Topic: TLS handshake fails with error 48 unknown_ca

I'm trying out the following wolfSSL-based demo:
https://github.com/FreeRTOS/FreeRTOS/tr … th_wolfSSL

But the TLS handshake is not succeeding when I'm connecting to AWS IoT Core. I have verified that the ciphers used by wolfSSL and AWS IoT are compatible. Please find the logs below:

[INFO] [SocketsWrapper] [TCP_Sockets_Connect:189] Established TCP connection with a2jtk2rms8uea8-ats.iot.us-east-1.amazonaws.com.
wolfSSL Entering wolfSSLv23_client_method_ex
wolfSSL Entering wolfSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
heap param is null
DYNAMIC_TYPE_CERT_MANAGER Allocating = 100 bytes
wolfSSL Leaving wolfSSL_CTX_new_ex, return 0
wolfSSL_CTX_load_verify_locations_ex
Getting dynamic buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering DecodeCrlDist
Certificate Policy extension not supported yet.
        Parsed new CA
        Freeing Parsed CA
        Freeing der CA
                OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
wolfSSL Entering wolfSSL_CTX_use_certificate_file
Getting dynamic buffer
wolfSSL Entering PemToDer
Checking cert signature type
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
Not ECDSA cert signature
wolfSSL Entering wolfSSL_CTX_use_PrivateKey_file
Getting dynamic buffer
wolfSSL Entering PemToDer
wolfSSL Entering wolfSSL_new
wolfSSL Entering ReinitSSL
RNG_HEALTH_TEST_CHECK_SIZE = 128
sizeof(seedB_data)         = 128
wolfSSL Entering SetSSL_CTX
wolfSSL Entering wolfSSL_NewSession
InitSSL done. return 0 (success)
wolfSSL_new InitSSL success
wolfSSL Leaving wolfSSL_new InitSSL =, return 0
TLS 1.2 or lower
wolfSSL Entering wolfSSL_connect
wolfSSL Entering ReinitSSL
wolfSSL Entering RetrySendAlert
wolfSSL Entering SendTls13ClientHello
Adding signature algorithms extension
Adding supported versions extension
wolfSSL Entering EccMakeKey
wolfSSL Leaving EccMakeKey, return 0
growing output buffer
Key Share extension to write
Supported Versions extension to write
Signature Algorithms extension to write
Point Formats extension to write
Supported Groups extension to write
Encrypt-Then-Mac extension to write
EMS extension to write
Shrinking output buffer
wolfSSL Leaving SendTls13ClientHello, return 0
connect state: CLIENT_HELLO_SENT
Server state up to needed state.
Progressing server state...
ProcessReply...
wolfSSL Entering RetrySendAlert
growing input buffer
received record layer msg
got HANDSHAKE
wolfSSL Entering wolfSSL_get_options
wolfSSL Entering DoTls13HandShakeMsg
wolfSSL Entering EarlySanityCheckMsgReceived
wolfSSL Leaving EarlySanityCheckMsgReceived, return 0
wolfSSL Entering DoTls13HandShakeMsgType
processing server hello
wolfSSL Entering DoTls13ServerHello
Point Formats extension received
Extended Master Secret extension received
wolfSSL Entering wolfSSL_get_options
wolfSSL Entering VerifyClientSuite
wolfSSL Leaving DoTls13ServerHello, return 0
wolfSSL Leaving DoTls13HandShakeMsgType(), return 0
wolfSSL Leaving DoTls13HandShakeMsg, return 0
Shrinking input buffer
ProcessReply done.
Progressing server state...
ProcessReply...
wolfSSL Entering RetrySendAlert
growing input buffer
received record layer msg
got HANDSHAKE
wolfSSL Entering DoHandShakeMsg
wolfSSL Entering EarlySanityCheckMsgReceived
wolfSSL Leaving EarlySanityCheckMsgReceived, return 0
wolfSSL Entering DoHandShakeMsgType
processing certificate
wolfSSL Entering DoCertificate
wolfSSL Entering ProcessPeerCerts
Loading peer's cert chain
        Put another cert into chain
        Put another cert into chain
        Put another cert into chain
        Put another cert into chain
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering DecodeCrlDist
Certificate Policy extension not supported yet.
No CA signer to verify with
Failed to verify CA from chain
wolfSSL error occurred, error = -188
wolfSSL Entering SendAlert
wolfSSL Entering SendAlert
SendAlert: 48 unknown_ca
growing output buffer
Shrinking output buffer
wolfSSL Leaving SendAlert, return 0
wolfSSL Leaving ProcessPeerCerts, return -188
wolfSSL Leaving DoCertificate, return -188
wolfSSL Leaving DoHandShakeMsgType(), return -188
wolfSSL Leaving DoHandShakeMsg(), return -188
wolfSSL error occurred, error = -188
wolfSSL error occurred, error = -188
wolfSSL Entering wolfSSL_shutdown
wolfSSL Leaving wolfSSL_shutdown, return -1
wolfSSL Entering wolfSSL_free
Free SSL: 00596A14
Free'ing client ssl
Shrinking input buffer
Key Share extension free
Supported Versions extension free
Signature Algorithms extension to free
Point Formats extension free
Supported Groups extension free
Encrypt-Then-Mac extension free
wolfSSL Entering ClientSessionToSession
wolfSSL Entering wolfSSL_FreeSession
wolfSSL_FreeSession full free
CTX ref count not 0 yet, no free
wolfSSL Leaving wolfSSL_free, return 0
wolfSSL Entering wolfSSL_CTX_free
CTX ref count down to 0, doing full free
wolfSSL Entering wolfSSL_CertManagerFree
wolfSSL Leaving wolfSSL_CTX_free, return 0
8 7722 [MQTTDemo] [ERROR] [TlsTransport] [tlsSetup:338] Failed to establish a TLS connection
vAssertCalled( C:\Users\tonyjosi\Documents\Projects\FreeRTOS\FreeRTOS-Plus\Demo\coreMQTT_Windows_Simulator\MQTT_Mutual_Auth_wolfSSL\DemoTasks\MutualAuthMQTTExample.c, 526 )

