1 Topic by rocotocloc (edited by rocotocloc 2025-06-18 04:05:51)

  • Registered: 2025-06-13
  • Posts: 8

Topic: Simple SSL connection providing root certs

Hello,

I am following Espressif example projects from GitHub to just open an https:443 connection to any website but I am always getting error -188 "ASN sig error, no CA signer to verify certificate". I am missing something but I don't know what.

I am using this example especifically but also checked some others and all of them look very similar: https://github.com/wolfSSL/wolfssl/tree … ssl_client

As you can see I am trying to connect to google.com and I am providing a bundle of root certificates taken from Mozilla site: https://curl.se/ca/cacert.pem. That's the file you can see in the code below as "mozilla_root_certs_pem"

I've tried to connect to different sites and also providing not that certificate bundle with all root certs but the specific root cert of the site I am connecting to. Always getting the same -188 error.

This is my code:

// file included in CMakeLists.txt
extern const unsigned char mozilla_root_certs_pem_start[] asm("_binary_mozillarootcerts_pem_start");
extern const unsigned char mozilla_root_certs_pem_end[] asm("_binary_mozillarootcerts_pem_end");

WOLFSSL_ESP_TASK tls_smp_client_task_2(void *args)
{
#define TLS_SMP_TARGET_HOST "www.google.com"
#define TLS_SMP_DEFAULT_PORT 443

#if defined(SINGLE_THREADED)
    int ret = ESP_OK;
#define TLS_SMP_CLIENT_TASK_RET ret
#else
#define TLS_SMP_CLIENT_TASK_RET
#endif
    char buff[256];
    const char sndMsg[] = "GET / HTTP/1.1\r\nAccept: */*\r\n";
    const char *ch = TLS_SMP_TARGET_HOST; /* see wifi_connect.h */
    struct sockaddr_in servAddr;

    struct hostent *hp;
    struct ip4_addr *ip4_addr;
    int ret_i; /* interim return values */
    int err;   /* interim return values */
    int sockfd;
    int doPeerCheck;
    int sendGet;
#ifdef DEBUG_WOLFSSL
    int this_heap = 0;
#endif
#ifndef NO_DH
    int minDhKeyBits = DEFAULT_MIN_DHKEY_BITS;
#endif

    /* declare wolfSSL objects */
    WOLFSSL_CTX *ctx;
    WOLFSSL *ssl;

    size_t len;

    WOLFSSL_ENTER(TLS_SMP_CLIENT_TASK_NAME);

    doPeerCheck = 1;
    sendGet = 1;

#ifdef DEBUG_WOLFSSL
    WOLFSSL_MSG("Debug ON");
    ShowCiphers(NULL);
#endif
    /* Initialize wolfSSL */
    wolfSSL_Init();

    /* Create a socket that uses an Internet IPv4 address,
     * Sets the socket to be stream based (TCP),
     * 0 means choose the default protocol. */
    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
    {
        ESP_LOGE(TAG, "ERROR: failed to create the socket\n");
    }

    ESP_LOGI(TAG, "get target IP address");

    hp = gethostbyname(TLS_SMP_TARGET_HOST);
    if (!hp)
    {
        ESP_LOGE(TAG, "Failed to get host name.");
        ip4_addr = NULL;
    }
    else
    {
        ip4_addr = (struct ip4_addr *)hp->h_addr;
        ESP_LOGI(TAG, "Host name: %s", hp->h_name);
    }

    /* Create and initialize WOLFSSL_CTX */
    ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); /* SSL 3.0 - TLS 1.3. */
    /*   options:   */
    /* ctx = wolfSSL_CTX_new(wolfSSLv1_2_client_method());      only TLS 1.2 */
    /* ctx = wolfSSL_CTX_new(wolfSSLv1_3_client_method());      only TLS 1.3 */
    /* wolfSSL_CTX_NoTicketTLSv12(); */
    /* wolfSSL_NoTicketTLSv12();     */
    if (ctx == NULL)
    {
        ESP_LOGE(TAG, "ERROR: failed to create WOLFSSL_CTX\n");
    }

    // load certs
    ret_i = wolfSSL_CTX_load_verify_buffer(ctx,
                                           mozilla_root_certs_pem_start,
                                           mozilla_root_certs_pem_end - mozilla_root_certs_pem_start,
                                           WOLFSSL_FILETYPE_PEM);

    if (ret_i != WOLFSSL_SUCCESS)
    {
        ESP_LOGE(TAG, "ERROR: failed to load CA cert %d, "
                      "please check the file.\n",
                 ret_i);
    }
    {
        ESP_LOGI(TAG, "CA cert loaded successfully");
    }

    /* Initialize the server address struct with zeros */
    memset(&servAddr, 0, sizeof(servAddr));

    /* Fill in the server address */
    servAddr.sin_family = AF_INET;                   /* using IPv4      */
    servAddr.sin_port = htons(TLS_SMP_DEFAULT_PORT); /* on DEFAULT_PORT */

    if (*ch >= '1' && *ch <= '9')
    {
        /* Get the server IPv4 address from the command line call */
        WOLFSSL_MSG("inet_pton");
        if ((ret_i = inet_pton(AF_INET,
                               TLS_SMP_TARGET_HOST,
                               &servAddr.sin_addr)) != 1)
        {
            ESP_LOGE(TAG, "ERROR: invalid address ret=%d\n", ret_i);
        }
        ESP_LOGI(TAG, "Using IP address: %s", TLS_SMP_TARGET_HOST);
    }
    else
    {
        servAddr.sin_addr.s_addr = ip4_addr->addr;
        ESP_LOGI(TAG, "Using host name: %s", TLS_SMP_TARGET_HOST);
    }

