1 (edited by Vanger 2015-03-09 12:31:42)

Topic: [SOLVED] Equifax Certificate

Hey, so I saw your guys' library on mbed while looking for an SSL implementation and thought I would try it out. The settings for the mbed platform versus a standard OS were a little confusing to figure out, but I think I've gotten them all figured out at this point.
I'm working with IoT solutions, and am currently trying to get a device to make an SSL connection to a server, but for some reason the root certificate from Equifax keeps giving error 188.
The cert path is:
Equifax > GeoTrust Global CA > GeoTrust SSL CA > nucleus-connect.axeda.com

From the basic mbed #define settings in settings.h I undefined the CMSIS_RTOS as I'm not using an RTOS; I defined SINGLE_THREADED as I'm not using a multi-threaded board (using the NucleoF401RE). I had to define USER_TIME and implement a time function for XTIME.

The client connects to the server and pulls down the certificates from the website (for some reason it pulls down 12 instead of the expected 3?), but when it goes through the certificate verifications it fails even though I'm pretty sure I included the correct CA certificate.

I'll attach the certificates I've tried as well as the log file from the connect session.

[HTTPClient : DBG]SSLver=3
CyaSSL Entering CYASSL_CTX_new
CyaSSL Entering CyaSSL_CertManagerNew
CyaSSL Leaving CYASSL_CTX_new, return 0
[HTTPClient : DBG]SSL connection set to verify peer and fail if no peer certificates available
CyaSSL Entering CyaSSL_CTX_set_verify
CyaSSL Entering CyaSSL_CTX_load_verify_buffer
Processing CA PEM file
Adding a CA
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeBasicCaConstraint
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeAuthKeyId
CyaSSL Entering GetAlgoId
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
CyaSSL Leaving AddCA, return 0
   Processed a CA
Adding a CA
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeKeyUsage
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeAuthKeyId
CyaSSL Entering DecodeBasicCaConstraint
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeAuthInfo
CyaSSL Entering GetAlgoId
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
CyaSSL Leaving AddCA, return 0
   Processed a CA
Adding a CA
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeAuthKeyId
CyaSSL Entering DecodeKeyUsage
CyaSSL Entering DecodeExtKeyUsage
CyaSSL Entering DecodeAltNames
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeBasicCaConstraint
CyaSSL Entering DecodeAuthInfo
Certificate Policy extension not supported yet.
CyaSSL Entering GetAlgoId
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
CyaSSL Leaving AddCA, return 0
   Processed a CA
CyaSSL Entering SSL_new
CyaSSL Leaving SSL_new, return 0
[HTTPClient : DBG]ctx=20002330, ssl=20002b98, ssl->ctx->CBIORecv, CBIOSend=80164f1, 801618d

CyaSSL Entering SSL_connect()
growing output buffer

Shrinking output buffer

connect state: CLIENT_HELLO_SENT
growing input buffer

received record layer msg
CyaSSL Entering DoHandShakeMsg()
CyaSSL Entering DoHandShakeMsgType
processing server hello
CyaSSL Entering VerifyClientSuite
CyaSSL Leaving DoHandShakeMsgType(), return 0
CyaSSL Leaving DoHandShakeMsg(), return 0
growing input buffer

received record layer msg
CyaSSL Entering DoHandShakeMsg()
CyaSSL Entering DoHandShakeMsgType
processing certificate
Loading peer's cert chain
    Put another cert into chain
    Put another cert into chain
    Put another cert into chain
    Put another cert into chain
    Put another cert into chain
    Put another cert into chain
    Put another cert into chain
    Put another cert into chain
    Put another cert into chain
    Put another cert into chain
    Put another cert into chain
    Put another cert into chain
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeKeyUsage
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeAuthKeyId
CyaSSL Entering DecodeBasicCaConstraint
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeAuthInfo
CyaSSL Entering GetAlgoId
About to verify certificate signature
Verified CA from chain and already had it
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeBasicCaConstraint
Certificate Policy extension not supported yet.
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeKeyUsage
CyaSSL Entering DecodeAltNames
    Unsupported name type, skipping
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeAuthKeyId
    info: OPTIONAL item 0, not available

CyaSSL Entering GetAlgoId
About to verify certificate signature
No CA signer to verify with
Failed to verify CA from chain
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeBasicCaConstraint
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeKeyUsage
Certificate Policy extension not supported yet.
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeAuthInfo
CyaSSL Entering DecodeExtKeyUsage
CyaSSL Entering GetAlgoId
About to verify certificate signature
No CA signer to verify with
Failed to verify CA from chain
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeBasicCaConstraint
Certificate Policy extension not supported yet.
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeKeyUsage
CyaSSL Entering DecodeAltNames
    Unsupported name type, skipping
CyaSSL Entering DecodeAuthKeyId
CyaSSL Entering DecodeAuthInfo
CyaSSL Entering DecodeExtKeyUsage
CyaSSL Entering GetAlgoId
About to verify certificate signature
No CA signer to verify with
Failed to verify CA from chain
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeBasicCaConstraint
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeKeyUsage
Certificate Policy extension not supported yet.
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeAuthInfo
CyaSSL Entering DecodeExtKeyUsage
CyaSSL Entering GetAlgoId
About to verify certificate signature
No CA signer to verify with
Failed to verify CA from chain
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeBasicCaConstraint
Certificate Policy extension not supported yet.
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeKeyUsage
CyaSSL Entering DecodeAltNames
    Unsupported name type, skipping
CyaSSL Entering DecodeAuthInfo
CyaSSL Entering DecodeAuthKeyId
CyaSSL Entering GetAlgoId
About to verify certificate signature
No CA signer to verify with
Failed to verify CA from chain
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeBasicCaConstraint
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeKeyUsage
Certificate Policy extension not supported yet.
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeAuthInfo
CyaSSL Entering DecodeExtKeyUsage
CyaSSL Entering GetAlgoId
About to verify certificate signature
No CA signer to verify with
Failed to verify CA from chain
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeBasicCaConstraint
CyaSSL Entering DecodeKeyUsage
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering GetAlgoId
About to verify certificate signature
No CA signer to verify with
Failed to verify CA from chain
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeBasicCaConstraint
Certificate Policy extension not supported yet.
CyaSSL Entering DecodeKeyUsage
CyaSSL Entering DecodeExtKeyUsage
CyaSSL Entering DecodeAuthInfo
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeAltNames
    Unsupported name type, skipping
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeAuthKeyId
CyaSSL Entering GetAlgoId
About to verify certificate signature
No CA signer to verify with
Failed to verify CA from chain
CyaSSL Entering GetExplicitVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering GetAlgoId
About to verify certificate signature
No CA signer to verify with
Failed to verify CA from chain
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeBasicCaConstraint
Certificate Policy extension not supported yet.
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeKeyUsage
CyaSSL Entering DecodeAltNames
    Unsupported name type, skipping
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeAuthKeyId
    info: OPTIONAL item 0, not available

CyaSSL Entering GetAlgoId
About to verify certificate signature
No CA signer to verify with
Failed to verify CA from chain
Verifying Peer's cert
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeAuthKeyId
CyaSSL Entering DecodeKeyUsage
CyaSSL Entering DecodeExtKeyUsage
CyaSSL Entering DecodeAltNames
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeBasicCaConstraint
CyaSSL Entering DecodeAuthInfo
Certificate Policy extension not supported yet.
CyaSSL Entering GetAlgoId
About to verify certificate signature
Verified Peer's cert
growing output buffer

Shrinking output buffer

CyaSSL Leaving DoHandShakeMsgType(), return -188
CyaSSL Leaving DoHandShakeMsg(), return -188
CyaSSL error occured, error = -188
[HTTPClient : ERR]SSL_connect failed
CyaSSL Entering SSL_get_error
CyaSSL Leaving SSL_get_error, return -188
CyaSSL Entering ERR_error_string
Failed to get error code [-188], Reason: [ASN no signer error to confirm failure]
CyaSSL Entering SSL_free
CTX ref count not 0 yet, no free
Shrinking input buffer

CyaSSL Leaving SSL_free, return 0
CyaSSL Entering SSL_CTX_free
CTX ref count down to 0, doing full free
CyaSSL Entering CyaSSL_CertManagerFree
CyaSSL Leaving SSL_CTX_free, return 0
CyaSSL Entering CyaSSL_Cleanup
Post's attachments

Downloads.zip 6 kb, 3 downloads since 2015-01-16 
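
A small triage helper for traces like the one above, added here as an example (it is not part of the original post or of the CyaSSL project): it counts the CAs loaded, the certificates the server sent, and how each chain certificate fared. The message strings are copied from the posted trace; the function names and the two short sample traces are constructed for illustration.

```python
import re
from collections import Counter

# Message strings copied from the CyaSSL debug trace posted above.
REASONS = {
    "No CA signer to verify with": "no_signer",
    "Confirm signature failed": "bad_signature",
}
ERROR_RE = re.compile(r"CyaSSL error occured, error = (-?\d+)")


def summarize_trace(text):
    """Walk a CyaSSL debug trace and record what happened to each certificate."""
    s = {"cas_offered": 0, "cas_duplicate": 0, "chain_len": 0,
         "chain": [], "peer": None, "error": None}
    reason = None  # last failure reason logged for the cert being checked
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Adding a CA":
            s["cas_offered"] += 1
        elif line == "Already have this CA, not adding again":
            s["cas_duplicate"] += 1
        elif line == "Put another cert into chain":
            s["chain_len"] += 1
        elif line == "About to verify certificate signature":
            reason = None  # a new signature check starts here
        elif line in REASONS:
            reason = REASONS[line]
        elif line == "Verified CA from chain and already had it":
            s["chain"].append("already_trusted")
        elif line == "Failed to verify CA from chain":
            s["chain"].append(reason or "unknown")
        elif line == "Verified Peer's cert":
            s["peer"] = "verified"
        elif line == "Failed to verify Peer's cert":
            s["peer"] = reason or "unknown"
        else:
            m = ERROR_RE.search(line)
            if m:
                s["error"] = int(m.group(1))
    s["cas_unique"] = s["cas_offered"] - s["cas_duplicate"]
    return s


def report(s):
    """One-line summary suitable for pasting into a bug report."""
    c = Counter(s["chain"])
    return ("CAs loaded: {} unique ({} duplicate); server sent {} certs; "
            "chain CAs: {} already trusted, {} without a signer, "
            "{} bad signature; peer: {}; error: {}").format(
                s["cas_unique"], s["cas_duplicate"], s["chain_len"],
                c["already_trusted"], c["no_signer"], c["bad_signature"],
                s["peer"], s["error"])


# Constructed, shortened trace in the shape of the -188 session above.
SAMPLE_NO_SIGNER = """\
Processing CA PEM file
Adding a CA
    Parsed new CA
   Processed a CA
Adding a CA
    Parsed new CA
    Already have this CA, not adding again
   Processed a CA
Loading peer's cert chain
    Put another cert into chain
    Put another cert into chain
    Put another cert into chain
    Put another cert into chain
About to verify certificate signature
Verified CA from chain and already had it
About to verify certificate signature
No CA signer to verify with
Failed to verify CA from chain
About to verify certificate signature
No CA signer to verify with
Failed to verify CA from chain
Verifying Peer's cert
About to verify certificate signature
Verified Peer's cert
CyaSSL error occured, error = -188
"""

# Constructed trace where the signature check itself fails.
SAMPLE_BAD_SIG = """\
Adding a CA
   Processed a CA
Loading peer's cert chain
    Put another cert into chain
    Put another cert into chain
About to verify certificate signature
Rsa SSL verify error
Confirm signature failed
Failed to verify CA from chain
Verifying Peer's cert
About to verify certificate signature
Rsa SSL verify error
Confirm signature failed
Failed to verify Peer's cert
    No callback override available, fatal
CyaSSL error occured, error = -155
"""

if __name__ == "__main__":
    for sample in (SAMPLE_NO_SIGNER, SAMPLE_BAD_SIG):
        print(report(summarize_trace(sample)))
```

Comparing the number of certificates the server sent with the number of unique CAs loaded shows at a glance whether the trust store covers the whole chain.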


Re: [SOLVED] Equifax Certificate

Using the same Equifax certificate with https://www.google.com:443 works for certificate verification, but fails on an error 326: "record layer version error".
Is there something I'm missing for using the certificate properly? Is there a way to check if the server wants a client certificate to verify the client? Are there some settings that would cause this error to occur?


Re: [SOLVED] Equifax Certificate

The certificate chain is actually 12 certs long.  You can use OpenSSL to see that:

openssl s_client -showcerts -connect nucleus-connect.axeda.com:443 -CApath /etc/ssl/certs/

I'm working with Vanger on this issue.  I've gotten past the -188 error after giving the entire chain to the library.  Now I'm getting a -155.  I turned on the logging in the ssl library and have the following trace:

[HTTPClient : DBG]Connecting socket to server
[INFO] Opened TCP Socket [nucleus-connect.axeda.com:443]
[HTTPClient : DBG]SSLver=3
CyaSSL Entering CYASSL_CTX_new
CyaSSL Entering CyaSSL_CertManagerNew
CyaSSL Leaving CYASSL_CTX_new, return 0
CyaSSL Entering CyaSSL_CTX_load_verify_buffer
Processing CA PEM file
Adding a CA
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeAuthKeyId
CyaSSL Entering DecodeKeyUsage
CyaSSL Entering DecodeExtKeyUsage
CyaSSL Entering DecodeAltNames
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeBasicCaConstraint
CyaSSL Entering DecodeAuthInfo
Certificate Policy extension not supported yet.
CyaSSL Entering GetAlgoId
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
CyaSSL Leaving AddCA, return 0
   Processed a CA
Adding a CA
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeBasicCaConstraint
Certificate Policy extension not supported yet.
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeKeyUsage
CyaSSL Entering DecodeAltNames
    Unsupported name type, skipping
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeAuthKeyId
    info: OPTIONAL item 0, not available

CyaSSL Entering GetAlgoId
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
CyaSSL Leaving AddCA, return 0
   Processed a CA
Adding a CA
CyaSSL Entering GetExplicitVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering GetAlgoId
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
CyaSSL Leaving AddCA, return 0
   Processed a CA
Adding a CA
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeBasicCaConstraint
Certificate Policy extension not supported yet.
CyaSSL Entering DecodeKeyUsage
CyaSSL Entering DecodeExtKeyUsage
CyaSSL Entering DecodeAuthInfo
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeAltNames
    Unsupported name type, skipping
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeAuthKeyId
CyaSSL Entering GetAlgoId
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
CyaSSL Leaving AddCA, return 0
   Processed a CA
Adding a CA
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeBasicCaConstraint
CyaSSL Entering DecodeKeyUsage
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering GetAlgoId
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
CyaSSL Leaving AddCA, return 0
   Processed a CA
Adding a CA
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeBasicCaConstraint
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeKeyUsage
Certificate Policy extension not supported yet.
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeAuthInfo
CyaSSL Entering DecodeExtKeyUsage
CyaSSL Entering GetAlgoId
    Parsed new CA
    Already have this CA, not adding again
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
CyaSSL Leaving AddCA, return 0
   Processed a CA
Adding a CA
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeBasicCaConstraint
Certificate Policy extension not supported yet.
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeKeyUsage
CyaSSL Entering DecodeAltNames
    Unsupported name type, skipping
CyaSSL Entering DecodeAuthInfo
CyaSSL Entering DecodeAuthKeyId
CyaSSL Entering GetAlgoId
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
CyaSSL Leaving AddCA, return 0
   Processed a CA
Adding a CA
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeBasicCaConstraint
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeKeyUsage
Certificate Policy extension not supported yet.
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeAuthInfo
CyaSSL Entering DecodeExtKeyUsage
CyaSSL Entering GetAlgoId
    Parsed new CA
    Already have this CA, not adding again
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
CyaSSL Leaving AddCA, return 0
   Processed a CA
Adding a CA
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeBasicCaConstraint
Certificate Policy extension not supported yet.
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeKeyUsage
CyaSSL Entering DecodeAltNames
    Unsupported name type, skipping
CyaSSL Entering DecodeAuthKeyId
CyaSSL Entering DecodeAuthInfo
CyaSSL Entering DecodeExtKeyUsage
CyaSSL Entering GetAlgoId
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
CyaSSL Leaving AddCA, return 0
   Processed a CA
Adding a CA
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeBasicCaConstraint
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeKeyUsage
Certificate Policy extension not supported yet.
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeAuthInfo
CyaSSL Entering DecodeExtKeyUsage
CyaSSL Entering GetAlgoId
    Parsed new CA
    Already have this CA, not adding again
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
CyaSSL Leaving AddCA, return 0
   Processed a CA
Adding a CA
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeBasicCaConstraint
Certificate Policy extension not supported yet.
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeKeyUsage
CyaSSL Entering DecodeAltNames
    Unsupported name type, skipping
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeAuthKeyId
    info: OPTIONAL item 0, not available

CyaSSL Entering GetAlgoId
    Parsed new CA
    Already have this CA, not adding again
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
CyaSSL Leaving AddCA, return 0
   Processed a CA
Adding a CA
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeKeyUsage
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeAuthKeyId
CyaSSL Entering DecodeBasicCaConstraint
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeAuthInfo
CyaSSL Entering GetAlgoId
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
CyaSSL Leaving AddCA, return 0
   Processed a CA
[HTTPClient : DBG]SSL connection set to verify peer if certificates available
CyaSSL Entering CyaSSL_CTX_set_verify
CyaSSL Entering SSL_new
CyaSSL Leaving SSL_new, return 0
[HTTPClient : DBG]ctx=20014e58, ssl=20010668, ssl->ctx->CBIORecv, CBIOSend=801582d, 80157e9

CyaSSL Entering SSL_connect()
growing output buffer

Shrinking output buffer

connect state: CLIENT_HELLO_SENT
growing input buffer

received record layer msg
CyaSSL Entering DoHandShakeMsg()
CyaSSL Entering DoHandShakeMsgType
processing server hello
CyaSSL Entering VerifyClientSuite
CyaSSL Leaving DoHandShakeMsgType(), return 0
CyaSSL Leaving DoHandShakeMsg(), return 0
growing input buffer

received record layer msg
CyaSSL Entering DoHandShakeMsg()
CyaSSL Entering DoHandShakeMsgType
processing certificate
Loading peer's cert chain
    Put another cert into chain
    Put another cert into chain
    Put another cert into chain
    Put another cert into chain
    Put another cert into chain
    Put another cert into chain
    Put another cert into chain
    Put another cert into chain
    Put another cert into chain
    Put another cert into chain
    Put another cert into chain
    Put another cert into chain
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeKeyUsage
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeAuthKeyId
CyaSSL Entering DecodeBasicCaConstraint
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeAuthInfo
CyaSSL Entering GetAlgoId
About to verify certificate signature
No CA signer to verify with
Failed to verify CA from chain
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeBasicCaConstraint
Certificate Policy extension not supported yet.
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeKeyUsage
CyaSSL Entering DecodeAltNames
    Unsupported name type, skipping
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeAuthKeyId
    info: OPTIONAL item 0, not available

CyaSSL Entering GetAlgoId
About to verify certificate signature
No CA signer to verify with
Failed to verify CA from chain
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeBasicCaConstraint
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeKeyUsage
Certificate Policy extension not supported yet.
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeAuthInfo
CyaSSL Entering DecodeExtKeyUsage
CyaSSL Entering GetAlgoId
About to verify certificate signature
No CA signer to verify with
Failed to verify CA from chain
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeBasicCaConstraint
Certificate Policy extension not supported yet.
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeKeyUsage
CyaSSL Entering DecodeAltNames
    Unsupported name type, skipping
CyaSSL Entering DecodeAuthKeyId
CyaSSL Entering DecodeAuthInfo
CyaSSL Entering DecodeExtKeyUsage
CyaSSL Entering GetAlgoId
About to verify certificate signature
Rsa SSL verify error
Confirm signature failed
Failed to verify CA from chain
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeBasicCaConstraint
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeKeyUsage
Certificate Policy extension not supported yet.
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeAuthInfo
CyaSSL Entering DecodeExtKeyUsage
CyaSSL Entering GetAlgoId
About to verify certificate signature
No CA signer to verify with
Failed to verify CA from chain
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeBasicCaConstraint
Certificate Policy extension not supported yet.
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeKeyUsage
CyaSSL Entering DecodeAltNames
    Unsupported name type, skipping
CyaSSL Entering DecodeAuthInfo
CyaSSL Entering DecodeAuthKeyId
CyaSSL Entering GetAlgoId
About to verify certificate signature
Rsa SSL verify error
Confirm signature failed
Failed to verify CA from chain
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeBasicCaConstraint
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeKeyUsage
Certificate Policy extension not supported yet.
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeAuthInfo
CyaSSL Entering DecodeExtKeyUsage
CyaSSL Entering GetAlgoId
About to verify certificate signature
No CA signer to verify with
Failed to verify CA from chain
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeBasicCaConstraint
CyaSSL Entering DecodeKeyUsage
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering GetAlgoId
About to verify certificate signature
Rsa SSL verify error
Confirm signature failed
Failed to verify CA from chain
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeBasicCaConstraint
Certificate Policy extension not supported yet.
CyaSSL Entering DecodeKeyUsage
CyaSSL Entering DecodeExtKeyUsage
CyaSSL Entering DecodeAuthInfo
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeAltNames
    Unsupported name type, skipping
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeAuthKeyId
CyaSSL Entering GetAlgoId
About to verify certificate signature
Rsa SSL verify error
Confirm signature failed
Failed to verify CA from chain
CyaSSL Entering GetExplicitVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering GetAlgoId
About to verify certificate signature
Rsa SSL verify error
Confirm signature failed
Failed to verify CA from chain
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeBasicCaConstraint
Certificate Policy extension not supported yet.
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeKeyUsage
CyaSSL Entering DecodeAltNames
    Unsupported name type, skipping
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeAuthKeyId
    info: OPTIONAL item 0, not available

CyaSSL Entering GetAlgoId
About to verify certificate signature
No CA signer to verify with
Failed to verify CA from chain
Verifying Peer's cert
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeAuthKeyId
CyaSSL Entering DecodeKeyUsage
CyaSSL Entering DecodeExtKeyUsage
CyaSSL Entering DecodeAltNames
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeBasicCaConstraint
CyaSSL Entering DecodeAuthInfo
Certificate Policy extension not supported yet.
CyaSSL Entering GetAlgoId
About to verify certificate signature
Rsa SSL verify error
Confirm signature failed
Failed to verify Peer's cert
    No callback override available, fatal
CyaSSL Leaving DoHandShakeMsgType(), return -155
CyaSSL Leaving DoHandShakeMsg(), return -155
CyaSSL error occured, error = -155
[HTTPClient : ERR]SSL_connect failed
CyaSSL Entering SSL_get_error
CyaSSL Leaving SSL_get_error, return -155
CyaSSL Entering ERR_error_string
Error code [-155] is [ASN sig error, confirm failure]
CyaSSL Entering SSL_free
CTX ref count not 0 yet, no free
Shrinking input buffer

CyaSSL Leaving SSL_free, return 0
CyaSSL Entering SSL_CTX_free
CTX ref count down to 0, doing full free
CyaSSL Entering CyaSSL_CertManagerFree
CyaSSL Leaving SSL_CTX_free, return 0
CyaSSL Entering CyaSSL_Cleanup
[INFO] HTTPS POST failed [HTTP_CONN]

I'm curious about the "Certificate Policy extension not supported yet." line close to the end of the trace.  This seems to be caused by the function DecodeAuthInfo(), which has a comment stating "Only supporting URIs right now."  I see this function failing (with the corresponding log message) a few times in the trace, but the rest of the time it seems to be succeeding.  Can you shed some light on this?  Specifically, is this the cause of our problem or just a side effect?  Here is the cert chain we're using:

I had to remove URLs from the comments before each cert in order to post this.

#include <string>
#include <vector>
using namespace std;

vector<string> certs;

void init_certs() {
    certs.push_back(
    //0 s:/serialNumber=xyPwLKIHpSllSZfIv7-CkSqOMbb9wSCf/C=US/ST=Massachusetts/L=Foxboro/O=Axeda Corporation/OU=Axeda Hosting/CN=nucleus-connect.axeda.com
    //   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
    "-----BEGIN CERTIFICATE-----\r\n"
    "MIIFHzCCBAegAwIBAgIDAtokMA0GCSqGSIb3DQEBBQUAMEAxCzAJBgNVBAYTAlVT\r\n"
    "MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEYMBYGA1UEAxMPR2VvVHJ1c3QgU1NM\r\n"
    "IENBMB4XDTE0MDQyNzA5MTY0M1oXDTE1MDQyOTIyMTc0OFowgboxKTAnBgNVBAUT\r\n"
    "IHh5UHdMS0lIcFNsbFNaZkl2Ny1Da1NxT01iYjl3U0NmMQswCQYDVQQGEwJVUzEW\r\n"
    "MBQGA1UECBMNTWFzc2FjaHVzZXR0czEQMA4GA1UEBxMHRm94Ym9ybzEaMBgGA1UE\r\n"
    "ChMRQXhlZGEgQ29ycG9yYXRpb24xFjAUBgNVBAsTDUF4ZWRhIEhvc3RpbmcxIjAg\r\n"
    "BgNVBAMTGW51Y2xldXMtY29ubmVjdC5heGVkYS5jb20wggEiMA0GCSqGSIb3DQEB\r\n"
    "AQUAA4IBDwAwggEKAoIBAQDLho01WLMt1cpK6uRumj9kcbAq4bjF7kyz6G634Xi+\r\n"
    "5KyxP9Zzrp01AS1th+WHKCmDK+hJXor76GD7QZE+mAyS+3YWAhI6TfWRaF1LdMwp\r\n"
    "qN5yefkMzlQelp1D3fo2lTkuOmfwPGp9r+1cyJjeUo/KLD9zs1wjWdd5XTZYKlGh\r\n"
    "0DN7Vxvn1BlbLGWWL+jCO+kcve5PZrdQ9SfjzKZjMac0hH4cOkx8pNmAwDAz2azn\r\n"
    "HlNXxx80a5LH05/+VY/pSRhQcItj5jdF+BgtVkjuoMWdy/v57qv9jpDE6hvHWN+p\r\n"
    "umsZ/txiesdMY6ZVjH2D6i1Qy81LM1vcbVyVPVc9XVcNAgMBAAGjggGlMIIBoTAf\r\n"
    "BgNVHSMEGDAWgBRCeVQbYc1VKz5j1TxIV/Wf+0XOSjAOBgNVHQ8BAf8EBAMCBLAw\r\n"
    "HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMCQGA1UdEQQdMBuCGW51Y2xl\r\n"
    "dXMtY29ubmVjdC5heGVkYS5jb20wPQYDVR0fBDYwNDAyoDCgLoYsaHR0cDovL2d0\r\n"
    "c3NsLWNybC5nZW90cnVzdC5jb20vY3Jscy9ndHNzbC5jcmwwHQYDVR0OBBYEFDqk\r\n"
    "jHdMa4EzPTCjuIaDaKFcAsCBMAwGA1UdEwEB/wQCMAAwbwYIKwYBBQUHAQEEYzBh\r\n"
    "MCoGCCsGAQUFBzABhh5odHRwOi8vZ3Rzc2wtb2NzcC5nZW90cnVzdC5jb20wMwYI\r\n"
    "KwYBBQUHMAKGJ2h0dHA6Ly9ndHNzbC1haWEuZ2VvdHJ1c3QuY29tL2d0c3NsLmNy\r\n"
    "dDBMBgNVHSAERTBDMEEGCmCGSAGG+EUBBzYwMzAxBggrBgEFBQcCARYlaHR0cDov\r\n"
    "L3d3dy5nZW90cnVzdC5jb20vcmVzb3VyY2VzL2NwczANBgkqhkiG9w0BAQUFAAOC\r\n"
    "AQEAJoxPO9TMulDkR1z1w7sCrrfNRbC3/J/cHPq0DWXk/SptjFRoohqp9g0UrPm5\r\n"
    "8zhmgKuYWlhBFjHBBU35w1AFzbFjw/Yyz3oJ4CbcvwE8GskS+cNxj426oHcTPvbF\r\n"
    "I7nZ9d5X0DB7+i/Bj/ZOtiKeDsw0Xc9+OpTxo/dTlk2VmRlhEYUrXozY2XvYgZew\r\n"
    "JWOVwbclRsZrb7jNIV7Ft2TT/rWgxgE4qxwY0027cSeuZARIezYtN7DR9TKGxYZm\r\n"
    "QQDJB/eQZI/4FocqrQqu1d8n4ccLGSrF4w9+LKgf4tK6SXzdtjW9ImMwWUVzwxTd\r\n"
    "w+AV1Aq6BW6t2jbD4LZGi5QG6A==\r\n"
    "-----END CERTIFICATE-----\r\n"
    );

    certs.push_back(
    // 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at CN=VeriSign Class 3 Secure Server CA
    //   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
    "-----BEGIN CERTIFICATE-----\r\n"
    "MIIEnDCCBAWgAwIBAgIQdTN9mrDhIzuuLX3kRpFi1DANBgkqhkiG9w0BAQUFADBf\r\n"
    "MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT\r\n"
    "LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw\r\n"
    "HhcNMDUwMTE5MDAwMDAwWhcNMTUwMTE4MjM1OTU5WjCBsDELMAkGA1UEBhMCVVMx\r\n"
    "FzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVz\r\n"
    "dCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQgaHR0cHM6Ly93d3cu\r\n"
    "dmVyaXNpZ24uY29tL3JwYSAoYykwNTEqMCgGA1UEAxMhVmVyaVNpZ24gQ2xhc3Mg\r\n"
    "MyBTZWN1cmUgU2VydmVyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC\r\n"
    "AQEAlcMhEo5AxQ0BX3ZeZpTZcyxYGSK4yfx6OZAqd3J8HT732FXjr0LLhzAC3Fus\r\n"
    "cOa4RLQrNeuT0hcFfstG1lxToDJRnXRkWPkMmgDqXkRJZHL0zRDihQr5NO6ziGap\r\n"
    "paRa0A6Yf1gNK1K7hql+LvqySHyN2y1fAXWijQY7i7RhB8m+Ipn4G9G1V2YETTX0\r\n"
    "kXGWtZkIJZuXyDrzILHdnpgMSmO3ps6wAc74k2rzDG6fsemEe4GYQeaB3D0s57Rr\r\n"
    "4578CBbXs9W5ZhKZfG1xyE2+xw/j+zet1XWHIWuG0EQUWlR5OZZpVsm5Mc2JYVjh\r\n"
    "2XYFBa33uQKvp/1HkaIiNFox0QIDAQABo4IBgTCCAX0wEgYDVR0TAQH/BAgwBgEB\r\n"
    "/wIBADBEBgNVHSAEPTA7MDkGC2CGSAGG+EUBBxcDMCowKAYIKwYBBQUHAgEWHGh0\r\n"
    "dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9ycGEwMQYDVR0fBCowKDAmoCSgIoYgaHR0\r\n"
    "cDovL2NybC52ZXJpc2lnbi5jb20vcGNhMy5jcmwwDgYDVR0PAQH/BAQDAgEGMBEG\r\n"
    "CWCGSAGG+EIBAQQEAwIBBjApBgNVHREEIjAgpB4wHDEaMBgGA1UEAxMRQ2xhc3Mz\r\n"
    "Q0EyMDQ4LTEtNDUwHQYDVR0OBBYEFG/sr6DdiqTv9SoQZy0/VYK81+8lMIGABgNV\r\n"
    "HSMEeTB3oWOkYTBfMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIElu\r\n"
    "Yy4xNzA1BgNVBAsTLkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlv\r\n"
    "biBBdXRob3JpdHmCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQEFBQADgYEA\r\n"
    "w34IRl2RNs9n3Nenr6+4IsOLBHTTsWC85v63RBKBWzFzFGNWxnIu0RoDQ1w4ClBK\r\n"
    "Tc3athmo9JkNr+P32PF1KGX2av6b9L1S2T/L2hbLpZ4ujmZSeD0m+v6UNohKlV4q\r\n"
    "TBnvbvqCPy0D79YoszcYz0KyNCFkR9MgazpM3OYDkAw=\r\n"
    "-----END CERTIFICATE-----\r\n"
    );

    certs.push_back(
    // 2 s:/C=US/ST=Massachusetts/L=Mansfield/O=Axeda Systems, Inc./CN=Axeda Systems CA/emailAddress=support@axeda.com
    //   i:/C=US/ST=Massachusetts/L=Mansfield/O=Axeda Systems, Inc./CN=Axeda Systems CA/emailAddress=support@axeda.com
    "-----BEGIN CERTIFICATE-----\r\n"
    "MIICmTCCAgICAQAwDQYJKoZIhvcNAQEEBQAwgZQxCzAJBgNVBAYTAlVTMRYwFAYD\r\n"
    "VQQIEw1NYXNzYWNodXNldHRzMRIwEAYDVQQHEwlNYW5zZmllbGQxHDAaBgNVBAoT\r\n"
    "E0F4ZWRhIFN5c3RlbXMsIEluYy4xGTAXBgNVBAMTEEF4ZWRhIFN5c3RlbXMgQ0Ex\r\n"
    "IDAeBgkqhkiG9w0BCQEWEXN1cHBvcnRAYXhlZGEuY29tMB4XDTAzMDExMDE3MzUy\r\n"
    "N1oXDTEzMDEwNzE3MzUyN1owgZQxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNz\r\n"
    "YWNodXNldHRzMRIwEAYDVQQHEwlNYW5zZmllbGQxHDAaBgNVBAoTE0F4ZWRhIFN5\r\n"
    "c3RlbXMsIEluYy4xGTAXBgNVBAMTEEF4ZWRhIFN5c3RlbXMgQ0ExIDAeBgkqhkiG\r\n"
    "9w0BCQEWEXN1cHBvcnRAYXhlZGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB\r\n"
    "iQKBgQD0VtQ82SdSI4QTwIWIXTya91GJ4IFZMwY3eXVkg3jpBwGGQFAk2yOAhITZ\r\n"
    "nQkZn5/JEifRJTvLhqq7AtFqkKG0bKza3jLFhMDh4q7nn5en1wWvMWQM8hSA7cBV\r\n"
    "DYbtsRObM8b7TiC8ZlxhN/6fZFiLyzX431Ppx2nSjyfpHK3oSQIDAQABMA0GCSqG\r\n"
    "SIb3DQEBBAUAA4GBAGav/orW9wQ7TvUiJV5IcpckJKQJrTd0M2XBu+iPwJ52+4pP\r\n"
    "SzJJ7zMdhUTEkxuWegz1L25DewZdnMBddtSK9/AcB6l7Ezqwfblr6cuLNduO9+MU\r\n"
    "29I/wb5gbC2vSppa/clLB7Cw/b7ypS+bTTIU9RbbOrtuKtyGGN3YCvXGKUgB\r\n"
    "-----END CERTIFICATE-----\r\n"
    );

    certs.push_back(
    // 3 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at CN=VeriSign Class 3 International Server CA - G3
    //   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    "-----BEGIN CERTIFICATE-----\r\n"
    "MIIGKTCCBRGgAwIBAgIQZBvoIM4CCBPzLU0tldZ+ZzANBgkqhkiG9w0BAQUFADCB\r\n"
    "yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL\r\n"
    "ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp\r\n"
    "U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW\r\n"
    "ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0\r\n"
    "aG9yaXR5IC0gRzUwHhcNMTAwMjA4MDAwMDAwWhcNMjAwMjA3MjM1OTU5WjCBvDEL\r\n"
    "MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW\r\n"
    "ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQg\r\n"
    "aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDE2MDQGA1UEAxMtVmVy\r\n"
    "aVNpZ24gQ2xhc3MgMyBJbnRlcm5hdGlvbmFsIFNlcnZlciBDQSAtIEczMIIBIjAN\r\n"
    "BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmdacYvAV9IGaQQhZjxOdF8mfUdza\r\n"
    "sVLv/+NB3eDfxCjG4615HycQmLi7IJfBKERBD+qpqFLPTU4bi7u1xHbZzFYG7rNV\r\n"
    "ICreFY1xy1TIbxfNiQDk3P/hwB9ocenHKS5+vDv85burJlSLZpDN9pK5MSSAvJ5s\r\n"
    "1fx+0uFLjNxC+kRLX/gYtS4w9D0SmNNiBXNUppyiHb5SgzoHRsQ7AlYhv/JRT9Cm\r\n"
    "mTnprqU/iZucff5NYAclIPe712mDK4KTQzfZg0EbawurSmaET0qO3n40mY5o1so5\r\n"
    "BptMs5pITRNGtFghBMT7oE2sLktiEuP7TfbJUQABH/weaoEqOOC5T9YtRQIDAQAB\r\n"
    "o4ICFTCCAhEwEgYDVR0TAQH/BAgwBgEB/wIBADBwBgNVHSAEaTBnMGUGC2CGSAGG\r\n"
    "+EUBBxcDMFYwKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9j\r\n"
    "cHMwKgYIKwYBBQUHAgIwHhocaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYTAO\r\n"
    "BgNVHQ8BAf8EBAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2Uv\r\n"
    "Z2lmMCEwHzAHBgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDov\r\n"
    "L2xvZ28udmVyaXNpZ24uY29tL3ZzbG9nby5naWYwNAYDVR0lBC0wKwYIKwYBBQUH\r\n"
    "AwEGCCsGAQUFBwMCBglghkgBhvhCBAEGCmCGSAGG+EUBCAEwNAYIKwYBBQUHAQEE\r\n"
    "KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC52ZXJpc2lnbi5jb20wNAYDVR0f\r\n"
    "BC0wKzApoCegJYYjaHR0cDovL2NybC52ZXJpc2lnbi5jb20vcGNhMy1nNS5jcmww\r\n"
    "KAYDVR0RBCEwH6QdMBsxGTAXBgNVBAMTEFZlcmlTaWduTVBLSS0yLTcwHQYDVR0O\r\n"
    "BBYEFNebfNgioBX33a1fzimbWMO8RgC1MB8GA1UdIwQYMBaAFH/TZafC3ey78DAJ\r\n"
    "80M5+gKvMzEzMA0GCSqGSIb3DQEBBQUAA4IBAQBxtX1zUkrd1000Ky6vlEalSVAC\r\n"
    "T/gvF3DyE9wfIYaqwk98NzzURniuXXhv0bpavBCrWDbFjGIVRWAXIeLVQqh3oVXY\r\n"
    "QwRR9m66SOZdTLdE0z6k1dYzmp8N5tdOlkSVWmzWoxZTDphDzqS4w2Z6BVxiEOgb\r\n"
    "Ett9LnZQ/9/XaxvMisxx+rNAVnwzeneUW/ULU/sOX7xo+68q7jA3eRaTJX9NEP9X\r\n"
    "+79uOzMh3nnchhdZLUNkt6Zmh+q8lkYZGoaLb9e3SQBb26O/KZru99MzrqP0nkzK\r\n"
    "XmnUG623kHdq2FlveasB+lXwiiFm5WVu/XzT3x7rfj8GkPsZC9MGAht4Q5mo\r\n"
    "-----END CERTIFICATE-----\r\n"
    );

    certs.push_back(
    // 4 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    //   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    "-----BEGIN CERTIFICATE-----\r\n"
    "MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB\r\n"
    "yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL\r\n"
    "ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp\r\n"
    "U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW\r\n"
    "ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0\r\n"
    "aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCByjEL\r\n"
    "MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW\r\n"
    "ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2ln\r\n"
    "biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp\r\n"
    "U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y\r\n"
    "aXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1\r\n"
    "nmAMqudLO07cfLw8RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbex\r\n"
    "t0uz/o9+B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIz\r\n"
    "SdhDY2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQG\r\n"
    "BO+QueQA5N06tRn/Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+\r\n"
    "rCpSx4/VBEnkjWNHiDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/\r\n"
    "NIeWiu5T6CUVAgMBAAGjgbIwga8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E\r\n"
    "BAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAH\r\n"
    "BgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVy\r\n"
    "aXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFH/TZafC3ey78DAJ80M5+gKv\r\n"
    "MzEzMA0GCSqGSIb3DQEBBQUAA4IBAQCTJEowX2LP2BqYLz3q3JktvXf2pXkiOOzE\r\n"
    "p6B4Eq1iDkVwZMXnl2YtmAl+X6/WzChl8gGqCBpH3vn5fJJaCGkgDdk+bW48DW7Y\r\n"
    "5gaRQBi5+MHt39tBquCWIMnNZBU4gcmU7qKEKQsTb47bDN0lAtukixlE0kF6BWlK\r\n"
    "WE9gyn6CagsCqiUXObXbf+eEZSqVir2G3l6BFoMtEMze/aiCKm0oHw0LxOXnGiYZ\r\n"
    "4fQRbxC1lfznQgUy286dUV4otp6F01vvpX1FQHKOtw5rDgb7MzVIcbidJ4vEZV8N\r\n"
    "hnacRHr2lVz2XTIIM6RUthg/aFzyQkqFOFSDX9HoLPKsEdao7WNq\r\n"
    "-----END CERTIFICATE-----\r\n"
    );

    certs.push_back(
    // 5 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    //   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
    "-----BEGIN CERTIFICATE-----\r\n"
    "MIIE0DCCBDmgAwIBAgIQJQzo4DBhLp8rifcFTXz4/TANBgkqhkiG9w0BAQUFADBf\r\n"
    "MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT\r\n"
    "LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw\r\n"
    "HhcNMDYxMTA4MDAwMDAwWhcNMjExMTA3MjM1OTU5WjCByjELMAkGA1UEBhMCVVMx\r\n"
    "FzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVz\r\n"
    "dCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2lnbiwgSW5jLiAtIEZv\r\n"
    "ciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAz\r\n"
    "IFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzUwggEi\r\n"
    "MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1nmAMqudLO07cfLw8\r\n"
    "RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbext0uz/o9+B1fs70Pb\r\n"
    "ZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIzSdhDY2pSS9KP6HBR\r\n"
    "TdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQGBO+QueQA5N06tRn/\r\n"
    "Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+rCpSx4/VBEnkjWNH\r\n"
    "iDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/NIeWiu5T6CUVAgMB\r\n"
    "AAGjggGbMIIBlzAPBgNVHRMBAf8EBTADAQH/MDEGA1UdHwQqMCgwJqAkoCKGIGh0\r\n"
    "dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMA4GA1UdDwEB/wQEAwIBBjA9\r\n"
    "BgNVHSAENjA0MDIGBFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVy\r\n"
    "aXNpZ24uY29tL2NwczAdBgNVHQ4EFgQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMwbQYI\r\n"
    "KwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQU\r\n"
    "j+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVyaXNpZ24uY29t\r\n"
    "L3ZzbG9nby5naWYwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v\r\n"
    "b2NzcC52ZXJpc2lnbi5jb20wPgYDVR0lBDcwNQYIKwYBBQUHAwEGCCsGAQUFBwMC\r\n"
    "BggrBgEFBQcDAwYJYIZIAYb4QgQBBgpghkgBhvhFAQgBMA0GCSqGSIb3DQEBBQUA\r\n"
    "A4GBABMC3fjohgDyWvj4IAxZiGIHzs73Tvm7WaGY5eE43U68ZhjTresY8g3JbT5K\r\n"
    "lCDDPLq9ZVTGr0SzEK0saz6r1we2uIFjxfleLuUqZ87NMwwq14lWAyMfs77oOghZ\r\n"
    "tOxFNfeKW/9mz1Cvxm1XjRl4t7mi0VfqH5pLr7rJjhJ+xr3/\r\n"
    "-----END CERTIFICATE-----\r\n"
    );

    certs.push_back(
    // 6 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at CN=VeriSign Class 3 Extended Validation SSL CA
    //   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    "-----BEGIN CERTIFICATE-----\r\n"
    "MIIF5DCCBMygAwIBAgIQW3dZxheE4V7HJ8AylSkoazANBgkqhkiG9w0BAQUFADCB\r\n"
    "yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL\r\n"
    "ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp\r\n"
    "U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW\r\n"
    "ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0\r\n"
    "aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMTYxMTA3MjM1OTU5WjCBujEL\r\n"
    "MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW\r\n"
    "ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQg\r\n"
    "aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNjE0MDIGA1UEAxMrVmVy\r\n"
    "aVNpZ24gQ2xhc3MgMyBFeHRlbmRlZCBWYWxpZGF0aW9uIFNTTCBDQTCCASIwDQYJ\r\n"
    "KoZIhvcNAQEBBQADggEPADCCAQoCggEBAJjboFXrnP0XeeOabhQdsVuYI4cWbod2\r\n"
    "nLU4O7WgerQHYwkZ5iqISKnnnbYwWgiXDOyq5BZpcmIjmvt6VCiYxQwtt9citsj5\r\n"
    "OBfH3doxRpqUFI6e7nigtyLUSVSXTeV0W5K87Gws3+fBthsaVWtmCAN/Ra+aM/EQ\r\n"
    "wGyZSpIkMQht3QI+YXZ4eLbtfjeubPOJ4bfh3BXMt1afgKCxBX9ONxX/ty8ejwY4\r\n"
    "P1C3aSijtWZfNhpSSENmUt+ikk/TGGC+4+peGXEFv54cbGhyJW+ze3PJbb0S/5tB\r\n"
    "Ml706H7FC6NMZNFOvCYIZfsZl1h44TO/7Wg+sSdFb8Di7Jdp91zT91ECAwEAAaOC\r\n"
    "AdIwggHOMB0GA1UdDgQWBBT8ilC6nrklWntVhU+VAGOP6VhrQzASBgNVHRMBAf8E\r\n"
    "CDAGAQH/AgEAMD0GA1UdIAQ2MDQwMgYEVR0gADAqMCgGCCsGAQUFBwIBFhxodHRw\r\n"
    "czovL3d3dy52ZXJpc2lnbi5jb20vY3BzMD0GA1UdHwQ2MDQwMqAwoC6GLGh0dHA6\r\n"
    "Ly9FVlNlY3VyZS1jcmwudmVyaXNpZ24uY29tL3BjYTMtZzUuY3JsMA4GA1UdDwEB\r\n"
    "/wQEAwIBBjARBglghkgBhvhCAQEEBAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZ\r\n"
    "MFcwVRYJaW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7\r\n"
    "GS4wJRYjaHR0cDovL2xvZ28udmVyaXNpZ24uY29tL3ZzbG9nby5naWYwKQYDVR0R\r\n"
    "BCIwIKQeMBwxGjAYBgNVBAMTEUNsYXNzM0NBMjA0OC0xLTQ3MD0GCCsGAQUFBwEB\r\n"
    "BDEwLzAtBggrBgEFBQcwAYYhaHR0cDovL0VWU2VjdXJlLW9jc3AudmVyaXNpZ24u\r\n"
    "Y29tMB8GA1UdIwQYMBaAFH/TZafC3ey78DAJ80M5+gKvMzEzMA0GCSqGSIb3DQEB\r\n"
    "BQUAA4IBAQCWovp/5j3t1CvOtxU/wHIDX4u6FpAl98KD2Md1NGNoElMMU4l7yVYJ\r\n"
    "p8M2RE4O0GJis4b66KGbNGeNUyIXPv2s7mcuQ+JdfzOE8qJwwG6Cl8A0/SXGI3/t\r\n"
    "5rDFV0OEst4t8dD2SB8UcVeyrDHhlyQjyRNddOVG7wl8nuGZMQoIeRuPcZ8XZsg4\r\n"
    "z+6Ml7YGuXNG5NOUweVgtSV1LdlpMezNlsOjdv3odESsErlNv1HoudRETifLriDR\r\n"
    "fip8tmNHnna6l9AW5wtsbfdDbzMLKTB3+p359U64drPNGLT5IO892+bKrZvQTtKH\r\n"
    "qQ2mRHNQ3XBb7a1+Srwi1agm5MKFIA3Z\r\n"
    "-----END CERTIFICATE-----\r\n"
    );

    certs.push_back(
    // 7 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    //   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
    "-----BEGIN CERTIFICATE-----\r\n"
    "MIIE0DCCBDmgAwIBAgIQJQzo4DBhLp8rifcFTXz4/TANBgkqhkiG9w0BAQUFADBf\r\n"
    "MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT\r\n"
    "LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw\r\n"
    "HhcNMDYxMTA4MDAwMDAwWhcNMjExMTA3MjM1OTU5WjCByjELMAkGA1UEBhMCVVMx\r\n"
    "FzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVz\r\n"
    "dCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2lnbiwgSW5jLiAtIEZv\r\n"
    "ciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAz\r\n"
    "IFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzUwggEi\r\n"
    "MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1nmAMqudLO07cfLw8\r\n"
    "RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbext0uz/o9+B1fs70Pb\r\n"
    "ZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIzSdhDY2pSS9KP6HBR\r\n"
    "TdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQGBO+QueQA5N06tRn/\r\n"
    "Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+rCpSx4/VBEnkjWNH\r\n"
    "iDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/NIeWiu5T6CUVAgMB\r\n"
    "AAGjggGbMIIBlzAPBgNVHRMBAf8EBTADAQH/MDEGA1UdHwQqMCgwJqAkoCKGIGh0\r\n"
    "dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMA4GA1UdDwEB/wQEAwIBBjA9\r\n"
    "BgNVHSAENjA0MDIGBFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVy\r\n"
    "aXNpZ24uY29tL2NwczAdBgNVHQ4EFgQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMwbQYI\r\n"
    "KwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQU\r\n"
    "j+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVyaXNpZ24uY29t\r\n"
    "L3ZzbG9nby5naWYwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v\r\n"
    "b2NzcC52ZXJpc2lnbi5jb20wPgYDVR0lBDcwNQYIKwYBBQUHAwEGCCsGAQUFBwMC\r\n"
    "BggrBgEFBQcDAwYJYIZIAYb4QgQBBgpghkgBhvhFAQgBMA0GCSqGSIb3DQEBBQUA\r\n"
    "A4GBABMC3fjohgDyWvj4IAxZiGIHzs73Tvm7WaGY5eE43U68ZhjTresY8g3JbT5K\r\n"
    "lCDDPLq9ZVTGr0SzEK0saz6r1we2uIFjxfleLuUqZ87NMwwq14lWAyMfs77oOghZ\r\n"
    "tOxFNfeKW/9mz1Cvxm1XjRl4t7mi0VfqH5pLr7rJjhJ+xr3/\r\n"
    "-----END CERTIFICATE-----\r\n"
    );

    certs.push_back(
    // 8 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at CN=VeriSign Class 3 Extended Validation SSL SGC CA
    //   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    "-----BEGIN CERTIFICATE-----\r\n"
    "MIIGHjCCBQagAwIBAgIQLEjdkw31WY75PJlUemDtQzANBgkqhkiG9w0BAQUFADCB\r\n"
    "yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL\r\n"
    "ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp\r\n"
    "U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW\r\n"
    "ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0\r\n"
    "aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMTYxMTA3MjM1OTU5WjCBvjEL\r\n"
    "MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW\r\n"
    "ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQg\r\n"
    "aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNjE4MDYGA1UEAxMvVmVy\r\n"
    "aVNpZ24gQ2xhc3MgMyBFeHRlbmRlZCBWYWxpZGF0aW9uIFNTTCBTR0MgQ0EwggEi\r\n"
    "MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9Voi6iDRkZM/NyrDu5xlzxXLZ\r\n"
    "u0W8taj/g74cA9vtibcuEBolvFXKQaGfC88ZXnC5XjlLnjEcX4euKqqoK6IbOxAj\r\n"
    "XxOx3QiMThTag4HjtYzjaO0kZ85Wtqybc5ZE24qMs9bwcZOO23FUSutzWWqPcFEs\r\n"
    "A5+X0cwRerxiDZUqyRx1V+n1x+q6hDXLx4VafuRN4RGXfQ4gNEXb8aIJ6+s9nriW\r\n"
    "Q140SwglHkMaotm3igE0PcP45a9PjP/NZfAjTsWXs1zakByChQ0GDcEitnsopAPD\r\n"
    "TFPRWLxyvAg5/KB2qKjpS26IPeOzMSWMcylIDjJ5Bu09Q/T25On8fb6OCNUfAgMB\r\n"
    "AAGjggIIMIICBDAdBgNVHQ4EFgQUTkPIHXbvN1N6T/JYb5TzOOLVvd8wEgYDVR0T\r\n"
    "AQH/BAgwBgEB/wIBADA9BgNVHSAENjA0MDIGBFUdIAAwKjAoBggrBgEFBQcCARYc\r\n"
    "aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2NwczA9BgNVHR8ENjA0MDKgMKAuhixo\r\n"
    "dHRwOi8vRVZTZWN1cmUtY3JsLnZlcmlzaWduLmNvbS9wY2EzLWc1LmNybDAOBgNV\r\n"
    "HQ8BAf8EBAMCAQYwEQYJYIZIAYb4QgEBBAQDAgEGMG0GCCsGAQUFBwEMBGEwX6Fd\r\n"
    "oFswWTBXMFUWCWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFI/l0xqGrI2Oa8PPgGrU\r\n"
    "SBgsexkuMCUWI2h0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28uZ2lmMCkG\r\n"
    "A1UdEQQiMCCkHjAcMRowGAYDVQQDExFDbGFzczNDQTIwNDgtMS00ODAfBgNVHSME\r\n"
    "GDAWgBR/02Wnwt3su/AwCfNDOfoCrzMxMzA9BggrBgEFBQcBAQQxMC8wLQYIKwYB\r\n"
    "BQUHMAGGIWh0dHA6Ly9FVlNlY3VyZS1vY3NwLnZlcmlzaWduLmNvbTA0BgNVHSUE\r\n"
    "LTArBglghkgBhvhCBAEGCmCGSAGG+EUBCAEGCCsGAQUFBwMBBggrBgEFBQcDAjAN\r\n"
    "BgkqhkiG9w0BAQUFAAOCAQEAJ3SmNOodneFT1hydDKdbTKln8vAytwEP+0IYON7k\r\n"
    "7knIE8kL7ATDQHEYcnZDAiNdq3vISBQayHsd/PYKnzah0glzcWaWdVE0v5kwUWed\r\n"
    "VLcmRaxzCCOGJplx9I7X6jmbBgkjv2LdqMS2faSJBz7zba5AWVB5lzc9Mnh9smNL\r\n"
    "+eoIaQ4T7ejPu6wFhsoiz4hiXTwiSdhj1SSmve9c48wgOyLq/ETGqOUf4YbNDE2P\r\n"
    "k1PZf+6hCKezMJZJcG6jbD3QY+8lZmPMqrcYF07qcHb2ukKmgDcJTp9miC5rM2bI\r\n"
    "wHGkQeta4/wULkuI/a5uW2XpJ+S/5LAjwbJ9W2Il1z4Q1A==\r\n"
    "-----END CERTIFICATE-----\r\n"
    );

    certs.push_back(
    // 9 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    //   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
    "-----BEGIN CERTIFICATE-----\r\n"
    "MIIE0DCCBDmgAwIBAgIQJQzo4DBhLp8rifcFTXz4/TANBgkqhkiG9w0BAQUFADBf\r\n"
    "MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT\r\n"
    "LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw\r\n"
    "HhcNMDYxMTA4MDAwMDAwWhcNMjExMTA3MjM1OTU5WjCByjELMAkGA1UEBhMCVVMx\r\n"
    "FzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVz\r\n"
    "dCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2lnbiwgSW5jLiAtIEZv\r\n"
    "ciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAz\r\n"
    "IFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzUwggEi\r\n"
    "MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1nmAMqudLO07cfLw8\r\n"
    "RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbext0uz/o9+B1fs70Pb\r\n"
    "ZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIzSdhDY2pSS9KP6HBR\r\n"
    "TdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQGBO+QueQA5N06tRn/\r\n"
    "Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+rCpSx4/VBEnkjWNH\r\n"
    "iDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/NIeWiu5T6CUVAgMB\r\n"
    "AAGjggGbMIIBlzAPBgNVHRMBAf8EBTADAQH/MDEGA1UdHwQqMCgwJqAkoCKGIGh0\r\n"
    "dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMA4GA1UdDwEB/wQEAwIBBjA9\r\n"
    "BgNVHSAENjA0MDIGBFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVy\r\n"
    "aXNpZ24uY29tL2NwczAdBgNVHQ4EFgQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMwbQYI\r\n"
    "KwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQU\r\n"
    "j+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVyaXNpZ24uY29t\r\n"
    "L3ZzbG9nby5naWYwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v\r\n"
    "b2NzcC52ZXJpc2lnbi5jb20wPgYDVR0lBDcwNQYIKwYBBQUHAwEGCCsGAQUFBwMC\r\n"
    "BggrBgEFBQcDAwYJYIZIAYb4QgQBBgpghkgBhvhFAQgBMA0GCSqGSIb3DQEBBQUA\r\n"
    "A4GBABMC3fjohgDyWvj4IAxZiGIHzs73Tvm7WaGY5eE43U68ZhjTresY8g3JbT5K\r\n"
    "lCDDPLq9ZVTGr0SzEK0saz6r1we2uIFjxfleLuUqZ87NMwwq14lWAyMfs77oOghZ\r\n"
    "tOxFNfeKW/9mz1Cvxm1XjRl4t7mi0VfqH5pLr7rJjhJ+xr3/\r\n"
    "-----END CERTIFICATE-----\r\n"
    );

    certs.push_back(
    //10 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at CN=VeriSign Class 3 Secure Server CA
    //   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
    "-----BEGIN CERTIFICATE-----\r\n"
    "MIIEnDCCBAWgAwIBAgIQdTN9mrDhIzuuLX3kRpFi1DANBgkqhkiG9w0BAQUFADBf\r\n"
    "MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT\r\n"
    "LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw\r\n"
    "HhcNMDUwMTE5MDAwMDAwWhcNMTUwMTE4MjM1OTU5WjCBsDELMAkGA1UEBhMCVVMx\r\n"
    "FzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVz\r\n"
    "dCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQgaHR0cHM6Ly93d3cu\r\n"
    "dmVyaXNpZ24uY29tL3JwYSAoYykwNTEqMCgGA1UEAxMhVmVyaVNpZ24gQ2xhc3Mg\r\n"
    "MyBTZWN1cmUgU2VydmVyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC\r\n"
    "AQEAlcMhEo5AxQ0BX3ZeZpTZcyxYGSK4yfx6OZAqd3J8HT732FXjr0LLhzAC3Fus\r\n"
    "cOa4RLQrNeuT0hcFfstG1lxToDJRnXRkWPkMmgDqXkRJZHL0zRDihQr5NO6ziGap\r\n"
    "paRa0A6Yf1gNK1K7hql+LvqySHyN2y1fAXWijQY7i7RhB8m+Ipn4G9G1V2YETTX0\r\n"
    "kXGWtZkIJZuXyDrzILHdnpgMSmO3ps6wAc74k2rzDG6fsemEe4GYQeaB3D0s57Rr\r\n"
    "4578CBbXs9W5ZhKZfG1xyE2+xw/j+zet1XWHIWuG0EQUWlR5OZZpVsm5Mc2JYVjh\r\n"
    "2XYFBa33uQKvp/1HkaIiNFox0QIDAQABo4IBgTCCAX0wEgYDVR0TAQH/BAgwBgEB\r\n"
    "/wIBADBEBgNVHSAEPTA7MDkGC2CGSAGG+EUBBxcDMCowKAYIKwYBBQUHAgEWHGh0\r\n"
    "dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9ycGEwMQYDVR0fBCowKDAmoCSgIoYgaHR0\r\n"
    "cDovL2NybC52ZXJpc2lnbi5jb20vcGNhMy5jcmwwDgYDVR0PAQH/BAQDAgEGMBEG\r\n"
    "CWCGSAGG+EIBAQQEAwIBBjApBgNVHREEIjAgpB4wHDEaMBgGA1UEAxMRQ2xhc3Mz\r\n"
    "Q0EyMDQ4LTEtNDUwHQYDVR0OBBYEFG/sr6DdiqTv9SoQZy0/VYK81+8lMIGABgNV\r\n"
    "HSMEeTB3oWOkYTBfMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIElu\r\n"
    "Yy4xNzA1BgNVBAsTLkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlv\r\n"
    "biBBdXRob3JpdHmCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQEFBQADgYEA\r\n"
    "w34IRl2RNs9n3Nenr6+4IsOLBHTTsWC85v63RBKBWzFzFGNWxnIu0RoDQ1w4ClBK\r\n"
    "Tc3athmo9JkNr+P32PF1KGX2av6b9L1S2T/L2hbLpZ4ujmZSeD0m+v6UNohKlV4q\r\n"
    "TBnvbvqCPy0D79YoszcYz0KyNCFkR9MgazpM3OYDkAw=\r\n"
    "-----END CERTIFICATE-----\r\n"
    );

    certs.push_back(
    //11 s:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
    //   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    "-----BEGIN CERTIFICATE-----\r\n"
    "MIID2TCCAsGgAwIBAgIDAjbQMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT\r\n"
    "MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i\r\n"
    "YWwgQ0EwHhcNMTAwMjE5MjIzOTI2WhcNMjAwMjE4MjIzOTI2WjBAMQswCQYDVQQG\r\n"
    "EwJVUzEXMBUGA1UEChMOR2VvVHJ1c3QsIEluYy4xGDAWBgNVBAMTD0dlb1RydXN0\r\n"
    "IFNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJCzgMHk5Uat\r\n"
    "cGA9uuUU3Z6KXot1WubKbUGlI+g5hSZ6p1V3mkihkn46HhrxJ6ujTDnMyz1Hr4Gu\r\n"
    "FmpcN+9FQf37mpc8oEOdxt8XIdGKolbCA0mEEoE+yQpUYGa5jFTk+eb5lPHgX3UR\r\n"
    "8im55IaisYmtph6DKWOy8FQchQt65+EuDa+kvc3nsVrXjAVaDktzKIt1XTTYdwvh\r\n"
    "dGLicTBi2LyKBeUxY0pUiWozeKdOVSQdl+8a5BLGDzAYtDRN4dgjOyFbLTAZJQ50\r\n"
    "96QhS6CkIMlszZhWwPKoXz4mdaAN+DaIiixafWcwqQ/RmXAueOFRJq9VeiS+jDkN\r\n"
    "d53eAsMMvR8CAwEAAaOB2TCB1jAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFEJ5\r\n"
    "VBthzVUrPmPVPEhX9Z/7Rc5KMB8GA1UdIwQYMBaAFMB6mGiNifurBWQMEX2qfWW4\r\n"
    "ysxOMBIGA1UdEwEB/wQIMAYBAf8CAQAwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDov\r\n"
    "L2NybC5nZW90cnVzdC5jb20vY3Jscy9ndGdsb2JhbC5jcmwwNAYIKwYBBQUHAQEE\r\n"
    "KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nZW90cnVzdC5jb20wDQYJKoZI\r\n"
    "hvcNAQEFBQADggEBANTvU4ToGr2hiwTAqfVfoRB4RV2yV2pOJMtlTjGXkZrUJPji\r\n"
    "J2ZwMZzBYlQG55cdOprApClICq8kx6jEmlTBfEx4TCtoLF0XplR4TEbigMMfOHES\r\n"
    "0tdT41SFULgCy+5jOvhWiU1Vuy7AyBh3hjELC3DwfjWDpCoTZFZnNF0WX3OsewYk\r\n"
    "2k9QbSqr0E1TQcKOu3EDSSmGGM8hQkx0YlEVxW+o78Qn5Rsz3VqI138S0adhJR/V\r\n"
    "4NwdzxoQ2KDLX4z6DOW/cf/lXUQdpj6HR/oaToODEj+IZpWYeZqF6wJHzSXj8gYE\r\n"
    "TpnKXKBuervdo5AaRTPvvz7SBMS24CqFZUE+ENQ=\r\n"
    "-----END CERTIFICATE-----\r\n"
    );
}

These certs are all appended and provided to the CyaSSL_CTX_load_verify_buffer().


Re: [SOLVED] Equifax Certificate

TL;DR: You need to rebuild wolfSSL with MAX_CHAIN_DEPTH set to 12. Given your server's certificate chain, you need to load as CA certificates both the "GeoTrust Global CA" and VeriSign's "Class 3 Public Primary Certification Authority", not the Equinox certificate. And your server's certificate chain has a certificate named "Axeda Systems CA" which is expired.


mfiore02 wrote:

I'm curious about the "Certificate Policy extension not supported yet." line close to the end of the trace.  This seems to be caused by the function DecodeAuthInfo(), which has a comment stating "Only supporting URIs right now."  I see this function failing (with the corresponding log message) a few times in the trace, but the rest of the time it seems to be succeeding.  Can you shed some light on this?  Specifically, is this the cause of our problem or just a side effect?

Red herring. The function DecodeAuthInfo() is parsing the Authority Info Access extension which lists things like OCSP servers. We only parse out the URL for an OCSP lookup. The Certificate Policy extension string you are seeing is output by the function DecodeCertExtensions() when it sees the Certificate Policy extension. There is a SEP profile that uses that extension to put IDs for devices in it. Normally we ignore the extension.


When processing the peer’s certificate chain provided in the Certificate handshake message, we only process up to MAX_CHAIN_DEPTH certificates from the peer; by default that constant is set to 9. The cert chain is:

0: peer cert from Axeda Hosting, signed by GeoTrust SSL CA
1: VeriSign Trust Network, signed by VeriSign’s Class 3 Public Primary CA
2: Axeda Systems CA, self-signed
3 to 10: A bunch of VeriSign certificates
11: GeoTrust SSL CA, signed by GeoTrust Global CA

Certificate 11’s Authority Key Identifier is C0:7A:98:68:... which matches the GeoTrust Global CA’s Subject Key ID, not the Equifax certificate you are using as your CA.

When I use our example client to connect to your server with the command

% ./examples/client/client -p 443 -g -h nucleus-connect.axeda.com

I get error -368, Maximum Chain Depth Exceeded. I changed MAX_CHAIN_DEPTH to 12 and get error -188, No Signer. Then I use the GeoTrust Global CA,

% ./examples/client/client -p 443 -g -h nucleus-connect.axeda.com -A GeoTrustGlobalCA.pem

And I also got error -188, No Signer. That was because all the unused VeriSign certificates needed a CA as well. I grabbed VeriSign's “Class 3 Public Primary Certification Authority” certificate from my keychain and appended it to my local copy of the GeoTrust CA in a file called certs.pem. So,

% ./examples/client/client -p 443 -g -h nucleus-connect.axeda.com -A certs.pem

I get error -151, ASN Date Error, Current Date After. One of the certs in the chain has an expired certificate. It looks like certificate 2, "CN=Axeda Systems CA" expired on Jan 7, 2013.

I hope that helps.

Re: [SOLVED] Equifax Certificate

That is incredibly helpful!  Thanks so much!

I have one more question.  When I test against this same server using Curl or OpenSSL, the connection is allowed, even though 1 (or more) of the certificates in the chain have expired.  I don't know enough about the SSL spec to know if this is bad behavior or not, but I'd assume not since those are both very mainstream tools.  Is there a way to get the Cyassl library to behave in the same way?


Re: [SOLVED] Equifax Certificate

I don't have a good answer without guessing.

Your curl is probably building against OpenSSL. The TLS spec says to have in the chain the certificate, and all signers, in order, up to the CA certificate which should be already loaded. (See RFC5246 §7.4.2.) wolfSSL copies the certificates into an array in order, and then processes the certificates starting with the last one back up to the peer's certificate. We try to process them all. It looks like they are ignoring the extra certificates.
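The error sequence reported in the two replies above (-368, then -188, then -151) can be reproduced with a small model of the checks they describe. This is an added example, not wolfSSL code: certificates are reduced to subject, issuer and expiry, signers are matched by name rather than by key identifier, a chain certificate without a signer is treated as fatal, and every date except the Jan 7, 2013 expiry is constructed. The trimmed two-certificate chain goes one step beyond the thread to show the chain layout RFC 5246 §7.4.2 expects.

```c
#include <stdio.h>
#include <string.h>

/* Error codes as quoted in the thread. */
#define ERR_MAX_CHAIN_DEPTH (-368) /* Maximum Chain Depth Exceeded */
#define ERR_NO_SIGNER       (-188) /* No Signer */
#define ERR_DATE_AFTER      (-151) /* ASN Date Error, Current Date After */

#define MAX_SIGNERS 32
#define VALID 20991231 /* constructed placeholder: "not expired" in this model */
#define TODAY 20150101 /* constructed evaluation date */

/* Shortened names for the two VeriSign issuers that recur in the chain. */
#define PCA3 "Class 3 Public Primary Certification Authority"
#define G5   "VeriSign Class 3 PPCA - G5"

typedef struct {
    const char *subject;
    const char *issuer;
    int not_after; /* YYYYMMDD */
} Cert;

/* The 12 certificates in the order the server sends them (names shortened). */
static const Cert server_chain[12] = {
    {"nucleus-connect.axeda.com", "GeoTrust SSL CA", VALID},
    {"VeriSign Class 3 Secure Server CA", PCA3, VALID},
    {"Axeda Systems CA", "Axeda Systems CA", 20130107}, /* expiry from the thread */
    {"VeriSign Class 3 International Server CA - G3", G5, VALID},
    {G5, G5, VALID},
    {G5, PCA3, VALID},
    {"VeriSign Class 3 Extended Validation SSL CA", G5, VALID},
    {G5, PCA3, VALID},
    {"VeriSign Class 3 Extended Validation SSL SGC CA", G5, VALID},
    {G5, PCA3, VALID},
    {"VeriSign Class 3 Secure Server CA", PCA3, VALID},
    {"GeoTrust SSL CA", "GeoTrust Global CA", VALID},
};

/* Only the peer certificate and its signer, in order. */
static const Cert trimmed_chain[2] = {
    {"nucleus-connect.axeda.com", "GeoTrust SSL CA", VALID},
    {"GeoTrust SSL CA", "GeoTrust Global CA", VALID},
};

static int is_known(const char *const *names, int n, const char *name)
{
    for (int i = 0; i < n; i++)
        if (strcmp(names[i], name) == 0)
            return 1;
    return 0;
}

/*
 * Model of the walk described in the replies: reject chains longer than
 * max_depth, then process from the last certificate back to the peer's.
 * Each certificate must be unexpired and have a signer among the loaded
 * anchors or the chain certificates already accepted.
 * Returns 0 or one of the ERR_* codes; *failed_at is the chain index
 * that failed, or -1 when no single certificate is at fault.
 */
int verify_chain(const Cert *chain, int count,
                 const char *const *anchors, int n_anchors,
                 int max_depth, int today, int *failed_at)
{
    const char *signers[MAX_SIGNERS];
    int n = 0;

    *failed_at = -1;
    if (count > max_depth)
        return ERR_MAX_CHAIN_DEPTH;
    for (int i = 0; i < n_anchors && n < MAX_SIGNERS; i++)
        signers[n++] = anchors[i];

    for (int i = count - 1; i >= 0; i--) {
        *failed_at = i;
        if (today > chain[i].not_after)
            return ERR_DATE_AFTER;      /* date is checked before the signer */
        if (!is_known(signers, n, chain[i].issuer))
            return ERR_NO_SIGNER;
        if (i > 0 && n < MAX_SIGNERS)   /* accepted chain CA can sign later certs */
            signers[n++] = chain[i].subject;
    }
    *failed_at = -1;
    return 0;
}

int main(void)
{
    const char *equifax[] = {"Equifax"};
    const char *geo[] = {"GeoTrust Global CA"};
    const char *both[] = {"GeoTrust Global CA", PCA3};
    int at;

    printf("depth 9,  Equifax anchor: %d\n",
           verify_chain(server_chain, 12, equifax, 1, 9, TODAY, &at));
    printf("depth 12, Equifax anchor: %d (cert %d)\n",
           verify_chain(server_chain, 12, equifax, 1, 12, TODAY, &at), at);
    printf("depth 12, GeoTrust only:  %d (cert %d)\n",
           verify_chain(server_chain, 12, geo, 1, 12, TODAY, &at), at);
    printf("depth 12, both anchors:   %d (cert %d)\n",
           verify_chain(server_chain, 12, both, 2, 12, TODAY, &at), at);
    printf("trimmed chain, depth 9:   %d\n",
           verify_chain(trimmed_chain, 2, geo, 1, 9, TODAY, &at));
    return 0;
}
```

The failing index in each case points at the certificate to fix on the server side: the trimmed chain verifies with the default depth and a single anchor.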

Re: [SOLVED] Equifax Certificate

Hey John,
     your advice on the axeda connection worked with changing the cert chain length and (after disabling the date verification), the connection was successful with the root certificates.
     I tested the library out on other websites (for understanding the process of the SSL socket setup better). I noticed that attempting to connect to google.com with the Equifax root certificate CA, the certificates seem to all be verified properly by the Cyassl library, but when the handshake finishes the client throws an error 326 "record layer version error". Is that something occurring with google.com specifically? Is that caused by some sort of #define settings being set improperly? Looking around, I ran into the same issue with yahoo.com (once I got all of the root certificates loaded), could it be a protocol issue with how sub-domains are being processed?

[TRACE] Created http client and http text
[TRACE] Loading certificates
[TRACE] Created http result
[TRACE] Testing HTTPS POST Request with Certificates
[INFO] Opened TCP Socket [www.google.com:443]
CyaSSL Entering CYASSL_CTX_new
CyaSSL Entering CyaSSL_CertManagerNew
CyaSSL Leaving CYASSL_CTX_new, return 0
CyaSSL Entering CyaSSL_CTX_load_verify_buffer
Processing CA PEM file
Adding a CA
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeBasicCaConstraint
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeAuthKeyId
CyaSSL Entering GetAlgoId
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
CyaSSL Leaving AddCA, return 0
   Processed a CA
Adding a CA
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeAuthKeyId
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeBasicCaConstraint
CyaSSL Entering DecodeKeyUsage
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeAuthInfo
Certificate Policy extension not supported yet.
CyaSSL Entering GetAlgoId
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
CyaSSL Leaving AddCA, return 0
   Processed a CA
Adding a CA
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeExtKeyUsage
CyaSSL Entering DecodeAltNames
CyaSSL Entering DecodeAuthInfo
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeBasicCaConstraint
CyaSSL Entering DecodeAuthKeyId
Certificate Policy extension not supported yet.
CyaSSL Entering DecodeCrlDist
CyaSSL Entering GetAlgoId
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
CyaSSL Leaving AddCA, return 0
   Processed a CA
Adding a CA
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeAuthKeyId
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeBasicCaConstraint
CyaSSL Entering DecodeKeyUsage
CyaSSL Entering DecodeCrlDist
Certificate Policy extension not supported yet.
CyaSSL Entering GetAlgoId
    Parsed new CA
    Already have this CA, not adding again
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
CyaSSL Leaving AddCA, return 0
   Processed a CA
Adding a CA
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeKeyUsage
CyaSSL Entering DecodeAuthKeyId
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeBasicCaConstraint
CyaSSL Entering GetAlgoId
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
CyaSSL Leaving AddCA, return 0
   Processed a CA
CyaSSL Entering CyaSSL_CTX_set_verify
CyaSSL Entering SSL_new
CyaSSL Leaving SSL_new, return 0
CyaSSL Entering SSL_connect()
growing output buffer

Shrinking output buffer

connect state: CLIENT_HELLO_SENT
growing input buffer

received record layer msg
CyaSSL Entering DoHandShakeMsg()
CyaSSL Entering DoHandShakeMsgType
processing server hello
CyaSSL Entering VerifyClientSuite
CyaSSL Leaving DoHandShakeMsgType(), return 0
CyaSSL Leaving DoHandShakeMsg(), return 0
growing input buffer

received record layer msg
CyaSSL Entering DoHandShakeMsg()
CyaSSL Entering DoHandShakeMsgType
processing certificate
Loading peer's cert chain
    Put another cert into chain
    Put another cert into chain
    Put another cert into chain
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeAuthKeyId
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeBasicCaConstraint
CyaSSL Entering DecodeKeyUsage
CyaSSL Entering DecodeCrlDist
Certificate Policy extension not supported yet.
CyaSSL Entering GetAlgoId
About to verify certificate signature
Issuer:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Subject:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
Verified CA from chain and already had it
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeAuthKeyId
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeBasicCaConstraint
CyaSSL Entering DecodeKeyUsage
CyaSSL Entering DecodeCrlDist
CyaSSL Entering DecodeAuthInfo
Certificate Policy extension not supported yet.
CyaSSL Entering GetAlgoId
About to verify certificate signature
Issuer:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
Subject:/C=US/O=Google Inc/CN=Google Internet Authority G2
Verified CA from chain and already had it
Verifying Peer's cert
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
Got Cert Header
CyaSSL Entering GetAlgoId
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
CyaSSL Entering GetAlgoId
Got Key
Parsed Past Key
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeExtKeyUsage
CyaSSL Entering DecodeAltNames
CyaSSL Entering DecodeAuthInfo
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeBasicCaConstraint
CyaSSL Entering DecodeAuthKeyId
Certificate Policy extension not supported yet.
CyaSSL Entering DecodeCrlDist
CyaSSL Entering GetAlgoId
About to verify certificate signature
Issuer:/C=US/O=Google Inc/CN=Google Internet Authority G2
Subject:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
Verified Peer's cert
CyaSSL Leaving DoHandShakeMsgType(), return 0
CyaSSL Leaving DoHandShakeMsg(), return 0
received record layer msg
CyaSSL Entering DoHandShakeMsg()
CyaSSL Entering DoHandShakeMsgType
processing server key exchange
CyaSSL Leaving DoHandShakeMsgType(), return 0
CyaSSL Leaving DoHandShakeMsg(), return 0
received record layer msg
CyaSSL Entering DoHandShakeMsg()
CyaSSL Entering DoHandShakeMsgType
processing server hello done
CyaSSL Leaving DoHandShakeMsgType(), return 0
CyaSSL Leaving DoHandShakeMsg(), return 0
connect state: HELLO_AGAIN
connect state: HELLO_AGAIN_REPLY
connect state: FIRST_REPLY_DONE
connect state: FIRST_REPLY_FIRST
growing output buffer

sent: client key exchange
connect state: FIRST_REPLY_SECOND
connect state: FIRST_REPLY_THIRD
growing output buffer

sent: change cipher spec
connect state: FIRST_REPLY_FOURTH
growing output buffer

Shrinking output buffer

sent: finished
connect state: FINISHED_DONE
SSL version error
CyaSSL error occured, error = -326
CyaSSL Entering SSL_get_error
CyaSSL Leaving SSL_get_error, return -326
CyaSSL Entering ERR_error_string
Error code [-326] is [record layer version error]
CyaSSL Entering SSL_free
CTX ref count not 0 yet, no free
Shrinking input buffer

CyaSSL Leaving SSL_free, return 0
CyaSSL Entering SSL_CTX_free
CTX ref count down to 0, doing full free
CyaSSL Entering CyaSSL_CertManagerFree
CyaSSL Leaving SSL_CTX_free, return 0
CyaSSL Entering CyaSSL_Cleanup

Re: [SOLVED] Equifax Certificate

Which "method" function are you using to make your CyaSSL_CTX object?

I can connect to Google with our example client using SSLv3 (0), TLSv1.0 (1), TLSv1.1 (2), and TLSv1.2 (3):

% ./examples/client/client -g -h www.google.com -p 443 -A equifax-for-google.pem -v 0
% ./examples/client/client -g -h www.google.com -p 443 -A equifax-for-google.pem -v 1
% ./examples/client/client -g -h www.google.com -p 443 -A equifax-for-google.pem -v 2
% ./examples/client/client -g -h www.google.com -p 443 -A equifax-for-google.pem -v 3

And I get the 404 response for each of those, decoded.

Could you capture the network traffic for the connection attempt using Wireshark?

Re: [SOLVED] Equifax Certificate

We have a switch statement to choose which method function based on user choice, but for testing purposes we are using:
SSLmethod = CyaTLSv1_2_client_method()

Wireshark would be hard to implement, as the connection is through a cellular modem attached to the NucleoF401RE board. (would need to proxy the connection through a server before connecting to google)

I can get logs of the data traffic being passed through the modem, but can't specifically use Wireshark (easily at least).

When I was debugging before, the versions for the handshake were consistent right up until the last handshake FINISHED_DONE case, where the version(s) flipped from major 3, minor 3 to major 10, minor 78.

Would raw data from the radio be useful? If so, I will pull it out of the connection attempt.
I can also insert print statements for various values that would be helpful in indicating the problem.

Re: [SOLVED] Equifax Certificate

When you got the 10/78, were you printing out the version numbers from inside the DoFinished() function or were you looking at them in the data stream?

Have you tried the connection using the example client from the command line?

11 (edited by Vanger 2015-01-30 14:00:03)

Re: [SOLVED] Equifax Certificate

I was printing the version values from within GetRecordHeader(), as that is the location where the record header check is occurring.
I found that for all of the handshake operations (first_message, first_message_reply, second_message_reply, etc.) the versions for the record layer headers would be set to 3,3 inside of the XMEMCPY() operation (at the beginning of the GetRecordHeader() function).
For the final handshake operation (FINISHED_DONE) the XMEMCPY() would write 10,78 as the values instead of 3,3.

I have not tried the example client from the command line, as I had to cut out those files in order to compile the library to mbed.org's online compiler.

I will proceed to run it and make sure that all of the files are working, but I don't see how the mbed code will be comparable with the linux build with only the source files being copied.

I will also attempt to get a log of printf statements on the record layer header data during the handshake exchange.

static int GetRecordHeader(CYASSL* ssl, const byte* input, word32* inOutIdx,
                           RecordLayerHeader* rh, word16 *size)
{
    if (!ssl->options.dtls) {
#ifdef HAVE_FUZZER
        if (ssl->fuzzerCb)
            ssl->fuzzerCb(ssl, input + *inOutIdx, RECORD_HEADER_SZ, FUZZ_HEAD,
                    ssl->fuzzerCtx);
#endif
        XMEMCPY(rh, input + *inOutIdx, RECORD_HEADER_SZ);
        *inOutIdx += RECORD_HEADER_SZ;
        ato16(rh->length, size);
    }
    else {
#ifdef CYASSL_DTLS
        /* type and version in same spot */
        XMEMCPY(rh, input + *inOutIdx, ENUM_LEN + VERSION_SZ);
        *inOutIdx += ENUM_LEN + VERSION_SZ;
        ato16(input + *inOutIdx, &ssl->keys.dtls_state.curEpoch);
        *inOutIdx += 4; /* advance past epoch, skip first 2 seq bytes for now */
        ato32(input + *inOutIdx, &ssl->keys.dtls_state.curSeq);
        *inOutIdx += 4;  /* advance past rest of seq */
        ato16(input + *inOutIdx, size);
        *inOutIdx += LENGTH_SZ;
#ifdef HAVE_FUZZER
        if (ssl->fuzzerCb)
            ssl->fuzzerCb(ssl, input + *inOutIdx - LENGTH_SZ - 8 - ENUM_LEN -
                           VERSION_SZ, ENUM_LEN + VERSION_SZ + 8 + LENGTH_SZ,
                           FUZZ_HEAD, ssl->fuzzerCtx);
#endif
#endif
    }
    printf("rh Major:%d, rh Minor:%d, client major:%d, client minor:%d\r\n",rh->pvMajor, rh->pvMinor, ssl->version.major, ssl->version.minor);
    /* catch version mismatch */
    if (rh->pvMajor != ssl->version.major || rh->pvMinor != ssl->version.minor){
        if (ssl->options.side == CYASSL_SERVER_END &&
            ssl->options.acceptState == ACCEPT_BEGIN)
            CYASSL_MSG("Client attempting to connect with different version");
        else if (ssl->options.side == CYASSL_CLIENT_END &&
                                 ssl->options.downgrade &&
                                 ssl->options.connectState < FIRST_REPLY_DONE)
            CYASSL_MSG("Server attempting to accept with different version");
        else {
            CYASSL_MSG("SSL version error");
            return VERSION_ERROR;              /* only use requested version */
        }
    }

Re: [SOLVED] Equifax Certificate

I have built the test client example on Linux and am able to get the 404 code from google.com when testing a GET request, but I am unable to get the client to load a certificate to use for verifying the google.com server.
I tried putting it in the <cyassl_roots>/certs/ folder, but it keeps giving me the error:
"yassl error: can't load ca file, Please run from CyaSSL home dir"

I am inside of the <cyassl_roots> folder when I run the client command, so am I placing the certificate in the wrong location?

Re: [SOLVED] Equifax Certificate

I figured out that I was using the wrong location for the certificate and that the test client ran perfectly on a Linux VM (got the 404 response HTTP code from google.com both with and without certificate verification using the appropriate certs).

I'm going to try to pull more debug values from the client at various points of interest in the code, but I'm not sure what to be looking for/at.

Is there any code difference between connecting to say google.com versus wikipedia.org?
The library works consistently on certain websites and doesn't work consistently on the google.com and yahoo.com domains.
I would expect the code operates the same way for the SSL code regardless of which website it connects to, which would beg the question of what is different about the named websites that would cause a handshake failure, whereas the other websites are connecting just fine.

Re: [SOLVED] Equifax Certificate

Pulling out the raw data values from the connection with google.com (using the mbed version of CyaSSL 3.3.0), I got the following read and write data calls to the radio:

=====
Sending to radio:
16 03 03 00 73 01 00 00 6F 03 03 9F 8A 7D DE AD 10 0C BC DB 10 A9 26 AC D4 1F 72 14 D3 92 88 74 72 DF F5 4C BD 72 04 81 B6 3E 15 00 00 38 C0 27 C0 23 C0 29 C0 25 C0 0A C0 05 C0 09 C0 04 C0 07 C0 02 C0 08 C0 03 C0 14 C0 0F C0 13 C0 0E C0 11 C0 0C C0 12 C0 0D 00 3D 00 3C 00 35 00 2F 00 05 00 04 00 0A 00 FD 01 00 00 0E 00 0D 00 0A 00 08 04 03 02 03 04 01 02 01
=====
=====
Reading from radio:

=====
=====
Reading from radio:

=====
=====
Reading from radio:

=====
=====
Reading from radio:
16 03 03 00 4A
=====
=====
Reading from radio:
02 00 00 46 03 03 54 CF A0 7E D6 86 A9 05 86 F5 09 97 82 7E E4 42 7D F6 63 EC 93 F9 D3 E9 8D 61 9F 22 D4 E2 68 5C 20 95 7B 1D 85 8E 9F 02 09 9B 75 FA F1 F0 CC 12 86 3C BE 74 9C CC 53 94 01 F1 A5 EC FD CF B4 B5 D9 C0 13 00
=====
=====
Reading from radio:
16 03 03 0B FF
=====
=====
Reading from radio:
16 03 03 01 4D
=====
=====
Reading from radio:
16 03 03 00 04
=====
=====
Reading from radio:
0E 00 00 00
=====
=====
Sending to radio:
16 03 03 00 46 10 00 00 42 41 04 2E 82 9E 87 6E C1 3A 13 0F 57 9D 06 0D 0B 13 29 A6 EB 5E A6 82 75 E9 8B 21 5A 42 28 6A 40 B1 4D 85 21 5F 45 90 90 D5 F5 42 2F DE B6 36 AE 28 BB 82 A3 6F 6D E5 49 DE 7C 19 60 1C C5 07 58 53 A3
=====
=====
Sending to radio:
14 03 03 00 01 01
=====
=====
Sending to radio:
16 03 03 00 40 C2 63 29 2E 60 0F D6 AE 41 E5 F5 CC 6B 6F 75 19 FD 71 96 0C 79 C6 E5 6C 4C BB 2F B3 05 49 87 EB C8 48 99 4F AF CB 4B B4 2D A1 6E 54 08 12 DB 27 DD 54 D8 E3 15 6E 37 1E F5 96 E9 C3 75 01 32 41
=====
=====
Reading from radio:
0D 0A 4E 4F 20
=====
Error code [-326] is [record layer version error]

Looking at just the raw data, it looks like the client initiates the connection with google with a record layer header of 16,03,03,00,73 and then waits for the response from the server.

The server responds with a record layer header of 16,03,03,00,4A followed by the data.

The server then sends another record layer header 16,03,03,0B,FF followed by the certificate for verifying google.

The server then sends another record layer message 16,03,03,01,4D (for another certificate in the chain?)

Etc, etc. The record layer headers are all fine up until the client sends a ClientKeyExchange message, after which the next record layer header received from the server is:  0D,0A,4E,4F,20  yikes

The client then runs through the "record layer version error" checking part of the code and exits.  sad

The options I can see that would cause this behavior would be:
A) The server is responding incorrectly (unlikely)
B) The server is encrypting the next record
C) The server is still sending data corresponding to the previous message sent
D) The read data is leftover from the buffer and wasn't cleared in some fashion

Option A is very unlikely as google.com works fine for other applications such as browsers and the like.
Option B is possible, but I don't know how one would check for that issue.
Option C might be possible, but unlikely as the client CyaSSL code works for other websites (axeda.com, twitter.com, wikipedia.org, httpbin.org).
Option D might be possible as well, which I will look into, but given the way the HTTPClient library for mbed works, I would expect it to be operating "ok" given the common IPStack interface for mbed applications.

Re: [SOLVED] Equifax Certificate

Vanger wrote:

I'm going to try to pull more debug values from the client at various points of interest in the code, but I'm not sure what to be looking for/at.

Is there any code difference between connecting to say google.com versus wikipedia.org?
The library works consistently on certain websites and doesn't work consistently on the google.com and yahoo.com domains.
I would expect the code operates the same way for the SSL code regardless of which website it connects to, which would beg the question of what is different about the named websites that would cause a handshake failure, whereas the other websites are connecting just fine.

There shouldn't be any differences between connecting to any site. Except for the CA certificate you are loading to verify the server's certificate. Google, Wikipedia, and Yahoo! are all using different certificate issuers. Google is signed by GeoTrust, Wikipedia is signed by GlobalSign, and Yahoo! is signed by VeriSign.

Since I'm on a Mac, I get those certificates out of my KeyChain application. I save them and then convert them to PEM format, and concatenate them into a single file. With the wolfSSL client, I use the -A option to load that file.

Vanger wrote:

The record layer headers are all fine up until the client sends a ClientKeyExchange message, after which the next record layer header received from the server is:  0D,0A,4E,4F,20

That's not a record layer header from the server. That's the string "<CR><LF>NO<SPACE>". Is that part of the over-the-air protocol you are tunneling the SSL through? Is the rest of the line "CARRIER" or something? Or maybe it is your option D.

As for option B, the server should be sending a clear "Change Cipher Spec" message, followed by an encrypted Finished handshake message. For all TLS records, the record header is in the clear.
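
The header check described in the reply above, as an added example that is not part of the original thread and is not CyaSSL/wolfSSL code: it classifies each 5-byte header the radio delivered and walks a received stream record by record, going slightly beyond the thread's case by also flagging a wrong version and an oversized length. All function names are hypothetical; the five headers are the ones in the dump above, and the "CARRIER\r\n" tail of the sample stream is constructed from the poster's description of the modem output.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: hypothetical helper names, not CyaSSL/wolfSSL API. */
#define REC_HDR_SZ  5
#define REC_MAX_LEN (16384 + 2048)  /* TLSCiphertext.length limit, RFC 5246 6.2.3 */

typedef enum {
    HDR_TLS_RECORD,   /* content type, version and length all plausible */
    HDR_BAD_VERSION,  /* TLS content type, but not the negotiated version */
    HDR_MODEM_TEXT,   /* five bytes of CR/LF/printable ASCII: modem output */
    HDR_GARBAGE       /* anything else */
} hdr_class;

/* The five headers read from the radio in the thread's dump, in order. */
static const uint8_t PAGE_HEADERS[5][REC_HDR_SZ] = {
    {0x16, 0x03, 0x03, 0x00, 0x4A}, {0x16, 0x03, 0x03, 0x0B, 0xFF},
    {0x16, 0x03, 0x03, 0x01, 0x4D}, {0x16, 0x03, 0x03, 0x00, 0x04},
    {0x0D, 0x0A, 0x4E, 0x4F, 0x20},
};

/* Constructed stream: the ServerHelloDone record from the dump followed by
 * the modem's "\r\nNO CARRIER\r\n" (only the first five bytes of that text
 * appear in the dump; the rest is assumed from the poster's description). */
static const uint8_t SAMPLE_STREAM[] = {
    0x16, 0x03, 0x03, 0x00, 0x04, 0x0E, 0x00, 0x00, 0x00,
    '\r', '\n', 'N', 'O', ' ', 'C', 'A', 'R', 'R', 'I', 'E', 'R', '\r', '\n'
};

static int is_modem_char(uint8_t c)
{
    return c == '\r' || c == '\n' || (c >= 0x20 && c <= 0x7E);
}

/* Classify one 5-byte header against the negotiated version. */
hdr_class classify_header(const uint8_t hdr[REC_HDR_SZ],
                          uint8_t major, uint8_t minor)
{
    size_t i;
    unsigned len = ((unsigned)hdr[3] << 8) | hdr[4];

    /* change_cipher_spec(20), alert(21), handshake(22), application_data(23);
     * none of these values is printable ASCII, CR or LF. */
    if (hdr[0] >= 20 && hdr[0] <= 23) {
        if (hdr[1] != major || hdr[2] != minor)
            return HDR_BAD_VERSION;
        return len <= REC_MAX_LEN ? HDR_TLS_RECORD : HDR_GARBAGE;
    }
    for (i = 0; i < REC_HDR_SZ; i++)
        if (!is_modem_char(hdr[i]))
            return HDR_GARBAGE;
    return HDR_MODEM_TEXT;
}

/* Walk buf record by record. Returns the class of the first header that is
 * not a TLS record (HDR_TLS_RECORD if none), its offset in *off, and the
 * number of complete records before it in *records. */
hdr_class scan_stream(const uint8_t *buf, size_t len, uint8_t major,
                      uint8_t minor, size_t *off, size_t *records)
{
    size_t pos = 0;

    *records = 0;
    while (len - pos >= REC_HDR_SZ) {
        hdr_class c = classify_header(buf + pos, major, minor);
        size_t body = ((size_t)buf[pos + 3] << 8) | buf[pos + 4];

        if (c != HDR_TLS_RECORD) { *off = pos; return c; }
        if (len - pos - REC_HDR_SZ < body)
            break;                      /* record not fully received yet */
        pos += REC_HDR_SZ + body;
        (*records)++;
    }
    *off = pos;
    return HDR_TLS_RECORD;
}

/* Copy the printable part of the modem text at off into out (for logging). */
size_t modem_text(const uint8_t *buf, size_t len, size_t off,
                  char *out, size_t outsz)
{
    size_t n = 0;

    if (outsz == 0) return 0;
    for (; off < len && n + 1 < outsz; off++)
        if (buf[off] >= 0x20 && buf[off] <= 0x7E)
            out[n++] = (char)buf[off];
    out[n] = '\0';
    return n;
}

int main(void)
{
    static const char *names[] = {"TLS record", "bad version",
                                  "modem text", "garbage"};
    size_t i, off, recs;
    char text[32];

    for (i = 0; i < 5; i++)   /* the last header decodes as major 10, minor 78 */
        printf("header %u: major %u minor %u -> %s\n", (unsigned)i,
               PAGE_HEADERS[i][1], PAGE_HEADERS[i][2],
               names[classify_header(PAGE_HEADERS[i], 3, 3)]);
    if (scan_stream(SAMPLE_STREAM, sizeof SAMPLE_STREAM, 3, 3, &off, &recs)
            == HDR_MODEM_TEXT) {
        modem_text(SAMPLE_STREAM, sizeof SAMPLE_STREAM, off, text, sizeof text);
        printf("%u record(s), then modem text at offset %u: \"%s\" (%u chars)\n",
               (unsigned)recs, (unsigned)off, text, (unsigned)strlen(text));
    }
    return 0;
}
```

The check is only meaningful at record boundaries, so it belongs in the transport layer that hands whole reads to the TLS library, where a modem result code can be reported as a dropped connection instead of surfacing as error -326.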

Re: [SOLVED] Equifax Certificate

I've been getting the correct certificates for the most part (sometimes the chain is a little confusing).
And thanks for the clarification on the Record Layer Header implementation. Going on the assumption that it is correct saves a lot of time trying to debug the porting to mbed.

Yes, our radio sends back "NO CARRIER\r\n" in response to the TCP connection being disconnected by the radio.
I will look into that and see what's up with the radio disconnecting/leaving data in the buffer which would cause the cyassl library to read it as records.

Re: [SOLVED] Equifax Certificate

Checking our code, we are clearing the read buffer each time it finishes reading the data from the radio. So, it's unlikely it is leftover from something else.
The radio is supposed to be printing a debug statement if it finds the "NO CARRIER\r\n" message indicating the radio closed the connection as well.

It could be the radio is sending unsolicited codes causing the issue, so I will check that and get back to you.

Re: [SOLVED] Equifax Certificate

Modifying the timeout values on the radio causes it to encounter the same record layer error, but earlier in the handshake protocol, which would indicate that the record layer header issue is caused by the radio sending NO CARRIER. It is not getting picked up by the radio code to notify the program that the connection has been closed.

I will debug the buffer to see if there is unread data that would be the rest of the URC from the radio.

Do you know what the times between CyaSSL handshake messages are?
At this point, it seems like the issue is caused by a timeout either server-side or radio-side.

It seems like the library shouldn't be causing timeout issues with it being less than a second or two to run various code segments between outputting data to the server?

Re: [SOLVED] Equifax Certificate

Is it possible that the google.com server is requesting a certificate to distinguish between clients that connect to it? And disconnecting when it doesn't get it?

Is there a way to tell the library to use a timeout on connections for trying to read the next record from the server? If so, where/how is it set?

Re: [SOLVED] Equifax Certificate

Alright, I think I found the main issue going on. The debug prints were too slow, causing the remote host to time out during the handshake. This in turn caused our modem to print messages to the data port which interfered with CyaSSL's handshake.
Thanks so much for all of your help with debugging the implementation of the library and the certificates John!

Re: [SOLVED] Equifax Certificate

You're welcome.

To answer your questions:

Vanger wrote:

Do you know what the times between CyaSSL handshake messages are?
At this point, it seems like the issue is caused by a timeout either server-side or radio-side.
It seems like the library shouldn't be causing timeout issues with it being less than a second or two to run various code segments between outputting data to the server?

It all depends on how fast your hardware is and what cipher suites you are using. The public key cryptography is slow. On a desktop PC you'd probably never see any kind of delay, but on an embedded device the RSA operation could take hundreds of milliseconds. The point in the handshake where your device was timing out was after the public key operations. I don't think Google is timing out; I added in a 3 second delay right before my client sends its Change Cipher Spec message and Google still finished the handshake.

There isn't a timeout on the handshake. If the socket closes then we'll get an error from the recv() and tear down the session.

Vanger wrote:

Is it possible that the google.com server is requesting a certificate to distinguish between clients that connect to it?

Public web servers are commonly configured to use anonymous clients without their own certificates. The server would send a Certificate Request handshake message to the client in the non-anonymous case, and from your logs there wasn't any evidence of Google doing that.

Vanger wrote:

Is there a way to tell the library to use a timeout on connections for trying to read the next record from the server? If so, where/how is it set?

This would be accomplished by setting a timeout on the socket, or using non-blocking sockets and calling select() on the socket. Or using custom I/O routines with CyaSSL (wolfSSL).
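
The select() approach from the reply above, as an added example that is not part of the original post or of the CyaSSL/wolfSSL code: a bounded read that tells a stalled peer apart from a closed connection, which is the distinction the handshake in this thread was missing. It assumes POSIX sockets; `recv_with_timeout`, the `IO_*` codes and `demo_case` are hypothetical names, and the three bytes sent in the demo are constructed sample input.

```c
#include <errno.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical status codes for this example (not the library's own names). */
enum { IO_TIMEOUT = -1, IO_CLOSED = -2, IO_ERROR = -3 };

/* Wait up to timeout_ms for data on fd, then read at most sz bytes.
 * Returns the number of bytes read, or one of the IO_* codes above. */
int recv_with_timeout(int fd, char *buf, int sz, int timeout_ms)
{
    fd_set rfds;
    struct timeval tv;
    int rc;

    do {                                  /* retry if a signal interrupts select() */
        FD_ZERO(&rfds);
        FD_SET(fd, &rfds);
        tv.tv_sec  = timeout_ms / 1000;
        tv.tv_usec = (timeout_ms % 1000) * 1000;
        rc = select(fd + 1, &rfds, NULL, NULL, &tv);
    } while (rc < 0 && errno == EINTR);

    if (rc == 0) return IO_TIMEOUT;       /* nothing arrived in time */
    if (rc < 0)  return IO_ERROR;

    rc = (int)recv(fd, buf, (size_t)sz, 0);
    if (rc == 0) return IO_CLOSED;        /* orderly close by the peer */
    if (rc < 0)  return IO_ERROR;
    return rc;
}

/* Constructed demo over a local socketpair:
 * which = 0: peer stays silent, 1: peer sends 3 bytes, 2: peer closes. */
int demo_case(int which)
{
    int sv[2], rc;
    char buf[16];

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return IO_ERROR;
    if (which == 1) send(sv[1], "\x16\x03\x03", 3, 0);
    if (which == 2) close(sv[1]);
    rc = recv_with_timeout(sv[0], buf, (int)sizeof buf, 200);
    close(sv[0]);
    if (which != 2) close(sv[1]);
    return rc;
}
```

Reporting a timeout separately from a close lets the caller abort a stalled handshake instead of blocking in the read indefinitely.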

Re: [SOLVED] Equifax Certificate

Yes, you are right. When I said "remote host" I merely meant that the socket connection through the modem was being disconnected from timing out.
Good to know that the handshake code is time-independent on wolfSSL's side. :)
You're right, there wasn't a cert. request from the server.
Ok, so using a socket timeout on the hardware-side is alright then.
