1 Topic by ulysses (edited by ulysses 2020-01-03 08:12:40)

  • From: Pocos de Caldas - MG - Brazil
  • Registered: 2019-12-30
  • Posts: 12

Topic: WolfSSL and FreeRTOS+TCP LPC1788 MCUXpresso

Hi,

I'm trying work with Wolfssl using FreeRTOS+TCP. My lib FreeRTOS+TCP is working well.
What i done:

I startup the wolfssl using a constant with the certificate.

    wolfSSL_Init();
    /* Attempt to create a context that uses the TLS 1.2 server protocol. */
    xWolfSSL_ClientContext = wolfSSL_CTX_new( wolfTLSv1_2_client_method() );
    configASSERT( xWolfSSL_ClientContext );

    /* Load the CA certificate. */
    lReturned = wolfSSL_CTX_load_verify_buffer(xWolfSSL_ClientContext, my_cert, sizeof(ca_cert_perm), SSL_FILETYPE_PEM);
    configASSERT( lReturned == SSL_SUCCESS );

    wolfSSL_SetIOSend(xWolfSSL_ClientContext, cbk_send);
    wolfSSL_SetIORecv(xWolfSSL_ClientContext, cbk_recv);

The certificate:

const unsigned char my_cert[] = {
        "-----BEGIN CERTIFICATE-----\n"
        "MIIESTCCAzGgAwIBAgITBn+UV4WH6Kx33rJTMlu8mYtWDTANBgkqhkiG9w0BAQsF\n"
        "ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6\n"
        "b24gUm9vdCBDQSAxMB4XDTE1MTAyMjAwMDAwMFoXDTI1MTAxOTAwMDAwMFowRjEL\n"
        "MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEVMBMGA1UECxMMU2VydmVyIENB\n"
        "IDFCMQ8wDQYDVQQDEwZBbWF6b24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\n"
        "AoIBAQDCThZn3c68asg3Wuw6MLAd5tES6BIoSMzoKcG5blPVo+sDORrMd4f2AbnZ\n"
        "cMzPa43j4wNxhplty6aUKk4T1qe9BOwKFjwK6zmxxLVYo7bHViXsPlJ6qOMpFge5\n"
        "blDP+18x+B26A0piiQOuPkfyDyeR4xQghfj66Yo19V+emU3nazfvpFA+ROz6WoVm\n"
        "B5x+F2pV8xeKNR7u6azDdU5YVX1TawprmxRC1+WsAYmz6qP+z8ArDITC2FMVy2fw\n"
        "0IjKOtEXc/VfmtTFch5+AfGYMGMqqvJ6LcXiAhqG5TI+Dr0RtM88k+8XUBCeQ8IG\n"
        "KuANaL7TiItKZYxK1MMuTJtV9IblAgMBAAGjggE7MIIBNzASBgNVHRMBAf8ECDAG\n"
        "AQH/AgEAMA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUWaRmBlKge5WSPKOUByeW\n"
        "dFv5PdAwHwYDVR0jBBgwFoAUhBjMhTTsvAyUlC4IWZzHshBOCggwewYIKwYBBQUH\n"
        "AQEEbzBtMC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5yb290Y2ExLmFtYXpvbnRy\n"
        "dXN0LmNvbTA6BggrBgEFBQcwAoYuaHR0cDovL2NydC5yb290Y2ExLmFtYXpvbnRy\n"
        "dXN0LmNvbS9yb290Y2ExLmNlcjA/BgNVHR8EODA2MDSgMqAwhi5odHRwOi8vY3Js\n"
        "LnJvb3RjYTEuYW1hem9udHJ1c3QuY29tL3Jvb3RjYTEuY3JsMBMGA1UdIAQMMAow\n"
        "CAYGZ4EMAQIBMA0GCSqGSIb3DQEBCwUAA4IBAQCFkr41u3nPo4FCHOTjY3NTOVI1\n"
        "59Gt/a6ZiqyJEi+752+a1U5y6iAwYfmXss2lJwJFqMp2PphKg5625kXg8kP2CN5t\n"
        "6G7bMQcT8C8xDZNtYTd7WPD8UZiRKAJPBXa30/AbwuZe0GaFEQ8ugcYQgSn+IGBI\n"
        "8/LwhBNTZTUVEWuCUUBVV18YtbAiPq3yXqMB48Oz+ctBWuZSkbvkNodPLamkB2g1\n"
        "upRyzQ7qDn1X8nn8N8V7YJ6y68AtkHcNSRAnpTitxBKjtKPISLMVCx7i4hncxHZS\n"
        "yLyKQXhw2W2Xs0qLeC1etA+jTGDK4UfLeC0SF7FSi8o5LL21L8IzApar2pR/\n"
        "-----END CERTIFICATE-----\n"
};