    /* Connect to the server */
    sprintf(buff,
            "Connecting to server....%s (port:%d)",
            TLS_SMP_TARGET_HOST,
            TLS_SMP_DEFAULT_PORT);
    ESP_LOGI(TAG, "%s\n", buff);

    if ((ret_i = connect(sockfd,
                         (struct sockaddr *)&servAddr,
                         sizeof(servAddr))) == -1)
    {
        ESP_LOGE(TAG, "ERROR: failed to connect ret=%d\n", ret_i);
    }

    WOLFSSL_MSG("Create a WOLFSSL object");
    /* Create a WOLFSSL object */
    if ((ssl = wolfSSL_new(ctx)) == NULL)
    {
        ESP_LOGE(TAG, "ERROR: failed to create WOLFSSL object\n");
    }
    else
    {
        ESP_LOGI(TAG, "WOLFSSL object created successfully");
    }

    /* Attach wolfSSL to the socket */
    ret_i = wolfSSL_set_fd(ssl, sockfd);
    if (ret_i == WOLFSSL_SUCCESS)
    {
        ESP_LOGI(TAG, "wolfSSL_set_fd success");
    }
    else
    {
        ESP_LOGE(TAG, "ERROR: failed wolfSSL_set_fd. Error: %d\n", ret_i);
    }

    ESP_LOGI(TAG, "Connect to wolfSSL server...");
    ret_i = wolfSSL_connect(ssl);

    if (ret_i == WOLFSSL_SUCCESS)
    {

        ESP_LOGI(TAG, "Connect success! Sending message...");
        /* Get a message for the server from stdin */
        WOLFSSL_MSG("Message for server: ");
        memset(buff, 0, sizeof(buff));

        len = XSTRLEN(sndMsg);
        strncpy(buff, sndMsg, len);
        buff[len] = '\0';
        ESP_LOGI(TAG, "SSL connect ok, sending message:\n\n%s\n", buff);

        /* Send the message to the server */
        do
        {
            err = 0; /* reset error */
            ret_i = wolfSSL_write(ssl, buff, len);
            if (ret_i <= 0)
            {
                err = wolfSSL_get_error(ssl, 0);
            }
        } while (err == WOLFSSL_ERROR_WANT_WRITE ||
                 err == WOLFSSL_ERROR_WANT_READ);

        if (ret_i != len)
        {
            ESP_LOGE(TAG, "ERROR: failed to write\n");
        }
        else
        {
            ESP_LOGI(TAG, "Message sent! Awaiting response...");
        }

        /* Read the server data into our buff array */
        memset(buff, 0, sizeof(buff));

        do
        {
            err = 0; /* reset error */
            ret_i = wolfSSL_read(ssl, buff, sizeof(buff));
            if (ret_i <= 0)
            {
                err = wolfSSL_get_error(ssl, 0);
            }
        } while ((err == WOLFSSL_ERROR_WANT_READ) ||
                 (err == WOLFSSL_ERROR_WANT_WRITE));

        if (ret_i < 0)
        {
            ESP_LOGE(TAG, "ERROR: failed to read\n");
        }

        /* Show any data the server sends */
        ESP_LOGI(TAG, "Server response: \n\n%s\n", buff);

        ret_i = wolfSSL_shutdown(ssl);
        while (ret_i == WOLFSSL_SHUTDOWN_NOT_DONE)
        {
            ret_i = wolfSSL_shutdown(ssl); /* bidirectional shutdown */
            if (ret_i == WOLFSSL_SUCCESS)
            {
                ESP_LOGI(TAG, "Bidirectional shutdown complete\n");
                break;
            }
            else if (ret_i != WOLFSSL_SHUTDOWN_NOT_DONE)
            {
                ESP_LOGE(TAG, "Bidirectional shutdown failed\n");
                break;
            }
        }
        if (ret_i != WOLFSSL_SUCCESS)
        {
            ESP_LOGE(TAG, "Bidirectional shutdown failed\n");
        }

    } /* wolfSSL_connect(ssl) == WOLFSSL_SUCCESS) */
    else
    {
        ESP_LOGE(TAG, "ERROR: failed to connect to wolfSSL. "
                      "Error: %d\n",
                 ret_i);
        int err = wolfSSL_get_error(ssl, 0);
        ESP_LOGE(TAG, "wolfSSL_get_error: %d\n",
                 err);
    }

    ESP_LOGI(TAG, "Cleanup and exit");
    wolfSSL_free(ssl);     /* Release the wolfSSL object memory        */
    wolfSSL_CTX_free(ctx); /* Free the wolfSSL context object          */
    wolfSSL_Cleanup();     /* Cleanup the wolfSSL environment          */
    close(sockfd);         /* Close the connection to the server       */

    vTaskDelete(NULL);

    return TLS_SMP_CLIENT_TASK_RET;
}

And this is the output:

I (3887) wifi:dp: 1, bi: 102400, li: 3, scale listen interval from 307200 us to 307200 us
I (3905) wifi:<ba-add>idx:0 (ifx:0, 12:a7:b9:4e:84:5e), tid:4, ssn:0, winSize:64
I (3922) wifi:AP's beacon interval = 102400 us, DTIM period = 1
I (4915) esp_netif_handlers: example_netif_sta ip: 172.28.5.245, mask: 255.255.255.0, gw: 172.28.5.1
I (4916) example_connect: Got IPv4 event: Interface "example_netif_sta" address: 172.28.5.245
I (5112) example_connect: Got IPv6 event: Interface "example_netif_sta" address: fe80:0000:0000:0000:96e6:86ff:fe92:d4e4, type: ESP_IP6_ADDR_IS_LINK_LOCAL
I (5115) example_common: Connected to example_netif_sta
I (5120) example_common: - IPv4 address: 172.28.5.245,
I (5125) example_common: - IPv6 address: fe80:0000:0000:0000:96e6:86ff:fe92:d4e4, type: ESP_IP6_ADDR_IS_LINK_LOCAL
I (5636) time_helper: The current date/time is: Fri Jun  6 15:43:24 2025
I (6636) time_helper: Waiting for NTP to sync time... (1/10)
I (6637) time_helper: The current date/time is: Fri Jun  6 15:43:25 2025
I (7637) time_helper: Waiting for NTP to sync time... (2/10)
I (7638) time_helper: The current date/time is: Fri Jun  6 15:43:26 2025
I (8536) wifi:<ba-add>idx:1 (ifx:0, 12:a7:b9:4e:84:5e), tid:0, ssn:0, winSize:64
I (8589) time_helper: Waiting for NTP to sync time... (3/10)
I (8590) time_helper: The current date/time is: Wed Jun 18 03:52:51 2025
I (8591) time_helper: Successfully set time via NTP servers.
I (8596) main: Initial Stack Used (before wolfSSL Server): 2240 bytes
I (8602) main: Starting TLS Client task ...

