1 (edited by earlenceferns 2016-07-13 13:40:51)

Topic: Bad Cert Status Message Error

I'm testing out some OCSP code with mozilla.org
I've loaded up the Mozilla CA cert (DigiCert_High_Assurance_EV_Root_CA.pem)

Based on what my browser tells me, the chain for mozilla.org looks like:

GTE Cyber Trust Global Root -> Baltimore Cyber Trust Root -> Digi Cert High Assurance Root -> Digi Cert SHA2 Extended Validation Server CA -> mozilla.org

(1) if I try with the GTE root, I get this error msg:
wolfSSL Entering WOLFSSL_CTX_new
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering wolfSSL_CTX_set_verify
wolfSSL Entering wolfSSL_CTX_load_verify_locations
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
Connected to mozilla.org:443!
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
wolfSSL Entering SSL_set_fd
wolfSSL Leaving SSL_set_fd, return 1
wolfSSL Entering wolfSSL_CTX_EnableOCSP
wolfSSL Entering wolfSSL_CertManagerEnableOCSP
wolfSSL Entering InitOCSP
wolfSSL Entering wolfSSL_CTX_EnableOCSPStapling
wolfSSL Entering wolfSSL_CertManagerEnableOCSPStapling
wolfSSL Entering InitOCSP
wolfSSL Entering SSL_connect()
growing output buffer

Shrinking output buffer

connect state: CLIENT_HELLO_SENT
growing input buffer

received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server hello
Certificate Status Request extension received
wolfSSL Entering VerifyClientSuite
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
growing input buffer

received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing certificate
Loading peer's cert chain
    Put another cert into chain
    Put another cert into chain
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Certificate Policy extension not supported yet.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
    There are more CRL Distribution Point records, but we only use the first one.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
About to verify certificate signature
No CA signer to verify with
Failed to verify CA from chain
Verifying Peer's cert
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAltNames
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
    There are more CRL Distribution Point records, but we only use the first one.
wolfSSL Entering GetObjectId()
Certificate Policy extension not supported yet.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
About to verify certificate signature
No CA signer to verify with
Failed to verify Peer's cert


(2) However, when I place DigiCert as the CA file, I get:

contacting mozilla.org
wolfSSL Entering WOLFSSL_CTX_new
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering wolfSSL_CTX_set_verify
wolfSSL Entering wolfSSL_CTX_load_verify_locations
Getting dynamic buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
Connected to mozilla.org:443!
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
wolfSSL Entering SSL_set_fd
wolfSSL Leaving SSL_set_fd, return 1
wolfSSL Entering wolfSSL_CTX_EnableOCSP
wolfSSL Entering wolfSSL_CertManagerEnableOCSP
wolfSSL Entering InitOCSP
wolfSSL Entering wolfSSL_CTX_EnableOCSPStapling
wolfSSL Entering wolfSSL_CertManagerEnableOCSPStapling
wolfSSL Entering InitOCSP
wolfSSL Entering SSL_connect()
growing output buffer

Shrinking output buffer

connect state: CLIENT_HELLO_SENT
growing input buffer

received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server hello
Certificate Status Request extension received
wolfSSL Entering VerifyClientSuite
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
growing input buffer

received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing certificate
Loading peer's cert chain
    Put another cert into chain
    Put another cert into chain
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Certificate Policy extension not supported yet.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
    There are more CRL Distribution Point records, but we only use the first one.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
About to verify certificate signature
Adding CA from chain
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Certificate Policy extension not supported yet.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
    There are more CRL Distribution Point records, but we only use the first one.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return 0
Verifying Peer's cert
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAltNames
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeCrlDist
    There are more CRL Distribution Point records, but we only use the first one.
wolfSSL Entering GetObjectId()
Certificate Policy extension not supported yet.
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
About to verify certificate signature
Verified Peer's cert
wolfSSL Entering InitOcspRequest
----------- date_override_cb -------------
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing certificate status
wolfSSL Entering InitOcspResponse
wolfSSL Entering OcspResponseDecode
wolfSSL Entering GetEnumerated
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicOcspResponse
wolfSSL Entering DecodeResponseData
wolfSSL Entering GetBasicDate
wolfSSL Entering DecodeSingleResponse
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    OCSP Confirm signature failed
thisDate
    32 30 31 36 30 37 30 37 30 32 30 31 30 30 5a 00 | 20160707020100Z.
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
nextDate
    32 30 31 36 30 37 31 34 30 31 31 36 30 30 5a 00 | 20160714011600Z.
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
growing output buffer

Shrinking output buffer

wolfSSL Leaving DoHandShakeMsgType(), return -406
wolfSSL Leaving DoHandShakeMsg(), return -406
wolfSSL error occurred, error = -406
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -406
wolfSSL Entering ERR_error_string
SSL handshake error: Bad Certificate Status Message Error
wolfSSL Entering SSL_CTX_free
CTX ref count not 0 yet, no free
wolfSSL Leaving SSL_CTX_free, return 0
wolfSSL Entering wolfSSL_Cleanup


Why does this happen? And why does this OCSP signature failed error come in the second case??

Share

Re: Bad Cert Status Message Error

Hi earlenceferns,

A fix for this issue is in progress in:

https://github.com/wolfSSL/wolfssl/pull/487

[ ]'s
Moisés

Share