And after this i try send a message to server:

    /* Set family and port for client socket. */
    xConnection.sin_family = FREERTOS_AF_INET;
    xConnection.sin_addr = FreeRTOS_gethostbyname("api.tago.io");
    xConnection.sin_port = FreeRTOS_htons( 80 );

    if(xConnection.sin_addr == 0){
        ret = 1;
        return ret;
    }
    xClientSocket = FreeRTOS_socket(FREERTOS_AF_INET, FREERTOS_SOCK_STREAM, FREERTOS_IPPROTO_TCP);
    configASSERT( xClientSocket != FREERTOS_INVALID_SOCKET );
    DEBUGOUT("FreeRTOS_connect \n");
    ret = FreeRTOS_connect( xClientSocket, &xConnection, sizeof( xConnection ) );

    if(ret == 0){
        DEBUGOUT("wolfSSL_new \n");
        /* The connect was successful.  Create a wolfSSL object to associate
                    with this connection. */
        xWolfSSL_Object = wolfSSL_new( xWolfSSL_ClientContext );

        if( xWolfSSL_Object != NULL ){
            DEBUGOUT("wolfSSL_set_fd \n");
            /* Associate the created wolfSSL object with the connected
                        socket. */
            ret = wolfSSL_set_fd( xWolfSSL_Object, xClientSocket );
            ret = wolfSSL_connect(xWolfSSL_Object);
            configASSERT( ret == SSL_SUCCESS );

            xTotalLengthToSend = strlen((char*)sendBuf);
            xAlreadyTransmitted = 0;

            DEBUGOUT("SENDING... \n");
            while( xAlreadyTransmitted < xTotalLengthToSend ){

                /* How many bytes are left to send? */
                xLenToSend = xTotalLengthToSend - xAlreadyTransmitted;

                /* The next line is the secure equivalent of the standard
                                            sockets call:
                                            lReturned = send( xClientSocket, cString, strlen( cString ) + 1, 0 ); */
                xBytesSent = wolfSSL_write( xWolfSSL_Object,
                        /* The data being sent. */
                        (char*) &(sendBuf[ xAlreadyTransmitted ]),
                        /* The remaining length of data to send. */
                        xLenToSend);

                DEBUGOUT("\nsend: %d\n",xBytesSent);
                if( xBytesSent >= 0 ){
                    /* Data was sent successfully. */
                    xAlreadyTransmitted += xBytesSent;
                }
                else{
                    /* Error – break out of the loop for graceful socket close. */
                    ret = 3;
                    break;
                }
            }

            DEBUGOUT("RECEIVING... \n");
            for( ;; ){
                /* Receive another block of data into the cRxedData buffer. */
                /*xReceLen = FreeRTOS_recv( xSocketSend, recBuf, sizeof(recBuf), 0 );*/
                xRecLen = wolfSSL_read(xWolfSSL_Object, recBuf, sizeof(recBuf));

                if( xRecLen > 0 )
                {
                    /* Data was received, process it here. */
                    for(i=0; i<xRecLen; i++){
                        receive[xSizeReceive+i] = recBuf[i];
                    }
                    DEBUGOUT("->: %d\n",xRecLen);
                    xSizeReceive += xRecLen;
                }
                else if( xRecLen == 0 )
                {
                    /* No data was received, but FreeRTOS_recv() did not return an error.
                                    Timeout? */
                    DEBUGOUT("Timeout\n");
                }
                else
                {
                    DEBUGOUT("Shutdown\n");
                    /* Error (maybe the connected socket already shut down the socket?).
                                    Attempt graceful shutdown. */
                    /*FreeRTOS_shutdown( xSocketSend, FREERTOS_SHUT_RDWR );*/
                    wolfSSL_shutdown(xWolfSSL_Object);
                    break;
                }
            }
            wolfSSL_free( xWolfSSL_Object );
        }
        DEBUGOUT("FreeRTOS_closesocket \n");
        FreeRTOS_closesocket( xClientSocket );
    }

I enabled the debug messages on WolfSSL and when i try send my message i receive a error of version SSL:

connect state: CLIENT_HELLO_SENT
SSL version error
84 84 3 3
->../WolfSSL/src/ssl.c-5214 - error:-326

where the values '84' are about ssl->curRL.pvMajor and rh->pvMinor, and the values '3' are about ssl->version.major and ssl->version.minor on GetRecordHeader function in internal.c file.