I (8606) main: main tls_smp_client_init heap @ 0x3ffbac24 = 236616
I (8612) client-tls: get target IP address
I (8637) client-tls: Host name: google.com
I (9031) client-tls: CA cert loaded successfully
I (9032) client-tls: Using host name: google.com
I (9032) client-tls: Connecting to server....www.google.com (port:443)

I (9063) client-tls: WOLFSSL object created successfully
I (9064) client-tls: wolfSSL_set_fd success
I (9064) client-tls: Connect to wolfSSL server...
E (9557) client-tls: ERROR: failed to connect to wolfSSL. Error: -1

E (9558) client-tls: wolfSSL_get_error: -188

I (9558) client-tls: Cleanup and exit


If I remove the peer verification by adding the next line before the connection:

wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_NONE, 0);

Then at least connects, just confirming it's a problem with cert verification:


I (7610) client-tls: Using host name: google.com
I (7610) client-tls: Connecting to server....www.google.com (port:443)

I (7641) client-tls: WOLFSSL object created successfully

I (7641) client-tls: WOLFSSL object created successfully
I (7641) client-tls: WOLFSSL object created successfully
I (7642) client-tls: wolfSSL_set_fd success
I (7642) client-tls: wolfSSL_set_fd success
I (7642) client-tls: Connect to wolfSSL server...
I (8236) client-tls: Connect success! Sending message...
I (8237) client-tls: SSL connect ok, sending message:

GET / HTTP/1.1
Accept: */*


I (8240) client-tls: Message sent! Awaiting response...

What am I missing here? How to load root certs to properly validate the chain received from websites?

Thank you.

Share

  • Registered: 2025-06-13
  • Posts: 8

Re: Simple SSL connection providing root certs

Hi,

Ok let me share some more data after further tests.

With code above, I finally found some websites that work, for example this one "ww w.as.com" (notice the blank space to avoid link limit)

Related to Google website I could see it was related to SNI so I added:

#define HAVE_SNI

And this after creating the context:

#ifdef HAVE_SNI
    ret_i = wolfSSL_CTX_UseSNI(ctx, WOLFSSL_SNI_HOST_NAME, TLS_SMP_TARGET_HOST,
                               strlen(TLS_SMP_TARGET_HOST));
    if (ret_i != WOLFSSL_SUCCESS)
    {
        ESP_LOGE(TAG, "ERROR: failed to set SNI for %s, ret=%d\n",
                 TLS_SMP_TARGET_HOST, ret_i);
    }
    else
    {
        ESP_LOGI(TAG, "SNI set for %s", TLS_SMP_TARGET_HOST);
    }
#endif

But now I am getting error -155 instead of -188.

When I test with openssl:

openssl s_client -showcerts -connect www.google.com:443

I can see this is the last cert in the chain:

2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
-----BEGIN CERTIFICATE-----
MIIFYjCCBEqgAwIBAgIQd70NbNs2+RrqIQ/E8FjTDTANBgkqhkiG9w0BAQsFADBX
MQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTEQMA4GA1UE
CxMHUm9vdCBDQTEbMBkGA1UEAxMSR2xvYmFsU2lnbiBSb290IENBMB4XDTIwMDYx
OTAwMDA0MloXDTI4MDEyODAwMDA0MlowRzELMAkGA1UEBhMCVVMxIjAgBgNVBAoT
GUdvb2dsZSBUcnVzdCBTZXJ2aWNlcyBMTEMxFDASBgNVBAMTC0dUUyBSb290IFIx
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAthECix7joXebO9y/lD63
ladAPKH9gvl9MgaCcfb2jH/76Nu8ai6Xl6OMS/kr9rH5zoQdsfnFl97vufKj6bwS
iV6nqlKr+CMny6SxnGPb15l+8Ape62im9MZaRw1NEDPjTrETo8gYbEvs/AmQ351k
KSUjB6G00j0uYODP0gmHu81I8E3CwnqIiru6z1kZ1q+PsAewnjHxgsHA3y6mbWwZ
DrXYfiYaRQM9sHmklCitD38m5agI/pboPGiUU+6DOogrFZYJsuB6jC511pzrp1Zk
j5ZPaK49l8KEj8C8QMALXL32h7M1bKwYUH+E4EzNktMg6TO8UpmvMrUpsyUqtEj5
cuHKZPfmghCN6J3Cioj6OGaK/GP5Afl4/Xtcd/p2h/rs37EOeZVXtL0m79YB0esW
CruOC7XFxYpVq9Os6pFLKcwZpDIlTirxZUTQAs6qzkm06p98g7BAe+dDq6dso499
iYH6TKX/1Y7DzkvgtdizjkXPdsDtQCv9Uw+wp9U7DbGKogPeMa3Md+pvez7W35Ei
Eua++tgy/BBjFFFy3l3WFpO9KWgz7zpm7AeKJt8T11dleCfeXkkUAKIAf5qoIbap
sZWwpbkNFhHax2xIPEDgfg1azVY80ZcFuctL7TlLnMQ/0lUTbiSw1nH69MG6zO0b
9f6BQdgAmD06yK56mDcYBZUCAwEAAaOCATgwggE0MA4GA1UdDwEB/wQEAwIBhjAP
BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTkrysmcRorSCeFL1JmLO/wiRNxPjAf
BgNVHSMEGDAWgBRge2YaRQ2XyolQL30EzTSo//z9SzBgBggrBgEFBQcBAQRUMFIw
JQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnBraS5nb29nL2dzcjEwKQYIKwYBBQUH
MAKGHWh0dHA6Ly9wa2kuZ29vZy9nc3IxL2dzcjEuY3J0MDIGA1UdHwQrMCkwJ6Al
oCOGIWh0dHA6Ly9jcmwucGtpLmdvb2cvZ3NyMS9nc3IxLmNybDA7BgNVHSAENDAy
MAgGBmeBDAECATAIBgZngQwBAgIwDQYLKwYBBAHWeQIFAwIwDQYLKwYBBAHWeQIF
AwMwDQYJKoZIhvcNAQELBQADggEBADSkHrEoo9C0dhemMXoh6dFSPsjbdBZBiLg9
NR3t5P+T4Vxfq7vqfM/b5A3Ri1fyJm9bvhdGaJQ3b2t6yMAYN/olUazsaL+yyEn9
WprKASOshIArAoyZl+tJaox118fessmXn1hIVw41oeQa1v1vg4Fv74zPl6/AhSrw
9U5pCZEt4Wi4wStz6dTZ/CLANx8LZh1J7QJVj2fhMtfTJr9w4z30Z209fOU0iOMy
+qduBmpvvYuR7hZL6Dupszfnw0Skfths18dG9ZKb59UhvmaSGZRVbNQpsg3BZlvi
d0lIKO2d1xozclOzgjXPYovJJIultzkMu34qQb9Sz/yilrbCgj8=
-----END CERTIFICATE-----