This is the wolfssl config/settings used: https://github.com/FreeRTOS/FreeRTOS/bl … settings.h

The same root CA, certificate and private key work when I use mbedTLS to connect to AWS IoT, so the credentials seem to be fine.

I'm suspecting the following log lines:

Certificate Policy extension not supported yet.
No CA signer to verify with
Failed to verify CA from chain
wolfSSL error occurred, error = -188
wolfSSL Entering SendAlert
wolfSSL Entering SendAlert
SendAlert: 48 unknown_ca

But I'm not sure about the reason for the error.

This is the root CA used: the RSA 2048-bit key listed here: https://docs.aws.amazon.com/iot/latest/ … tion-certs

Re: TLS handshake fails with error 48 unknown_ca

Hi tonyjosi,
My name is Anthony and I am a member of the wolfSSL team.  Let me see if I can look into this for you. I will start by trying to reproduce this.
Warm regards, Anthony

Re: TLS handshake fails with error 48 unknown_ca

Hi tonyjosi,

Note that reproducing and diagnosing this could take a bit of time. In the meantime, we quite often find that defining `WOLFSSL_ALT_CERT_CHAINS` fixes this problem.  Can you please try adding it to your defines in your `user_settings.h` and then rebuilding everything?

Please let me know how it goes.

Warm regards, Anthony

Re: TLS handshake fails with error 48 unknown_ca

Hi Anthony,

Thanks for the reply.

I defined `WOLFSSL_ALT_CERT_CHAINS` in `user_settings.h` and tested again. The demo still fails during the TLS handshake, but this time I got a different log:

DNS[0x8A08]: The answer to 'a2jtk2rms8uea8-ats.iot.us-east-1.amazonaws.com' (54.156.121.159) will be stored
FreeRTOS_connect: 64320 to 54.156.121.159:8883
[INFO] [SocketsWrapper] [TCP_Sockets_Connect:189] Established TCP connection with a2jtk2rms8uea8-ats.iot.us-east-1.amazonaws.com.
wolfSSL Entering wolfSSLv23_client_method_ex
wolfSSL Entering wolfSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
heap param is null
DYNAMIC_TYPE_CERT_MANAGER Allocating = 100 bytes
wolfSSL Leaving wolfSSL_CTX_new_ex, return 0
wolfSSL_CTX_load_verify_locations_ex
Getting dynamic buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering DecodeSubjKeyId
        Parsed new CA
        Freeing Parsed CA
        Freeing der CA
                OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
wolfSSL Entering wolfSSL_CTX_use_certificate_file
Getting dynamic buffer
wolfSSL Entering PemToDer
Checking cert signature type
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
Not ECDSA cert signature
wolfSSL Entering wolfSSL_CTX_use_PrivateKey_file
Getting dynamic buffer
wolfSSL Entering PemToDer
wolfSSL Entering wolfSSL_new
wolfSSL Entering ReinitSSL
RNG_HEALTH_TEST_CHECK_SIZE = 128
sizeof(seedB_data)         = 128
wolfSSL Entering SetSSL_CTX
wolfSSL Entering wolfSSL_NewSession
InitSSL done. return 0 (success)
wolfSSL_new InitSSL success
wolfSSL Leaving wolfSSL_new InitSSL =, return 0
TLS 1.2 or lower
wolfSSL Entering wolfSSL_connect
wolfSSL Entering ReinitSSL
wolfSSL Entering RetrySendAlert
wolfSSL Entering SendTls13ClientHello
Adding signature algorithms extension
Adding supported versions extension
wolfSSL Entering EccMakeKey
wolfSSL Leaving EccMakeKey, return 0
growing output buffer
Key Share extension to write
Supported Versions extension to write
Signature Algorithms extension to write
Point Formats extension to write
Supported Groups extension to write
Encrypt-Then-Mac extension to write
EMS extension to write
Shrinking output buffer
wolfSSL Leaving SendTls13ClientHello, return 0
connect state: CLIENT_HELLO_SENT
Server state up to needed state.
Progressing server state...
ProcessReply...
wolfSSL Entering RetrySendAlert
growing input buffer
received record layer msg
got HANDSHAKE
wolfSSL Entering wolfSSL_get_options
wolfSSL Entering DoTls13HandShakeMsg
wolfSSL Entering EarlySanityCheckMsgReceived
wolfSSL Leaving EarlySanityCheckMsgReceived, return 0
wolfSSL Entering DoTls13HandShakeMsgType
processing server hello
wolfSSL Entering DoTls13ServerHello
Point Formats extension received
Extended Master Secret extension received
wolfSSL Entering wolfSSL_get_options
wolfSSL Entering VerifyClientSuite
wolfSSL Leaving DoTls13ServerHello, return 0
wolfSSL Leaving DoTls13HandShakeMsgType(), return 0
wolfSSL Leaving DoTls13HandShakeMsg, return 0
Shrinking input buffer
ProcessReply done.
Progressing server state...
ProcessReply...
wolfSSL Entering RetrySendAlert
growing input buffer
received record layer msg
got HANDSHAKE
wolfSSL Entering DoHandShakeMsg
wolfSSL Entering EarlySanityCheckMsgReceived
wolfSSL Leaving EarlySanityCheckMsgReceived, return 0
wolfSSL Entering DoHandShakeMsgType
processing certificate
wolfSSL Entering DoCertificate
wolfSSL Entering ProcessPeerCerts
Loading peer's cert chain
        Put another cert into chain
        Put another cert into chain
        Put another cert into chain
        Put another cert into chain
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering DecodeCrlDist
Certificate Policy extension not supported yet.
No CA signer to verify with
Failed to verify CA from chain
Trying alternate cert chain
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering DecodeCrlDist
Certificate Policy extension not supported yet.
No CA signer to verify with
Failed to verify CA from chain
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering DecodeCrlDist
Certificate Policy extension not supported yet.
CA found
wolfSSL Entering ConfirmSignature
mp_to_unsigned_bin_len_ct...
wolfSSL Leaving ConfirmSignature, return 0
Adding CA from chain
Modifying SSL_CTX CM not SSL specific CM
Adding a CA
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering DecodeCrlDist
Certificate Policy extension not supported yet.
CA found
        Parsed new CA
        Freeing Parsed CA
        Freeing der CA