I'm sending my user_settings.h.
If anyone can help me.

Post's attachments

user_settings.h 2 kb, 1 downloads since 2020-01-03 

You don't have the permssions to download the attachments of this post.

Share

  • From: Bozeman
  • Registered: 2014-05-09
  • Posts: 777

Re: WolfSSL and FreeRTOS+TCP LPC1788 MCUXpresso

Hi @ulysses,

I noticed you are connecting on port 80 (unsecured http). Could you try switching to port 443 (secure https) and let me know if that resolves the issue?

    xConnection.sin_addr = FreeRTOS_gethostbyname("api.tago.io");
    xConnection.sin_port = FreeRTOS_htons( 80 ); // Change to port 443 and let us know if that helps!

Warmest Regards,

K

Kaleb J. Himes's Website

Share

  • From: Pocos de Caldas - MG - Brazil
  • Registered: 2019-12-30
  • Posts: 12

Re: WolfSSL and FreeRTOS+TCP LPC1788 MCUXpresso

Hi @Kaleb J. Himes,

Thanks for your reply.
This works, but now the wolfssl is returning the error code -155 ASN_SIG_CONFIRM_E, returning -1 when try send anything.

Share

  • From: Bozeman
  • Registered: 2014-05-09
  • Posts: 777

Re: WolfSSL and FreeRTOS+TCP LPC1788 MCUXpresso

@Ulysses,

The -155 no signer error indicates you have the wrong certificate loaded in as the root CA for that server. I just decoded the PEM buffer you are loading and the beginning contents is:

  1 Certificate:
  2     Data:
  3         Version: 3 (0x2)
  4         Serial Number:
  5             06:7f:94:57:85:87:e8:ac:77:de:b2:53:32:5b:bc:99:8b:56:0d
  6         Signature Algorithm: sha256WithRSAEncryption
  7         Issuer: C = US, O = Amazon, CN = Amazon Root CA 1
  8         Validity
  9             Not Before: Oct 22 00:00:00 2015 GMT
 10             Not After : Oct 19 00:00:00 2025 GMT
 11         Subject: C = US, O = Amazon, OU = Server CA 1B, CN = Amazon

We can clearly see this is not a Root CA. This is an intermediate CA or a leaf cert because the subject and issuer lines do not match. You need the trusted root cert that signed the chain for this cert. Load the trusted root with wolfSSL_CTX_load_verify_locations and you should be all set!

Warm Regards,

K

Kaleb J. Himes's Website

Share

  • From: Pocos de Caldas - MG - Brazil
  • Registered: 2019-12-30
  • Posts: 12

Re: WolfSSL and FreeRTOS+TCP LPC1788 MCUXpresso

Hi,

How can i get this type of certificate?
I got another certificate, accessing the web browser and exporting the certificate to a file .cer.