And "GTS Root R1" is already included in the cert bundle file from Mozilla, so I don't know why's failing.


Also I was checking my website: "www.lavnetremote.com" with every combination and it's always failing with -155. I don't know why in this case because the last cert sent has as root "ISRG Root X1" which is the same of the website I indicated at the beginning it was working (as.com):


1 s:C = US, O = Let's Encrypt, CN = R10
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
-----BEGIN CERTIFICATE-----
MIIFBTCCAu2gAwIBAgIQS6hSk/eaL6JzBkuoBI110DANBgkqhkiG9w0BAQsFADBP
MQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFy
Y2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMTAeFw0yNDAzMTMwMDAwMDBa
Fw0yNzAzMTIyMzU5NTlaMDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBF
bmNyeXB0MQwwCgYDVQQDEwNSMTAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQDPV+XmxFQS7bRH/sknWHZGUCiMHT6I3wWd1bUYKb3dtVq/+vbOo76vACFL
YlpaPAEvxVgD9on/jhFD68G14BQHlo9vH9fnuoE5CXVlt8KvGFs3Jijno/QHK20a
/6tYvJWuQP/py1fEtVt/eA0YYbwX51TGu0mRzW4Y0YCF7qZlNrx06rxQTOr8IfM4
FpOUurDTazgGzRYSespSdcitdrLCnF2YRVxvYXvGLe48E1KGAdlX5jgc3421H5KR
mudKHMxFqHJV8LDmowfs/acbZp4/SItxhHFYyTr6717yW0QrPHTnj7JHwQdqzZq3
DZb3EoEmUVQK7GH29/Xi8orIlQ2NAgMBAAGjgfgwgfUwDgYDVR0PAQH/BAQDAgGG
MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATASBgNVHRMBAf8ECDAGAQH/
AgEAMB0GA1UdDgQWBBS7vMNHpeS8qcbDpHIMEI2iNeHI6DAfBgNVHSMEGDAWgBR5
tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAKG
Fmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0gBAwwCjAIBgZngQwBAgEwJwYD
VR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVuY3Iub3JnLzANBgkqhkiG9w0B
AQsFAAOCAgEAkrHnQTfreZ2B5s3iJeE6IOmQRJWjgVzPw139vaBw1bGWKCIL0vIo
zwzn1OZDjCQiHcFCktEJr59L9MhwTyAWsVrdAfYf+B9haxQnsHKNY67u4s5Lzzfd
u6PUzeetUK29v+PsPmI2cJkxp+iN3epi4hKu9ZzUPSwMqtCceb7qPVxEbpYxY1p9
1n5PJKBLBX9eb9LU6l8zSxPWV7bK3lG4XaMJgnT9x3ies7msFtpKK5bDtotij/l0
GaKeA97pb5uwD9KgWvaFXMIEt8jVTjLEvwRdvCn294GPDF08U8lAkIv7tghluaQh
1QnlE4SEN4LOECj8dsIGJXpGUk3aU3KkJz9icKy+aUgA+2cP21uh6NcDIS3XyfaZ
QjmDQ993ChII8SXWupQZVBiIpcWO4RqZk3lr7Bz5MUCwzDIA359e57SSq5CCkY0N
4B6Vulk7LktfwrdGNVI5BsC9qqxSwSKgRJeZ9wygIaehbHFHFhcBaMDKpiZlBHyz
rsnnlFXCb5s8HKn5LsUgGvB24L7sGNZP2CX7dhHov+YhD+jozLW2p9W4959Bz2Ei
RmqDtmiXLnzqTpXbI+suyCsohKRg6Un0RC47+cpiVwHiXZAW+cn8eiNIjqbVgXLx
KPpdzvvtTnOPlC7SQZSYmdunr3Bf9b77AiC/ZidstK36dRILKz7OA54=
-----END CERTIFICATE-----

Share

  • Registered: 2022-05-24
  • Posts: 31

Re: Simple SSL connection providing root certs

Hi rocotocloc

Thank you very much for sharing the the code sample and your observations. That's really helpful. I have been able to reproduce the problem you are seeing, but only have a partial solution.