                OK Freeing der CA
wolfSSL Leaving AddCA, return 0
Verifying Peer's cert
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering DecodeAltNames
Certificate Policy extension not supported yet.
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering DecodeCrlDist
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering DecodeBasicCaConstraint
CA found
wolfSSL Entering ConfirmSignature
mp_to_unsigned_bin_len_ct...
wolfSSL Leaving ConfirmSignature, return 0
Verified Peer's cert
wolfSSL Leaving ProcessPeerCerts, return 0
wolfSSL Leaving DoCertificate, return 0
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
Shrinking input buffer
ProcessReply done.
Progressing server state...
ProcessReply...
wolfSSL Entering RetrySendAlert
growing input buffer
received record layer msg
got HANDSHAKE
wolfSSL Entering DoHandShakeMsg
wolfSSL Entering EarlySanityCheckMsgReceived
wolfSSL Leaving EarlySanityCheckMsgReceived, return 0
wolfSSL Entering DoHandShakeMsgType
processing server key exchange
wolfSSL Entering DoServerKeyExchange
wolfSSL Entering RsaVerify
mp_to_unsigned_bin_len_ct...
wolfSSL Leaving RsaVerify, return 51
wolfSSL Leaving DoServerKeyExchange, return 0
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
Shrinking input buffer
ProcessReply done.
Progressing server state...
ProcessReply...
wolfSSL Entering RetrySendAlert
growing input buffer
received record layer msg
got HANDSHAKE
wolfSSL Entering DoHandShakeMsg
wolfSSL Entering EarlySanityCheckMsgReceived
wolfSSL Leaving EarlySanityCheckMsgReceived, return 0
wolfSSL Entering DoHandShakeMsgType
processing certificate request
wolfSSL Entering DoCertificateRequest
wolfSSL Leaving DoCertificateRequest, return 0
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
Shrinking input buffer
ProcessReply done.
Progressing server state...
ProcessReply...
wolfSSL Entering RetrySendAlert
received record layer msg
got HANDSHAKE
wolfSSL Entering DoHandShakeMsg
wolfSSL Entering EarlySanityCheckMsgReceived
wolfSSL Leaving EarlySanityCheckMsgReceived, return 0
wolfSSL Entering DoHandShakeMsgType
processing server hello done
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
ProcessReply done.
connect state: HELLO_AGAIN
connect state: HELLO_AGAIN_REPLY
connect state: FIRST_REPLY_DONE
wolfSSL Entering SendCertificate
growing output buffer
Shrinking output buffer
wolfSSL Leaving SendCertificate, return 0
sent: certificate
connect state: FIRST_REPLY_FIRST
wolfSSL Entering SendClientKeyExchange
wolfSSL Entering EccMakeKey
wolfSSL Leaving EccMakeKey, return 0
wolfSSL Entering EccSharedSecret
wolfSSL Leaving EccSharedSecret, return 0
growing output buffer
Shrinking output buffer
wolfSSL Leaving SendClientKeyExchange, return 0
sent: client key exchange
connect state: FIRST_REPLY_SECOND
wolfSSL Entering SendCertificateVerify
Trying RSA private key
Using RSA private key
wolfSSL Entering RsaSign
mp_to_unsigned_bin_len_ct...
wolfSSL Leaving RsaSign, return 0
wolfSSL Entering VerifyRsaSign
mp_to_unsigned_bin_len_ct...
wolfSSL Leaving VerifyRsaSign, return 0
wolfSSL Entering SendHandshakeMsg
growing output buffer
Shrinking output buffer
wolfSSL Leaving SendCertificateVerify, return 0
sent: certificate verify
connect state: FIRST_REPLY_THIRD
growing output buffer
wolfSSL error occurred, error = -308
wolfSSL Entering wolfSSL_shutdown
wolfSSL Leaving wolfSSL_shutdown, return -1
wolfSSL Entering wolfSSL_free
Free SSL: 00826A14
Free'ing client ssl
Shrinking output buffer
Key Share extension free
Supported Versions extension free
Signature Algorithms extension to free
Point Formats extension free
Supported Groups extension free
Encrypt-Then-Mac extension free
wolfSSL Entering ClientSessionToSession
wolfSSL Entering wolfSSL_FreeSession
wolfSSL_FreeSession full free
CTX ref count not 0 yet, no free
wolfSSL Leaving wolfSSL_free, return 0
wolfSSL Entering wolfSSL_CTX_free
CTX ref count down to 0, doing full free
wolfSSL Entering wolfSSL_CertManagerFree
wolfSSL Leaving wolfSSL_CTX_free, return 0
8 7665 [MQTTDemo] [ERROR] [TlsTransport] [tlsSetup:338] Failed to establish a TLS connection
vAssertCalled( C:\Users\tonyjosi\Documents\Projects\FreeRTOS\FreeRTOS-Plus\Demo\coreMQTT_Windows_Simulator\MQTT_Mutual_Auth_wolfSSL\DemoTasks\MutualAuthMQTTExample.c, 526 )