-----BEGIN CERTIFICATE-----
MIIFZTCCBE2gAwIBAgIQBpMMhRTct5qxLIvM9lBD6TANBgkqhkiG9w0BAQsFADBG
MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRUwEwYDVQQLEwxTZXJ2ZXIg
Q0EgMUIxDzANBgNVBAMTBkFtYXpvbjAeFw0xOTA1MTYwMDAwMDBaFw0yMDA2MTYx
MjAwMDBaMBQxEjAQBgNVBAMMCSoudGFnby5pbzCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBALIuoSbd3qk1Ou/2EbyX3mbLjRwmHU1Lius6FLpovOoPjE6y
/BFuNN6TZSVJvcgSPrAguSbXsaRjdKdaDZY5pgz43IcJ6TCBsFFs8nNuMSSeokcx
4plmNW07B9uTpQJexlaHHt6oD3HDvISoU8D/Uy7BbeVoC+WPJYjJ+5YWhyamfgr0
pLCDHE+QzNasg/9XU15jFQ8PtBkMtwjmVHmvgaBDpgW03x+yRdSn0c1uzb64sYSj
5HZN4pfHKXPd09qx2PHk/blIKSXEFwDsY5YPqvkmzff723VO7iXe0mxHHrCKaoAI
q/1ZIfLo22Pf/OLgHcp6czUlkroEIzVxvJ0mVn8CAwEAAaOCAn8wggJ7MB8GA1Ud
IwQYMBaAFFmkZgZSoHuVkjyjlAcnlnRb+T3QMB0GA1UdDgQWBBTOgMFbzVuiJ4Wg
+o6Q71GkJw/k6jAdBgNVHREEFjAUggkqLnRhZ28uaW+CB3RhZ28uaW8wDgYDVR0P
AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjA7BgNVHR8E
NDAyMDCgLqAshipodHRwOi8vY3JsLnNjYTFiLmFtYXpvbnRydXN0LmNvbS9zY2Ex
Yi5jcmwwIAYDVR0gBBkwFzALBglghkgBhv1sAQIwCAYGZ4EMAQIBMHUGCCsGAQUF
BwEBBGkwZzAtBggrBgEFBQcwAYYhaHR0cDovL29jc3Auc2NhMWIuYW1hem9udHJ1
c3QuY29tMDYGCCsGAQUFBzAChipodHRwOi8vY3J0LnNjYTFiLmFtYXpvbnRydXN0
LmNvbS9zY2ExYi5jcnQwDAYDVR0TAQH/BAIwADCCAQUGCisGAQQB1nkCBAIEgfYE
gfMA8QB3AO5Lvbd1zmC64UJpH6vhnmajD35fsHLYgwDEe4l6qP3LAAABasDRztQA
AAQDAEgwRgIhANhAWrP/0e4e6wIl2615Dsd7V+9b/k0wHiwfxeKoxS3KAiEA98KJ
EG0mMyY1uNMPgg+970pBeqJq/r93BsjrJqCgCRgAdgCHdb/nWXz4jEOZX73zbv9W
jUdWNv9KtWDBtOr/XqCDDwAAAWrA0c/uAAAEAwBHMEUCIQDn/jawdzvQjlXNtV8Z
xaM21DQ5aP4oi1ZtPSUIh1JjkwIgSlQbKbn3CHw+c28KdzZqclnrJvZpwjwM7/qA
0YrWt5gwDQYJKoZIhvcNAQELBQADggEBAIAVBpFcBdPGHv+AICoRMTu1GBd1WaHR
pMOwRFErTkxP5jOqpVp8xVfxuefppradf9sisjGspdMGOi2eocjDustxvgXazSXl
S1EJKZPV3RlQ+I0noh16edpLTNZchUxg+0yMnYvzQwnJjZs8vMCrTOaNrKTQYEMY
tUwbu2wVqBeIjETQxQSgCWgA3zwsASs+YWWD+JQ4dEIIhNr0zgXD0G0OElld31T4
LG317CidTkAEJNDpdDc8QxFhD5ymthRzIT80rte3i8txvUB1fY6TaSXMZKAH3/4l
rq07fUHmlJ1JnMMz4q+OUJTc2VXkNKe0kk+/RXHyLYBZbRGGNqY+FRU=
-----END CERTIFICATE-----

This is the new certificate, but this return the code -188:

ASN_NO_SIGNER_E     = -188,  /* ASN no signer to confirm failure */

Share

  • From: Bozeman
  • Registered: 2014-05-09
  • Posts: 777

Re: WolfSSL and FreeRTOS+TCP LPC1788 MCUXpresso

@Ulysses,

Often times it just takes a bit of research to track down the right one. Please try using this link to download the Root CA authority for the cert chain presented by the domain api.tago.io.

https://certs.secureserver.net/reposito … 2-root.crt

Let me know if loading the StarField Class 2 Root Certificate Trusted CA Root resolves the issue you are facing. I found the link in this article: https://aws.amazon.com/blogs/security/h … authority/

NOTE: The below screen shot from a browser may be what is causing the confusion, the browser is not showing the intermediate CA the server is also sending. If you sniff the connection in wireshark you'll see the whole chain which terminates in the cert:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a7:0e:4a:4c:34:82:b7:7f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
        Validity
            Not Before: Sep  2 00:00:00 2009 GMT
            Not After : Jun 28 17:39:16 2034 GMT
        Subject: C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2

Note this is an intermediate CA that is cross-signing Amazon Root CA 1 so you need both the intermediate and Amazon Root CA 1 to validate Amazon Root CA 1 and you need the Starfield Class 2 Root CA to validate the above intermediate CA to complete the chain of trust.


Warm Regards,

K

Post's attachments

Screen Shot 2020-01-06 at 12.57.16.png 7.71 kb, file has never been downloaded. 