Per our related discussion at the other thread:

https://www.wolfssl.com/forums/post8388.html

I think the primary problem is an issue with either the certs and/or the user_settings.h

Could you please share your user_settings.h either here, and/or send to support [at] wolfssl.com ?

I've put together a sample that works with TLS 1.2 here:

https://github.com/gojimmypi/wolfssl/tr … ssl_client

Your code is in the `other.c` source file:

https://github.com/gojimmypi/wolfssl/bl … in/other.c

See the limited certs that I am using here:

https://github.com/gojimmypi/wolfssl/bl … rts.pem#L1

TLS 1.3 is considerably more strict, and I've not yet been able to assemble to proper certs that will work.

I'll work on this more tomorrow, just wanted to reply here & share my progress. It is an interesting problem.

Share

  • Registered: 2025-06-13
  • Posts: 8

Re: Simple SSL connection providing root certs

Hi gojimmypi,

Definitely major problem was related to lack of #define directives in user_settings.h. I only had defined #DEBUG_WOLFSSL and #HAVE_SNI but you have all these:

#define WOLFSSL_ESP_NO_WATCHDOG 1
#define DEBUG_WOLFSSL
#define DEBUG_WOLFSSL_VERBOSE
#define DEBUG_WOLFSSL_SHA_MUTEX
#define WOLFSSL_DEBUG_IGNORE_ASN_TIME
#define ASN_ALLOW_0_SERIAL
#define HAVE_SNI
#define WOLFSSL_ALT_CERT_CHAINS
#define HAVE_ECC
#define HAVE_X509
#define WOLFSSL_TLS13
#define WOLFSSL_TLS12

/* the root CA is using RSA */
#define HAVE_RSA
#define WOLFSSL_KEY_GEN
#define WC_RSA_BLINDING
#define FP_MAX_BITS 8192

After setting these same directives I can say my project is now working and I can connect to my website by using the appropriate root certificate, thank you very much.

Anyways let me share with you a couple of points. It'll be kind of a long post but just to clarify everything.

In order to validate the certificate chain received from the server, I understand I just have to add the root cert to validate the latest certificate in the chain received, right?

This works like this for google.com as in this example. If I inspect the chain received with openssl, I can see the latest certificate in the chain is "GTS Root R1":

2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
-----BEGIN CERTIFICATE-----
MIIFYjCCBEqgAwIBAgIQd70NbNs2+RrqIQ/E8FjTDTANBgkqhkiG9w0BAQsFADBX
MQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTEQMA4GA1UE
CxMHUm9vdCBDQTEbMBkGA1UEAxMSR2xvYmFsU2lnbiBSb290IENBMB4XDTIwMDYx
OTAwMDA0MloXDTI4MDEyODAwMDA0MlowRzELMAkGA1UEBhMCVVMxIjAgBgNVBAoT
GUdvb2dsZSBUcnVzdCBTZXJ2aWNlcyBMTEMxFDASBgNVBAMTC0dUUyBSb290IFIx
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAthECix7joXebO9y/lD63
ladAPKH9gvl9MgaCcfb2jH/76Nu8ai6Xl6OMS/kr9rH5zoQdsfnFl97vufKj6bwS
iV6nqlKr+CMny6SxnGPb15l+8Ape62im9MZaRw1NEDPjTrETo8gYbEvs/AmQ351k
KSUjB6G00j0uYODP0gmHu81I8E3CwnqIiru6z1kZ1q+PsAewnjHxgsHA3y6mbWwZ
DrXYfiYaRQM9sHmklCitD38m5agI/pboPGiUU+6DOogrFZYJsuB6jC511pzrp1Zk
j5ZPaK49l8KEj8C8QMALXL32h7M1bKwYUH+E4EzNktMg6TO8UpmvMrUpsyUqtEj5
cuHKZPfmghCN6J3Cioj6OGaK/GP5Afl4/Xtcd/p2h/rs37EOeZVXtL0m79YB0esW
CruOC7XFxYpVq9Os6pFLKcwZpDIlTirxZUTQAs6qzkm06p98g7BAe+dDq6dso499
iYH6TKX/1Y7DzkvgtdizjkXPdsDtQCv9Uw+wp9U7DbGKogPeMa3Md+pvez7W35Ei
Eua++tgy/BBjFFFy3l3WFpO9KWgz7zpm7AeKJt8T11dleCfeXkkUAKIAf5qoIbap
sZWwpbkNFhHax2xIPEDgfg1azVY80ZcFuctL7TlLnMQ/0lUTbiSw1nH69MG6zO0b
9f6BQdgAmD06yK56mDcYBZUCAwEAAaOCATgwggE0MA4GA1UdDwEB/wQEAwIBhjAP
BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTkrysmcRorSCeFL1JmLO/wiRNxPjAf
BgNVHSMEGDAWgBRge2YaRQ2XyolQL30EzTSo//z9SzBgBggrBgEFBQcBAQRUMFIw
JQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnBraS5nb29nL2dzcjEwKQYIKwYBBQUH
MAKGHWh0dHA6Ly9wa2kuZ29vZy9nc3IxL2dzcjEuY3J0MDIGA1UdHwQrMCkwJ6Al
oCOGIWh0dHA6Ly9jcmwucGtpLmdvb2cvZ3NyMS9nc3IxLmNybDA7BgNVHSAENDAy
MAgGBmeBDAECATAIBgZngQwBAgIwDQYLKwYBBAHWeQIFAwIwDQYLKwYBBAHWeQIF
AwMwDQYJKoZIhvcNAQELBQADggEBADSkHrEoo9C0dhemMXoh6dFSPsjbdBZBiLg9
NR3t5P+T4Vxfq7vqfM/b5A3Ri1fyJm9bvhdGaJQ3b2t6yMAYN/olUazsaL+yyEn9
WprKASOshIArAoyZl+tJaox118fessmXn1hIVw41oeQa1v1vg4Fv74zPl6/AhSrw
9U5pCZEt4Wi4wStz6dTZ/CLANx8LZh1J7QJVj2fhMtfTJr9w4z30Z209fOU0iOMy
+qduBmpvvYuR7hZL6Dupszfnw0Skfths18dG9ZKb59UhvmaSGZRVbNQpsg3BZlvi
d0lIKO2d1xozclOzgjXPYovJJIultzkMu34qQb9Sz/yilrbCgj8=
-----END CERTIFICATE-----

This "GTS Root R1" is issued by "GlobalSign Root CA" so just adding this certificate is enough and it works. This is one of 3 certificates you added in your example but if you keep just this one it still works. Fine.

