Topic: wolfSSL -188(ASN_NO_SIGNER_E) on SSL Client

Hi, I'm using the wolfSSL client example taken from ( … ient-tls.c) to connect to a wolfSSL server example taken from ( … rver-tls.c) for testing purposes of my C++ library. I'm using a self-signed cert generated with OpenSSL (`openssl req -x509 -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365`) for my wolfSSL server.

When I try to connect to my wolfSSL server, I'm getting `-188` on `wolfSSL_connect()`. I'm not sure how I can fix this. Since it's a self-signed cert, I don't think I have a CA signer to verify the certificate (do I?), and I also wanna allow the wolfSSL client to connect to insecure SSL endpoints (like servers with self-signed certs), so can I use any "snake oil" certs for my client to use? Or am I mistaking something? (If so, can you please correct me?)



Re: wolfSSL -188(ASN_NO_SIGNER_E) on SSL Client

Hi sapi01

Need to clarify a couple points from your post:

> When I try to connect to my wolfSSL server, I'm getting `-188` on `wolfSSL_connect()`

Is this error in the client? Both peers will need the self-signed cert. You are basically doing a shared secret when doing mutual authentication and using self-signed certs.

Alternatively you could write a verify callback to override the cert failures for particular servers. … back.c#L55

Eric @ wolfSSL Support

3 (edited by sapi01 2021-04-20 09:14:32)

Re: wolfSSL -188(ASN_NO_SIGNER_E) on SSL Client

Hi embhorn,

Yeah, it is the wolfSSL Client that is giving me this error when I try to connect to a wolfSSL server (which uses a self-signed cert). I don't want to verify the server cert in my client implementation, but just accept whatever cert it gives me (whether it's self-signed or signed by some popular CA, my client code just wants to accept whatever it gave).

For your reference, here is my client code. Since mine is a C++ codebase, I'm using a few C++-specific constructs there, but the core thing I'm trying to do is the same as `wolfssl-examples/tls/client-tls.c`.


Re: wolfSSL -188(ASN_NO_SIGNER_E) on SSL Client

You can use the verify callback to override the cert signing errors. The example I shared earlier will accomplish what you are trying to do.
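As an added illustration (not code from this thread or from the wolfSSL example linked above), here is a verify callback that overrides `-188` only for one particular server certificate rather than for every peer. `pinned_override`, `pin_verify_cb`, `g_pin` and the sample byte arrays are hypothetical names and constructed data; it assumes a build where `store->error` carries the native wolfSSL error code, and the wolfSSL glue compiles only where the wolfSSL headers are installed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NO_SIGNER_ERR (-188) /* ASN_NO_SIGNER_E, the code reported in this thread */

/* Constructed stand-ins for DER certificate bytes (not real certificates). */
const unsigned char SAMPLE_PIN[]   = { 0x30, 0x82, 0x01, 0x0a, 0xde, 0xad };
const unsigned char SAMPLE_OTHER[] = { 0x30, 0x82, 0x01, 0x0a, 0xbe, 0xef };

/* Hypothetical helper: 1 = continue the handshake, 0 = abort it. */
int pinned_override(int preverify, int err,
                    const unsigned char *peer, size_t peer_len,
                    const unsigned char *pin, size_t pin_len)
{
    if (preverify == 1)
        return 1;   /* chain already verified against a loaded CA */
    if (err != NO_SIGNER_ERR)
        return 0;   /* every other verification failure stays fatal */
    if (peer == NULL || pin == NULL || pin_len == 0 || peer_len != pin_len)
        return 0;   /* no pin configured, or size mismatch: fail closed */
    return memcmp(peer, pin, pin_len) == 0; /* only the pinned cert passes */
}

#if defined(__has_include)
#if __has_include(<wolfssl/options.h>) && __has_include(<wolfssl/ssl.h>)
#include <wolfssl/options.h>
#include <wolfssl/ssl.h>
/* Application sets these to the DER bytes of the one trusted server cert. */
const unsigned char *g_pin;
size_t g_pin_len;

/* Register: wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, pin_verify_cb); */
int pin_verify_cb(int preverify, WOLFSSL_X509_STORE_CTX *store)
{
    if (store == NULL || store->certs == NULL || store->totalCerts < 1)
        return 0;
    /* certs[0] is the first certificate the peer sent (its own cert). */
    return pinned_override(preverify, store->error, store->certs[0].buffer,
                           store->certs[0].length, g_pin, g_pin_len);
}
#endif
#endif

int main(void)
{
    size_t n = sizeof SAMPLE_PIN;
    printf("pinned cert:  %d\n", pinned_override(0, NO_SIGNER_ERR, SAMPLE_PIN, n, SAMPLE_PIN, n));
    printf("unknown cert: %d\n", pinned_override(0, NO_SIGNER_ERR, SAMPLE_OTHER, n, SAMPLE_PIN, n));
    return 0;
}
```

A callback that returns 1 unconditionally would also clear the error, but then the client has no way to tell the intended server from anyone else answering on that address.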