You don't have the permssions to download the attachments of this post.

Kaleb J. Himes's Website

Share

  • From: Pocos de Caldas - MG - Brazil
  • Registered: 2019-12-30
  • Posts: 12

Re: WolfSSL and FreeRTOS+TCP LPC1788 MCUXpresso

Hi,

Now apparently work, but return the following error:

PARSE_ERROR             = -306,        /* parse error on header    */

Now i use the CA intermediate in this link like you said.
https://good.sca0a.amazontrust.com/

Share

  • From: Pocos de Caldas - MG - Brazil
  • Registered: 2019-12-30
  • Posts: 12

Re: WolfSSL and FreeRTOS+TCP LPC1788 MCUXpresso

Hi,

Anyone can help me?
Now i'm trying do an examplo working in a linux machine before try work on my board, but neither there i can't work.

Here it is my repo on github:
https://github.com/ulyssesfonseca/tcp-c … te-wolfssl

What am i doing wrong?

Share

  • From: Bozeman
  • Registered: 2014-05-09
  • Posts: 777

Re: WolfSSL and FreeRTOS+TCP LPC1788 MCUXpresso

Hi @ulysses,

Can you try this with the default wolfSSL example first? I was able to succesffully test this by running the wolfSSL example client from the wolfssl root directory with the below command. NOTE: ~/Downloads/sf-class2-root.crt is the cert I provided a link to the other day.

clean-wolfssl % ./examples/client/client -h api.tago.io -p 443 -A ~/Downloads/sf-class2-root.crt -g

RESULT:

kalebhimes@kalebs-MBP clean-wolfssl % ./examples/client/client -h api.tago.io -p 443 -A ~/Downloads/sf-class2-root.crt -g
peer's cert info:
 issuer : /C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
 subject: /CN=*.tago.io
 altname = tago.io
 altname = *.tago.io
 serial number:06:93:0c:85:14:dc:b7:9a:b1:2c:8b:cc:f6:50:43:e9 
SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSL curve name is SECP256R1
Session timeout set to 500 seconds
Client Random : 441D4F0391C74FB9A052D190CC8A5CB5019CAEEB3FDE69515BFE71D6F0F932B5
SSL connect ok, sending GET...
HTTP/1.1 404 Not Found
Date: Thu, 09 Jan 2020 19:21:18 GMT
Content-Type: application/json
Content-Length: 43
Connection: cl
ose
Allow: OPTIONS

{"status":false,"message":"Page Not Found"}

- K

Kaleb J. Himes's Website

Share

  • From: Pocos de Caldas - MG - Brazil
  • Registered: 2019-12-30
  • Posts: 12

Re: WolfSSL and FreeRTOS+TCP LPC1788 MCUXpresso

Hi @Kaleb,

Now work, i don't know why it didn't work before, but now when i downloaded again worked.
Thanks.

Now i will test on my board. I'll be back later to inform if work in my board.

For now thanks.

Share

11 Reply by ulysses (edited by ulysses 2020-01-09 13:52:32)

  • From: Pocos de Caldas - MG - Brazil
  • Registered: 2019-12-30
  • Posts: 12

Re: WolfSSL and FreeRTOS+TCP LPC1788 MCUXpresso

Hi @Kaleb,

On my board is returning the

ASN_NO_SIGNER_E     = -188,  /* ASN no signer to confirm failure */

I'm using the same file user_settings.h, and i create my test on board like my test on linux. In this scenario i'm using the FreeRTOS+TCP.

This is my code:

    WOLFSSL* ssl = NULL;
    BaseType_t ret;
    struct freertos_sockaddr xConnection;
    char buf_rec[512];
    const char message[] =
        "POST /data HTTP/1.1\r\n"
        "Host: api.tago.io\r\n"
        "content-type: application/json\r\n"
        "content-length: 34\r\n"
        "device-token: c7f71928-9510-4cda-9c69-29a0e35d44b9\r\n\r\n"
        "{\"variable\":\"board\",\"value\":\"375\"}";

    /* Set family and port for client socket. */
    xConnection.sin_family = FREERTOS_AF_INET;
    xConnection.sin_addr = FreeRTOS_inet_addr("23.22.53.220");//FreeRTOS_gethostbyname("23.22.53.220");//"api.tago.io");
    xConnection.sin_port = FreeRTOS_htons( 443 );

    xClientSocket = FreeRTOS_socket(FREERTOS_AF_INET, FREERTOS_SOCK_STREAM, FREERTOS_IPPROTO_TCP);
    configASSERT( xClientSocket != FREERTOS_INVALID_SOCKET );
    ret = FreeRTOS_connect( xClientSocket, &xConnection, sizeof( xConnection ) );

    if(ret) return -1;