GlobalSign Root CA
============
-----BEGIN CERTIFICATE-----
MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B
AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz
yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE
38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP
AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad
DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
-----END CERTIFICATE-----


The same applies for my website "lavnetremote.com". The last certificate in the chain is "R11":

1 s:C = US, O = Let's Encrypt, CN = R11
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
-----BEGIN CERTIFICATE-----
MIIFBjCCAu6gAwIBAgIRAIp9PhPWLzDvI4a9KQdrNPgwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw
WhcNMjcwMzEyMjM1OTU5WjAzMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDEMMAoGA1UEAxMDUjExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAuoe8XBsAOcvKCs3UZxD5ATylTqVhyybKUvsVAbe5KPUoHu0nsyQYOWcJ
DAjs4DqwO3cOvfPlOVRBDE6uQdaZdN5R2+97/1i9qLcT9t4x1fJyyXJqC4N0lZxG
AGQUmfOx2SLZzaiSqhwmej/+71gFewiVgdtxD4774zEJuwm+UE1fj5F2PVqdnoPy
6cRms+EGZkNIGIBloDcYmpuEMpexsr3E+BUAnSeI++JjF5ZsmydnS8TbKF5pwnnw
SVzgJFDhxLyhBax7QG0AtMJBP6dYuC/FXJuluwme8f7rsIU5/agK70XEeOtlKsLP
Xzze41xNG/cLJyuqC0J3U095ah2H2QIDAQABo4H4MIH1MA4GA1UdDwEB/wQEAwIB
hjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwEgYDVR0TAQH/BAgwBgEB
/wIBADAdBgNVHQ4EFgQUxc9GpOr0w8B6bJXELbBeki8m47kwHwYDVR0jBBgwFoAU
ebRZ5nu25eQBc4AIiMgaWPbpm24wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzAC
hhZodHRwOi8veDEuaS5sZW5jci5vcmcvMBMGA1UdIAQMMAowCAYGZ4EMAQIBMCcG
A1UdHwQgMB4wHKAaoBiGFmh0dHA6Ly94MS5jLmxlbmNyLm9yZy8wDQYJKoZIhvcN
AQELBQADggIBAE7iiV0KAxyQOND1H/lxXPjDj7I3iHpvsCUf7b632IYGjukJhM1y
v4Hz/MrPU0jtvfZpQtSlET41yBOykh0FX+ou1Nj4ScOt9ZmWnO8m2OG0JAtIIE38
01S0qcYhyOE2G/93ZCkXufBL713qzXnQv5C/viOykNpKqUgxdKlEC+Hi9i2DcaR1
e9KUwQUZRhy5j/PEdEglKg3l9dtD4tuTm7kZtB8v32oOjzHTYw+7KdzdZiw/sBtn
UfhBPORNuay4pJxmY/WrhSMdzFO2q3Gu3MUBcdo27goYKjL9CTF8j/Zz55yctUoV
aneCWs/ajUX+HypkBTA+c8LGDLnWO2NKq0YD/pnARkAnYGPfUDoHR9gVSp/qRx+Z
WghiDLZsMwhN1zjtSC0uBWiugF3vTNzYIEFfaPG7Ws3jDrAMMYebQ95JQ+HIBD/R
PBuHRTBpqKlyDnkSHDHYPiNX3adPoPAcgdF3H2/W0rmoswMWgTlLn1Wu0mrks7/q
pdWfS6PJ1jty80r2VKsM/Dj3YIDfbjXKdaFU5C+8bhfJGqU3taKauuz0wHVGT3eo
6FlWkWYtbt4pgdamlwVeZEW+LM7qZEJEsMNPrfC03APKmZsJgpWCDWOKZvkZcvjV
uYkQ4omYCTX5ohy+knMjdOmdH9c7SpqEWBDC86fiNex+O0XOMEZSa8DA
-----END CERTIFICATE-----


Which is issued by "ISRG Root X1", so if I just "ISRG Root X1" certificate, this also works:

ISRG Root X1
============
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAwTzELMAkGA1UE
BhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2VhcmNoIEdyb3VwMRUwEwYDVQQD
EwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQG
EwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMT
DElTUkcgUm9vdCBYMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54r
Vygch77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+0TM8ukj1
3Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6UA5/TR5d8mUgjU+g4rk8K
b4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sWT8KOEUt+zwvo/7V3LvSye0rgTBIlDHCN
Aymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyHB5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ
4Q7e2RCOFvu396j3x+UCB5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf
1b0SHzUvKBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWnOlFu
hjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTnjh8BCNAw1FtxNrQH
usEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbwqHyGO0aoSCqI3Haadr8faqU9GY/r
OPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CIrU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4G
A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY
9umbbjANBgkqhkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ3BebYhtF8GaV
0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KKNFtY2PwByVS5uCbMiogziUwt
hDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJw
TdwJx4nLCgdNbOhdjsnvzqvHu7UrTkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nx
e5AW0wdeRlN8NwdCjNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZA
JzVcoyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq4RgqsahD
YVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPAmRGunUHBcnWEvgJBQl9n
JEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57demyPxgcYxn/eR44/KJ4EBs+lVDR3veyJ
m+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----


So far so good but I found some examples where this doesn't work and I don't know why.