The newly suspected log lines are:

sent: certificate verify
connect state: FIRST_REPLY_THIRD
growing output buffer
wolfSSL error occurred, error = -308
wolfSSL Entering wolfSSL_shutdown
wolfSSL Leaving wolfSSL_shutdown, return -1
wolfSSL Entering wolfSSL_free

Thanks & regards,
Tony

Re: TLS handshake fails with error 48 unknown_ca

Hi Tony,

I've modified your user_settings.h.  See the end of this message.  Then I built it on my Linux machine with the following command:

./configure --enable-usersettings 

I then downloaded your root certificate and executed the example client like this:

./examples/client/client -A root.pem  -h a2jtk2rms8uea8-ats.iot.us-east-1.amazonaws.com -p 8883

And I got a successful TLS 1.3 connection. 

This tells me there might be some incompatibility with the way FreeRTOS is being used or the way wolfMQTT is calling into wolfSSL. The most likely problem is a memory issue.  How much memory are you giving to this process?  Perhaps try increasing it?

Warm regards, Anthony

=============================================
#ifndef USER_SETTINGS_H
#define USER_SETTINGS_H

#define WOLFSSL_IGNORE_FILE_WARN

/*-- Cipher related definitions  -----------------------------------------------
*
*
*----------------------------------------------------------------------------*/
#define WOLFSSL_ALT_CERT_CHAINS



#define WOLFSSL_TLS13
#define HAVE_TLS_EXTENSIONS

#define HAVE_SUPPORTED_CURVES
#define HAVE_FFDHE_2048

#ifndef WOLFSSL_OPTIONS_IGNORE_SYS
    #undef  _POSIX_THREADS
    #define _POSIX_THREADS
#endif

#define HAVE_THREAD_LS
#define TFM_TIMING_RESISTANT
#define ECC_TIMING_RESISTANT
#define WC_RSA_BLINDING

#define HAVE_AESGCM
#define HAVE_AESCCM
#define HAVE_AES_ECB
#define WOLFSSL_AES_COUNTER
#define WOLFSSL_AES_DIRECT

#define WOLFSSL_SHA512
#define WOLFSSL_SHA384
#define HAVE_HKDF

#define HAVE_ECC
#define TFM_ECC256
#define ECC_SHAMIR
#define WC_RSA_PSS
#define WOLFSSL_BASE64_ENCODE

#define WOLFSSL_KEY_GEN


#define HAVE_ECC_CDH
#define WC_RSA_NO_PADDING
#define WOLFSSL_VALIDATE_FFC_IMPORT
#define WOLFSSL_VALIDATE_ECC_IMPORT
#define HAVE_FFDHE_Q
#define WOLFSSL_NO_SHAKE256

#define WOLFSSL_CMAC
#define WOLFSSL_SHA224
#define WOLFSSL_SHA3
#define WOLFSSL_SHAKE256
#define HAVE_HASHDRBG

#define HAVE_SUPPORTED_CURVES
#define HAVE_EXTENDED_MASTER
#define HAVE_ENCRYPT_THEN_MAC
#define USE_FAST_MATH
#define WOLFSSL_X86_64_BUILD
#define WC_NO_ASYNC_THREADING
#define HAVE_DH_DEFAULT_PARAMS
#define HAVE___UINT128_T    1

#define NO_DSA
#define NO_HC128
#define NO_RABBIT
#define NO_RC4
#define NO_PSK
#define NO_MD4
#define NO_PWDBASED

/*-- Debugging options  ------------------------------------------------------
*
* "DEBUG_WOLFSSL" definition enables log to output into stdout.
* Note: wolfSSL_Debugging_ON() must be called just after wolfSSL_Init().
*----------------------------------------------------------------------------*/

#define DEBUG_WOLFSSL



#endif /* USER_SETTINGS_H */
========================================

Re: TLS handshake fails with error 48 unknown_ca

Correction: TLS 1.2 connection.  Not TLS 1.3 connection.

Re: TLS handshake fails with error 48 unknown_ca

Hi Anthony,

Thanks a lot for suggesting the config flag and verifying the demo on your side.

Adding `WOLFSSL_ALT_CERT_CHAINS` fixes the issue; the reason it was not working immediately was that there is a bug in the handling of error codes in the socket wrapper layer created for wolfSSL on the FreeRTOS+TCP stack. I will create a pull request to fix the bug in the demo.

Thanks,
Tony

Re: TLS handshake fails with error 48 unknown_ca

Hi Tony,
Excellent.  Instead of putting up a pull request, can you put up a bug report?  We have a preference for bug reports, as accepting pull requests would require you to submit a contributor agreement.
Warm regards, Anthony

Re: TLS handshake fails with error 48 unknown_ca

Hi Anthony,

The pull request I meant is to the FreeRTOS repo, which contains a socket wrapper interface from wolfSSL to FreeRTOS+TCP. I have created the PR and merged it. Please refer to: https://github.com/FreeRTOS/FreeRTOS/pull/1217

Thanks,
Tony