    DEBUGOUT("wolfssl_init \n");
    /* initialize wolfssl library */
    wolfSSL_Init();

    DEBUGOUT("wolfSSL_CTX_new \n");
    wolfctx = wolfSSL_CTX_new( wolfTLSv1_2_client_method() );
    if(wolfctx == NULL) return -2;


    DEBUGOUT("wolfSSL_new \n");
    ssl = wolfSSL_new( wolfctx );
    if(ssl == NULL) return -3;

    DEBUGOUT("wolfSSL_CTX_load_verify_buffer \n");
    ret = wolfSSL_CTX_load_verify_buffer(wolfctx, tago_cert, sizeof(tago_cert), SSL_FILETYPE_PEM);
    if(ret != SSL_SUCCESS) return -4;

    DEBUGOUT("wolfSSL_SetIOSend \n");
    wolfSSL_SetIOSend(wolfctx, cbk_send);
    wolfSSL_SetIORecv(wolfctx, cbk_recv);

    ret = wolfSSL_set_fd( ssl, xClientSocket);

    DEBUGOUT("return connect:%d\n",wolfSSL_connect(ssl));
    DEBUGOUT("-->write: %d \n",wolfSSL_write(ssl, message, strlen(message)));
    DEBUGOUT("-->read: %d \n", wolfSSL_read(ssl, buf_rec, sizeof(buf_rec)));
    DEBUGOUT("received:'%s'\n",buf_rec);

    DEBUGOUT("wolfssl_free \n");
    wolfSSL_free(ssl);
    wolfSSL_CTX_free(wolfctx);
    wolfSSL_Cleanup();

    DEBUGOUT("FreeRTOS_closesocket \n");
    FreeRTOS_closesocket( xClientSocket );

    DEBUGOUT("EXIT \n");

Follow the file of log.

Post's attachments

tcp_teste.log 4.34 kb, 1 downloads since 2020-01-09 

You don't have the permssions to download the attachments of this post.

Share

  • From: Bozeman
  • Registered: 2014-05-09
  • Posts: 777

Re: WolfSSL and FreeRTOS+TCP LPC1788 MCUXpresso

It appears your buffer may be improperly formatted:

Couldn't find PEM header
PemToDer  -372

Kaleb J. Himes's Website

Share

  • From: Bozeman
  • Registered: 2014-05-09
  • Posts: 777

Re: WolfSSL and FreeRTOS+TCP LPC1788 MCUXpresso

This is happening on the call:

ret = wolfSSL_CTX_load_verify_buffer(wolfctx, tago_cert, sizeof(tago_cert), SSL_FILETYPE_PEM);

Make sure you include the PEM header in the buffer so it can parse properly when loaded.

Kaleb J. Himes's Website

Share

  • From: Pocos de Caldas - MG - Brazil
  • Registered: 2019-12-30
  • Posts: 12

Re: WolfSSL and FreeRTOS+TCP LPC1788 MCUXpresso

Hi @Kaleb,

Sorry, i don't know how do this. My cert is this, what i have do?
Another doubt, why this buffer don't have the same problem on linux?