Let's check for example the website "as.com" which uses the same root cert of my website, this is the latest certificate in the chain:

-----END CERTIFICATE-----
1 s:C = US, O = Let's Encrypt, CN = R10
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
-----BEGIN CERTIFICATE-----
MIIFBTCCAu2gAwIBAgIQS6hSk/eaL6JzBkuoBI110DANBgkqhkiG9w0BAQsFADBP
MQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFy
Y2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMTAeFw0yNDAzMTMwMDAwMDBa
Fw0yNzAzMTIyMzU5NTlaMDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBF
bmNyeXB0MQwwCgYDVQQDEwNSMTAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQDPV+XmxFQS7bRH/sknWHZGUCiMHT6I3wWd1bUYKb3dtVq/+vbOo76vACFL
YlpaPAEvxVgD9on/jhFD68G14BQHlo9vH9fnuoE5CXVlt8KvGFs3Jijno/QHK20a
/6tYvJWuQP/py1fEtVt/eA0YYbwX51TGu0mRzW4Y0YCF7qZlNrx06rxQTOr8IfM4
FpOUurDTazgGzRYSespSdcitdrLCnF2YRVxvYXvGLe48E1KGAdlX5jgc3421H5KR
mudKHMxFqHJV8LDmowfs/acbZp4/SItxhHFYyTr6717yW0QrPHTnj7JHwQdqzZq3
DZb3EoEmUVQK7GH29/Xi8orIlQ2NAgMBAAGjgfgwgfUwDgYDVR0PAQH/BAQDAgGG
MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATASBgNVHRMBAf8ECDAGAQH/
AgEAMB0GA1UdDgQWBBS7vMNHpeS8qcbDpHIMEI2iNeHI6DAfBgNVHSMEGDAWgBR5
tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAKG
Fmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0gBAwwCjAIBgZngQwBAgEwJwYD
VR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVuY3Iub3JnLzANBgkqhkiG9w0B
AQsFAAOCAgEAkrHnQTfreZ2B5s3iJeE6IOmQRJWjgVzPw139vaBw1bGWKCIL0vIo
zwzn1OZDjCQiHcFCktEJr59L9MhwTyAWsVrdAfYf+B9haxQnsHKNY67u4s5Lzzfd
u6PUzeetUK29v+PsPmI2cJkxp+iN3epi4hKu9ZzUPSwMqtCceb7qPVxEbpYxY1p9
1n5PJKBLBX9eb9LU6l8zSxPWV7bK3lG4XaMJgnT9x3ies7msFtpKK5bDtotij/l0
GaKeA97pb5uwD9KgWvaFXMIEt8jVTjLEvwRdvCn294GPDF08U8lAkIv7tghluaQh
1QnlE4SEN4LOECj8dsIGJXpGUk3aU3KkJz9icKy+aUgA+2cP21uh6NcDIS3XyfaZ
QjmDQ993ChII8SXWupQZVBiIpcWO4RqZk3lr7Bz5MUCwzDIA359e57SSq5CCkY0N
4B6Vulk7LktfwrdGNVI5BsC9qqxSwSKgRJeZ9wygIaehbHFHFhcBaMDKpiZlBHyz
rsnnlFXCb5s8HKn5LsUgGvB24L7sGNZP2CX7dhHov+YhD+jozLW2p9W4959Bz2Ei
RmqDtmiXLnzqTpXbI+suyCsohKRg6Un0RC47+cpiVwHiXZAW+cn8eiNIjqbVgXLx
KPpdzvvtTnOPlC7SQZSYmdunr3Bf9b77AiC/ZidstK36dRILKz7OA54=
-----END CERTIFICATE-----


As you can see, the issuer is also "ISRG Root X1", the same root certificate from Let's Encrypt I'm using in my website. However, if you try to connect to "as.com" with "ISRG Root X1" certificate, it fails.

Then I just used the complete bundle from Mozilla and I observed that it works so I just deleted cert by cert until getting the root cert needed for this site. It's this one:

GlobalSign Root CA - R3
============
-----BEGIN CERTIFICATE-----
MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4
GA1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbF
NpZ24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwM
zE4MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzET
MBEGA1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQY
JKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2Ec
WtiHL8RgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUh
hB5uzsTgHeMCOFJ0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL
0gRgykmmKPZpO/bLyCiR5Z2KYVc3rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65
TpjoWc4zdQQ4gOsC0p6Hpsk+QLjJg6VfLuQSSaGjlOCZgdbKfd/+RFO+uIEn8rU
AVSNECMWEZXriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPabumDk3F2xmmFghcCA
wEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
BBYEFI/wS3+oLkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNv
AUKr+yAzv95ZURUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8
dEe3jgr25sbwMpjjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw
8lo/s7awlOqzJCK6fBdRoyV3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0
095MJ6RMG3NzdvQXmcIfeg7jLQitChws/zyrVQ4PkX4268NXSb7hLi18YIvDQVE
TI53O9zJrlAGomecsMx86OyXShkDOOyyGeMlhLxS67ttVb9+E7gUJTb0o2HLO02
JQZR7rkpeDMdmztcpHWD9f
-----END CERTIFICATE-----

But I cannot see this certificate anywhere in the chain. It works if you just type this only certificate, even if the "ISRG Root X1" is not present (???)


Also just another different case with the website "marca.com". In this case I am always getting "ASN_AFTER_DATE_E, -151, ASN date error, current date after" no matter what certificates I use. I cannot see any problem with dates when inspecting the chain received with openssl.



Now another doubt related to user_settings.h file. Where to define custom #define properties in my project?

I am using wolfSSL through ESP Component Registry.

For these tests I am setting the #define diferectives in the file user_settings contained in the downloaded component: "my_project\...\managed_components\wolfssl__wolfssl\include"

But this folder is out of the repository so it doesn't seem to be the correct place.

