Topic: Looking for OpenSSL alternative

When writing test drivers for security-related middleware, OpenSSL is a real pain because of its insufficient and sometimes misleading error messages. E.g. "SSL3_READ_BYTES:sslv3 alert bad certificate" gives no clue whether the certificate is expired, path validation failed or a certificate is corrupt. Other software packages that are based on OpenSSL sometimes blame OpenSSL for poor error reporting.

Is yaSSL an alternative with better error reporting? Would error reporting be better if using the compatibility layer?

- Rainer


Re: Looking for OpenSSL alternative

Hi Rainer,

Thanks for taking a look at CyaSSL.  We have tried to make our error codes user friendly.  Typically many of the CyaSSL API functions will return SSL_SUCCESS or SSL_FAILURE, where subsequently the application can call CyaSSL_get_error(...) to retrieve the more specific error code.  Our documentation covers more details about error codes in Chapter 8 ( … gging.html).

In the case of certificate verification, CyaSSL handles all verification internally and will give a -155, ASN_SIG_CONFIRM_E (ASN sig error) if verification of a peer certificate fails.  Optionally CyaSSL allows the application to register its own verify callback which will be called when verification fails.  This callback will be presented a more detailed error code related to the failure reason (dates, signer, etc.).

Our OpenSSL compatibility layer maps roughly 300 of OpenSSL's most commonly used functions to the native CyaSSL API.  It was designed to make porting applications over from OpenSSL easier.  As OpenSSL has over 4,000 functions, it's only a subset and is continually growing as we do more ports into existing applications.  We encourage users to use the native CyaSSL API if possible, as footprint size is increased when enabling the compatibility layer.  I believe that error codes will be the same in either case.

Best Regards,

Re: Looking for OpenSSL alternative


wolfSSL has support for all the notes from @rhoerbe and more:

    ASN_PARSE_E        = -140,  /* ASN parsing error, invalid input */
    ASN_VERSION_E      = -141,  /* ASN version error, invalid number */
    ASN_GETINT_E       = -142,  /* ASN get big int error, invalid data */
    ASN_RSA_KEY_E      = -143,  /* ASN key init error, invalid input */
    ASN_OBJECT_ID_E    = -144,  /* ASN object id error, invalid id */
    ASN_TAG_NULL_E     = -145,  /* ASN tag error, not null */
    ASN_EXPECT_0_E     = -146,  /* ASN expect error, not zero */
    ASN_BITSTR_E       = -147,  /* ASN bit string error, wrong id */
    ASN_UNKNOWN_OID_E  = -148,  /* ASN oid error, unknown sum id */
    ASN_DATE_SZ_E      = -149,  /* ASN date error, bad size */
    ASN_BEFORE_DATE_E  = -150,  /* ASN date error, current date before */
    ASN_AFTER_DATE_E   = -151,  /* ASN date error, current date after */
    ASN_SIG_OID_E      = -152,  /* ASN signature error, mismatched oid */
    ASN_TIME_E         = -153,  /* ASN time error, unknown time type */
    ASN_INPUT_E        = -154,  /* ASN input error, not enough data */
    ASN_SIG_CONFIRM_E  = -155,  /* ASN sig error, confirm failure */
    ASN_SIG_HASH_E     = -156,  /* ASN sig error, unsupported hash type */
    ASN_SIG_KEY_E      = -157,  /* ASN sig error, unsupported key type */
    ASN_DH_KEY_E       = -158,  /* ASN key init error, invalid input */
    ASN_NTRU_KEY_E     = -159,  /* ASN ntru key decode error, invalid input */
    ASN_CRIT_EXT_E     = -160,  /* ASN unsupported critical extension */
    ASN_ALT_NAME_E     = -161,  /* ASN alternate name error */
    ASN_NO_PEM_HEADER  = -162,  /* ASN no PEM header found */

To view other ASN error types see our error header here: … or-crypt.h
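The block below is an added example, not code from this thread and not part of wolfSSL or CyaSSL. It ties the two replies together: the verify-callback mechanism described in the CyaSSL answer, and the ASN error codes listed in the last post. It shows what a test driver's callback can do with a bare number such as -155 or -151: classify it into the failure Rainer was asking about (expired, not yet valid, signature failure, corrupt input, unsupported feature) and record that reason together with the depth of the certificate that failed. Only the numeric enum values are copied from the post above. Everything else is this example's own and is an assumption: verify_ctx_stub stands in for the library's store context (the real callback, to my knowledge, receives the preverify result and a store context carrying the error code and error depth, and is registered with the library's CTX_set_verify call); that registration is deliberately left out so the block compiles and runs without the library installed. The failure classes, their names, classify_asn_error, failure_name, test_driver_verify_cb and last_verify_report are all hypothetical names for this example.

```c
/* Added example (not from the thread or the wolfSSL/CyaSSL sources):
 * what a test-driver verify callback can do with the ASN codes above.
 * Numeric values copied from the post; everything else is assumed. */
#include <stdio.h>
#include <string.h>

enum asn_error {
    ASN_PARSE_E       = -140, ASN_VERSION_E     = -141, ASN_GETINT_E      = -142,
    ASN_RSA_KEY_E     = -143, ASN_OBJECT_ID_E   = -144, ASN_TAG_NULL_E    = -145,
    ASN_EXPECT_0_E    = -146, ASN_BITSTR_E      = -147, ASN_UNKNOWN_OID_E = -148,
    ASN_DATE_SZ_E     = -149, ASN_BEFORE_DATE_E = -150, ASN_AFTER_DATE_E  = -151,
    ASN_SIG_OID_E     = -152, ASN_TIME_E        = -153, ASN_INPUT_E       = -154,
    ASN_SIG_CONFIRM_E = -155, ASN_SIG_HASH_E    = -156, ASN_SIG_KEY_E     = -157,
    ASN_DH_KEY_E      = -158, ASN_NTRU_KEY_E    = -159, ASN_CRIT_EXT_E    = -160,
    ASN_ALT_NAME_E    = -161, ASN_NO_PEM_HEADER = -162
};

/* Failure classes a test driver wants to tell apart (this example's own). */
typedef enum {
    VERIFY_OK = 0,
    FAIL_NOT_YET_VALID,   /* ASN_BEFORE_DATE_E: now is before notBefore */
    FAIL_EXPIRED,         /* ASN_AFTER_DATE_E:  now is after notAfter */
    FAIL_SIGNATURE,       /* signature did not verify, or wrong sig OID */
    FAIL_UNSUPPORTED,     /* hash/key type, NTRU key, critical extension */
    FAIL_NAME,            /* subject alternative name problem */
    FAIL_CORRUPT,         /* any other ASN.1 decode problem: bad input */
    FAIL_OTHER            /* not an ASN code at all */
} verify_failure;

static const char *const failure_text[] = {
    "verified", "not yet valid", "expired", "signature check failed",
    "unsupported algorithm, key or extension", "bad alternative name",
    "corrupt or truncated certificate", "non-ASN error"
};

verify_failure classify_asn_error(int code)
{
    switch (code) {
    case 0:                 return VERIFY_OK;
    case ASN_BEFORE_DATE_E: return FAIL_NOT_YET_VALID;
    case ASN_AFTER_DATE_E:  return FAIL_EXPIRED;
    case ASN_SIG_CONFIRM_E:
    case ASN_SIG_OID_E:     return FAIL_SIGNATURE;
    case ASN_SIG_HASH_E:
    case ASN_SIG_KEY_E:
    case ASN_NTRU_KEY_E:
    case ASN_CRIT_EXT_E:    return FAIL_UNSUPPORTED;
    case ASN_ALT_NAME_E:    return FAIL_NAME;
    default:
        /* every remaining code in the ASN block is a decode/input error */
        if (code >= ASN_NO_PEM_HEADER && code <= ASN_PARSE_E)
            return FAIL_CORRUPT;
        return FAIL_OTHER;
    }
}

const char *failure_name(verify_failure f)
{
    return failure_text[f];
}

/* Stand-in (assumption) for the library's store context; the real callback
 * reads the error code and the depth of the failing certificate from it. */
typedef struct {
    int error;        /* 0 on success, otherwise a library error code */
    int error_depth;  /* 0 = leaf certificate, 1 = its issuer, ... */
} verify_ctx_stub;

static char last_report[128];

/* Same shape as the library callback: (preverify_ok, store) -> accept?
 * It records why depth N failed and returns preverify unchanged. Returning 1
 * on failure would make the handshake trust an unverified peer, so a test
 * driver must only do that inside a deliberate negative test. */
int test_driver_verify_cb(int preverify, verify_ctx_stub *store)
{
    if (preverify) {
        snprintf(last_report, sizeof last_report,
                 "depth %d: verified", store->error_depth);
    } else {
        snprintf(last_report, sizeof last_report, "depth %d: %s (code %d)",
                 store->error_depth,
                 failure_name(classify_asn_error(store->error)), store->error);
    }
    return preverify;
}

const char *last_verify_report(void) { return last_report; }

int main(void)
{
    /* constructed inputs: an expired leaf and an issuer with a bad signature */
    verify_ctx_stub expired = { ASN_AFTER_DATE_E, 0 };
    verify_ctx_stub badsig  = { ASN_SIG_CONFIRM_E, 1 };
    test_driver_verify_cb(0, &expired); puts(last_report);
    test_driver_verify_cb(0, &badsig);  puts(last_report);
    return 0;
}
```

The classification deliberately keeps the two date errors apart from the signature errors, since that is exactly the distinction the OpenSSL alert in the first post hides. Note that because the callback returns the preverify result untouched, a failed chain still fails the handshake; the gain is only in what the driver logs.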