const unsigned char tago_cert[] = {
    "-----BEGIN CERTIFICATE-----\n"
"MIIEDzCCAvegAwIBAgIBADANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJVUzEl\n"
"MCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMp\n"
"U3RhcmZpZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQw\n"
"NjI5MTczOTE2WhcNMzQwNjI5MTczOTE2WjBoMQswCQYDVQQGEwJVUzElMCMGA1UE\n"
"ChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMpU3RhcmZp\n"
"ZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEgMA0GCSqGSIb3\n"
"DQEBAQUAA4IBDQAwggEIAoIBAQC3Msj+6XGmBIWtDBFk385N78gDGIc/oav7PKaf\n"
"8MOh2tTYbitTkPskpD6E8J7oX+zlJ0T1KKY/e97gKvDIr1MvnsoFAZMej2YcOadN\n"
"+lq2cwQlZut3f+dZxkqZJRRU6ybH838Z1TBwj6+wRir/resp7defqgSHo9T5iaU0\n"
"X9tDkYI22WY8sbi5gv2cOj4QyDvvBmVmepsZGD3/cVE8MC5fvj13c7JdBmzDI1aa\n"
"K4UmkhynArPkPw2vCHmCuDY96pzTNbO8acr1zJ3o/WSNF4Azbl5KXZnJHoe0nRrA\n"
"1W4TNSNe35tfPe/W93bC6j67eA0cQmdrBNj41tpvi/JEoAGrAgEDo4HFMIHCMB0G\n"
"A1UdDgQWBBS/X7fRzt0fhvRbVazc1xDCDqmI5zCBkgYDVR0jBIGKMIGHgBS/X7fR\n"
"zt0fhvRbVazc1xDCDqmI56FspGowaDELMAkGA1UEBhMCVVMxJTAjBgNVBAoTHFN0\n"
"YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAsTKVN0YXJmaWVsZCBD\n"
"bGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8w\n"
"DQYJKoZIhvcNAQEFBQADggEBAAWdP4id0ckaVaGsafPzWdqbAYcaT1epoXkJKtv3\n"
"L7IezMdeatiDh6GX70k1PncGQVhiv45YuApnP+yz3SFmH8lU+nLMPUxA2IGvd56D\n"
"eruix/U0F47ZEUD0/CwqTRV/p2JdLiXTAAsgGh1o+Re49L2L7ShZ3U0WixeDyLJl\n"
"xy16paq8U4Zt3VekyvggQQto8PT7dL5WXXp59fkdheMtlb71cZBDzI0fmgAKhynp\n"
"VSJYACPq4xJDKVtHCN2MQWplBqjlIapBtJUhlbl90TSrE9atvNziPTnNvT51cKEY\n"
"WQPJIrSPnNVeKtelttQKbfi3QBFGmh95DmK/D5fs4C8fF5Q=\n"
"-----END CERTIFICATE-----\n"
};

Share

  • From: Bozeman
  • Registered: 2014-05-09
  • Posts: 777

Re: WolfSSL and FreeRTOS+TCP LPC1788 MCUXpresso

Not sure why it works on linux and not on your device, try this format, let me know if this helps:

const unsigned char tago_cert[] = "-----BEGIN CERTIFICATE-----\
MIIEDzCCAvegAwIBAgIBADANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJVUzEl\
MCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMp\
U3RhcmZpZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQw\
NjI5MTczOTE2WhcNMzQwNjI5MTczOTE2WjBoMQswCQYDVQQGEwJVUzElMCMGA1UE\
ChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMpU3RhcmZp\
ZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEgMA0GCSqGSIb3\
DQEBAQUAA4IBDQAwggEIAoIBAQC3Msj+6XGmBIWtDBFk385N78gDGIc/oav7PKaf\
8MOh2tTYbitTkPskpD6E8J7oX+zlJ0T1KKY/e97gKvDIr1MvnsoFAZMej2YcOadN\
+lq2cwQlZut3f+dZxkqZJRRU6ybH838Z1TBwj6+wRir/resp7defqgSHo9T5iaU0\
X9tDkYI22WY8sbi5gv2cOj4QyDvvBmVmepsZGD3/cVE8MC5fvj13c7JdBmzDI1aa\
K4UmkhynArPkPw2vCHmCuDY96pzTNbO8acr1zJ3o/WSNF4Azbl5KXZnJHoe0nRrA\
1W4TNSNe35tfPe/W93bC6j67eA0cQmdrBNj41tpvi/JEoAGrAgEDo4HFMIHCMB0G\
A1UdDgQWBBS/X7fRzt0fhvRbVazc1xDCDqmI5zCBkgYDVR0jBIGKMIGHgBS/X7fR\
zt0fhvRbVazc1xDCDqmI56FspGowaDELMAkGA1UEBhMCVVMxJTAjBgNVBAoTHFN0\
YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAsTKVN0YXJmaWVsZCBD\
bGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8w\
DQYJKoZIhvcNAQEFBQADggEBAAWdP4id0ckaVaGsafPzWdqbAYcaT1epoXkJKtv3\
L7IezMdeatiDh6GX70k1PncGQVhiv45YuApnP+yz3SFmH8lU+nLMPUxA2IGvd56D\
eruix/U0F47ZEUD0/CwqTRV/p2JdLiXTAAsgGh1o+Re49L2L7ShZ3U0WixeDyLJl\
xy16paq8U4Zt3VekyvggQQto8PT7dL5WXXp59fkdheMtlb71cZBDzI0fmgAKhynp\
VSJYACPq4xJDKVtHCN2MQWplBqjlIapBtJUhlbl90TSrE9atvNziPTnNvT51cKEY\
WQPJIrSPnNVeKtelttQKbfi3QBFGmh95DmK/D5fs4C8fF5Q=\
-----END CERTIFICATE-----";


