering wolfSSL_X509_NAME_copy
wolfSSL Entering wolfSSL_X509_set_subject_name
wolfSSL Entering wolfSSL_X509_NAME_copy
wolfSSL Entering wolfSSL_X509_STORE_CTX_new_ex
wolfSSL Entering wolfSSL_X509_STORE_CTX_init
wolfSSL Entering wolfSSL_X509_set_issuer_name
wolfSSL Entering wolfSSL_X509_NAME_copy
wolfSSL Entering wolfSSL_X509_set_subject_name
wolfSSL Entering wolfSSL_X509_NAME_copy
Unable to copy to ssl->peerCert
wolfSSL Entering wolfSSL_ERR_error_string
In verification callback, error = -188, certificate verify failed
wolfSSL Entering wolfSSL_X509_get_issuer_name
wolfSSL Entering wolfSSL_X509_NAME_oneline
Using static memory -- please pass in a buffer
wolfSSL Entering wolfSSL_X509_get_subject_name
wolfSSL Entering wolfSSL_X509_NAME_oneline
Using static memory -- please pass in a buffer
        Peer's cert info:
issuer : [none]
subject: [none]
        Subject's domain name at 0 is xxxxxxx

Please, what am I doing wrong?
From the Ethernet traffic, I see that I send Client Hello; after that I receive Server Hello, Certificate, Certificate Request, Server Hello Done, but I reply with Unknown CA.
Thank you

Isabella
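The trace in this post ("No CA signer to verify with", verify callback error -188) and the --enable-altcertchains question in the first post both come down to the same pre-check: does the issuer name of some certificate in the chain the server sent match the subject name of a CA that was actually loaded into the CTX? The following script is an added example, not wolfSSL code and not from the original thread. It pulls issuer and subject out of DER/PEM certificates with a minimal ASN.1 walker and then runs the chain-linkage check in two modes: the default, where the topmost certificate the server sends must itself be issued by a loaded CA, and an approximation of WOLFSSL_ALT_CERT_CHAINS, where only the leaf has to reach a loaded CA and anything above that point (for example a cross-signed copy of the root whose issuer is not loaded) is ignored. Names are compared as raw DER bytes, a simplification of RFC 5280 name matching, and no signatures are checked; the sample certificates (`fake_cert`, CNs such as "Example Root CA") are constructed, unsigned placeholders that exist only to exercise the name logic. Function names, the sample CNs and the cross-sign scenario are this example's own assumptions, not something the posts state about the user's actual AWS chain.

```python
import base64
import re

# --- minimal DER (TLV) reader: just enough to pull issuer/subject out of a cert ---
def der_tlv(b, i):
    """Parse one TLV at b[i]; return (tag, value_start, value_end)."""
    tag, first = b[i], b[i + 1]
    if first < 0x80:                         # short-form length
        return tag, i + 2, i + 2 + first
    n = first & 0x7F                         # long form: n length octets follow
    length = int.from_bytes(b[i + 2:i + 2 + n], "big")
    return tag, i + 2 + n, i + 2 + n + length

def der_children(b, start, end):
    """Yield (tag, whole_tlv_bytes) for the consecutive TLVs in b[start:end]."""
    i = start
    while i < end:
        tag, _, vend = der_tlv(b, i)
        yield tag, b[i:vend]
        i = vend

def cert_names(cert_der):
    """Return (issuer_der, subject_der) of an X.509 Certificate (RFC 5280 layout)."""
    _, cert_vs, _ = der_tlv(cert_der, 0)             # Certificate ::= SEQUENCE
    _, tbs_vs, tbs_ve = der_tlv(cert_der, cert_vs)   # tbsCertificate ::= SEQUENCE
    fields = list(der_children(cert_der, tbs_vs, tbs_ve))
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1], fields[4][1]

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der_list(pem_bytes):
    """Split a PEM bundle (what load_verify_locations reads) into DER certs."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(pem_bytes)]

def find_signer(peer_chain, trusted, alt_chains=False):
    """peer_chain: DER certs leaf-first, as the server sends them.
    trusted: DER CA certs loaded into the CTX. Returns (ok, detail)."""
    trusted_subjects = {cert_names(c)[1] for c in trusted}
    names = [cert_names(c) for c in peer_chain]
    if alt_chains:
        # WOLFSSL_ALT_CERT_CHAINS approximation: only the leaf must reach a loaded CA.
        idx = 0
        while True:
            issuer, _ = names[idx]
            if issuer in trusted_subjects:
                return True, f"cert {idx} issued by a loaded CA"
            nxt = next((j for j in range(idx + 1, len(names)) if names[j][1] == issuer), None)
            if nxt is None:
                return False, f"no CA signer to verify cert {idx} with"
            idx = nxt
    # default mode: top-down, every cert incl. the topmost one sent must be issued by
    # a loaded CA or by a chain cert that was itself just verified
    verified = set(trusted_subjects)
    for idx in range(len(names) - 1, -1, -1):
        issuer, subject = names[idx]
        if issuer not in verified:
            return False, f"no CA signer to verify cert {idx} with"
        verified.add(subject)
    return True, "whole chain verified to a loaded CA"

# --- constructed, unsigned test certificates: only issuer/subject are meaningful ---
def der_encode(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def name_cn(cn):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID commonName, PrintableString }"""
    atv = der_encode(0x30, der_encode(0x06, bytes.fromhex("550403")) + der_encode(0x13, cn.encode()))
    return der_encode(0x30, der_encode(0x31, atv))

def fake_cert(subject_cn, issuer_cn):
    """Placeholder certificate with an empty signature; never use outside tests."""
    alg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2A864886F70D01010B")) + b"\x05\x00")
    validity = der_encode(0x30, der_encode(0x17, b"240101000000Z") + der_encode(0x17, b"340101000000Z"))
    spki = der_encode(0x30, der_encode(0x30, der_encode(0x06, bytes.fromhex("2A864886F70D010101"))
                      + b"\x05\x00") + der_encode(0x03, b"\x00"))
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01")
                     + alg + name_cn(issuer_cn) + validity + name_cn(subject_cn) + spki)
    return der_encode(0x30, tbs + alg + der_encode(0x03, b"\x00"))

def to_pem(der):
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    root = fake_cert("Example Root CA", "Example Root CA")
    inter = fake_cert("Example Intermediate CA", "Example Root CA")
    cross = fake_cert("Example Root CA", "Legacy Cross-Sign CA")   # cross-signed root copy
    leaf = fake_cert("server.example.test", "Example Intermediate CA")
    chain = pem_to_der_list(to_pem(leaf) + to_pem(inter) + to_pem(cross))
    for alt in (False, True):
        print("alt_chains=%s:" % alt, find_signer(chain, [root], alt_chains=alt))
```

Run against the real files by replacing `fake_cert` with `pem_to_der_list(open("ca.pem","rb").read())` for the trusted set and the chain captured from the wire (leaf first). If both modes fail, the loaded CA simply is not the issuer of anything the server sent and the alt-chains define will not help; if only the default mode fails, the topmost certificate in the chain is the problem, which is the situation --enable-altcertchains is meant for.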