// application code starts somewhere:

    const byte* caCert = tago_cert;
    int caSz = sizeof(tago_cert);

    if ((ret = wolfSSL_CTX_load_verify_buffer(wolfctx, caCert, caSz,
         SSL_FILETYPE_PEM)) != SSL_SUCCESS) { /* BUFFER */
        printf("loading the ca chain failed\n");
        printf("Error: (%d): %s\n", ret, wolfSSL_ERR_reason_error_string(ret));
        wolfSSL_CTX_free(wolfctx); wolfctx = NULL;
        return -1;
    }

Kaleb J. Himes's Website

Share

  • From: Pocos de Caldas - MG - Brazil
  • Registered: 2019-12-30
  • Posts: 12

Re: WolfSSL and FreeRTOS+TCP LPC1788 MCUXpresso

Hi @Kaleb,

I done like you said, but returned this error:

wolfSSL_Init
wolfSSL_CTX_new
WOLFSSL_CTX_new
wolfSSL_CertManagerNew
WOLFSSL_CTX_new 0
wolfSSL_new
SSL_new
SSL_new 0
wolfSSL_CTX_load_verify_buffer
wolfSSL_CTX_load_verify_buffer
Processing CA PEM file
PemToDer  -4
loading the ca chain failed
Error: (-4): no support for error strings built in
SSL_CTX_free
CTX ref count not 0 yet, no free
SSL_CTX_free 0

related to:

SSL_BAD_FILE        = -4

Share

  • From: Bozeman
  • Registered: 2014-05-09
  • Posts: 777

Re: WolfSSL and FreeRTOS+TCP LPC1788 MCUXpresso

@Ulysses,

Well it looks like we got past the no pem header issue, that's progress.

The cert is using sha1 (which is typically default disabled in wolfSSL), can you check if the setting NO_SHA is defined in your settings and comment it out if it is present?

Regards,

K

Kaleb J. Himes's Website

Share

  • From: Pocos de Caldas - MG - Brazil
  • Registered: 2019-12-30
  • Posts: 12

Re: WolfSSL and FreeRTOS+TCP LPC1788 MCUXpresso

@Kaleb,

Yes this defined was commented in my settings.

I'm sending my user_settings.

Post's attachments

user_settings.h 2 kb, file has never been downloaded. 

You don't have the permssions to download the attachments of this post.

Share

  • From: Bozeman
  • Registered: 2014-05-09
  • Posts: 777

Re: WolfSSL and FreeRTOS+TCP LPC1788 MCUXpresso

Ulysses,

Can you enable DEBUG_WOLFSSL and send the log now with the changes we've made since your last log that showed there was an issue with the PEM header?

- K

Kaleb J. Himes's Website

Share

  • From: Pocos de Caldas - MG - Brazil
  • Registered: 2019-12-30
  • Posts: 12

Re: WolfSSL and FreeRTOS+TCP LPC1788 MCUXpresso

Hi @Kaleb,

I included on my log, the buffer about callbacks cbk_send and cbk_recv.

Post's attachments

tcp_teste.log 4.32 kb, 1 downloads since 2020-01-13 

You don't have the permssions to download the attachments of this post.

Share

  • From: Bozeman
  • Registered: 2014-05-09
  • Posts: 777

Re: WolfSSL and FreeRTOS+TCP LPC1788 MCUXpresso

Ulysses,

Disregard, last. I just wrote a test app to check it and updating the factory post SSL object creation is now supported (that did not used to work but now does).

Can you check what your heap and stack configuration are set to? Is it simply failing to load due to a memory issue? I'll try loading the PEM buffer myself a little later today and post my results.

- K

Kaleb J. Himes's Website

Share

  • From: Pocos de Caldas - MG - Brazil
  • Registered: 2019-12-30
  • Posts: 12

Re: WolfSSL and FreeRTOS+TCP LPC1788 MCUXpresso

Hi @Kaleb,

Made not difference.

I upload the code on bitbucket for you.
https://bitbucket.org/ulyssesfonseca/wo … eertos-tcp

Share