I can also see a README.md inside this folder that says:

# ./include

The wolfSSL-related `components/[name]/include` directory should be empty for all components except wolfssl.

See wolfssl for the `config.h` and `user_settings.h` files to publish.

Files in this directory are renamed with `.bak` suffixes when performing publish-time build checks.

But it's not clear to me what this means. I tried to put a copy of user_settings.h as a local component in "myproject/components/wolfssl/include" according to these lines of the CMakeLists.txt

# wolfSSL user_settings.h may be in the local project.
    # TODO check if exists and possibly set to ESP-IDF
    set(WOLFSSL_PROJECT_DIR "${CMAKE_HOME_DIRECTORY}/components/wolfssl")
    message(STATUS "WOLFSSL_PROJECT_DIR TEST = ${WOLFSSL_PROJECT_DIR}")

    string(REPLACE "/" "//" STR_WOLFSSL_PROJECT_DIR "${WOLFSSL_PROJECT_DIR}")
    add_compile_definitions(WOLFSSL_USER_SETTINGS_DIR="${STR_WOLFSSL_PROJECT_DIR}/include/user_settings.h")
    message(STATUS "Added definition for user_settings.h: -DWOLFSSL_USER_SETTINGS_DIR=\"${STR_WOLFSSL_PROJECT_DIR}//include//user_settings.h\"")

but then I get an error during compilation time because you cannot have wolfSSL in two different folders at the same time.

I also read this discussion (https://github.com/wolfSSL/wolfssl/issues/7969) and the solution seems to be using sdkconfig properties file?

For example I can see you already have this config property: "CONFIG_WOLFSSL_ALT_CERT_CHAINS", which is the equivalent of "#define WOLFSSL_ALT_CERT_CHAINS".

What about the rest of the #define directives we added in this example that doesn't seem to have an equivalent in sdkconfig? Where should I set them?


Thank you very much again for your help.

Share

  • Registered: 2022-05-24
  • Posts: 31

Re: Simple SSL connection providing root certs

Hi rocotocloc -

can say my project is now working and I can connect to my website by using the appropriate root certificate,

Yay! nicely done.

One of the things to be aware of for some CDN / load balanced sites such as `google.com` is that a different ISP may have a different cert chain. My ESP32 was connecting directly, my computer via VPN. For example, each would see a different result for:

openssl s_client -connect www.google.com:443 -showcerts -servername www.google.com < /dev/null

The root cause was the FP_MAX_BITS. I had it set to 4096, but that's for only a 2048 bit (the size needs to hold two operands!)

Since some of the certs use RSA, these are needed:

#define HAVE_RSA
#define FP_MAX_BITS (2 * 4096)

I put back your original curl file and confirmed it is working:

https://curl.se/ca/cacert.pem

I have this all resolved in the latest commit on my sample app:

https://github.com/gojimmypi/wolfssl/tr … ssl_client

I realize this is not at all intuitive, so I put together this PR that should make certificate troubleshooting vastly more easy:

https://github.com/wolfSSL/wolfssl/pull/8902

With the PR, when the `FP_MAX_BITS` is found to be too small at runtime, and when `WOLFSSL_DEBUG_CERTS` is enabled, a message such like this will be displayed:

I (15765) wolfssl: TFM fp_exptmod_nct failed: P.used (128) > (FP_SIZE/2); FP_SIZE: 136; FP_MAX_SIZE: 4096
I (15773) wolfssl: Consider adjusting current FP_MAX_BITS: 4096

Answers to your specific questions:

Where to define custom #define properties in my project?

All settings should be in the `user_settings.h`. There should be only one file, located in

[project]\components\wolfssl\include\user_settings.h

See the reference template project:

https://github.com/wolfSSL/wolfssl/tree … s/template

I am using wolfSSL through ESP Component Registry.

This will be a little tricky, as the registered components don't like to be changed. There will be instruction at build time to convert to a non-managed component.

major problem was related to lack of #define directives in user_settings.h but you have all these:

Oh, some of those were just for testing. Sorry for the confusion there. The one in the working commit, above, should be cleaned up now.

So far so good but I found some examples where this doesn't work and I don't know why.

I'm pretty sure this is the RSA and max bit settings.

For example I can see you already have this config property: "CONFIG_WOLFSSL_ALT_CERT_CHAINS", which is the equivalent of "#define WOLFSSL_ALT_CERT_CHAINS".

The wolfSSL setting is `WOLFSSL_ALT_CERT_CHAINS`. Macros with a `CONFIG_`prefix came from the ESP-IDF menuconfig via Kconfig.

Not clear what this means (in component README):

- The wolfSSL-related `components/[name]/include` directory should be empty for all components except wolfssl.

There are other components such as wolfssh and wolfmqtt; ONLY wolfssl should have a `user_settings.h` in the respective include directory

- Files in this directory are renamed with `.bak` suffixes when performing publish-time build checks.

This is intended for wolfssl maintainers. I'll make this more clear in future releases. It refereces what happens when components are published to the ESP Registry.


Please let me know if this answers all of your questions or if I can be of further assistance.

I'll be working more on additional `WOLFSSL_DEBUG_CERTS` functionality. Open to suggestions for other diagnostics.

Best Regards & Have a great weekend!

Jim

Share

  • Registered: 2025-06-13
  • Posts: 8

Re: Simple SSL connection providing root certs

Hi @gojimmypi,

Thanks again for all your support, things are much clearer now.

Just one clarification regarding user_settings.h.

Since I am using ESP Component Registry right now, wolfSSL is installed in "my_project\managed_components\wolfssl__wolfssl"

So I cannot place user_settings.h under "[project]\components\wolfssl\include\user_settings.h" or I get this error from CMakeLists.txt:

message(FATAL_ERROR "\nPlease use either the ESP Registry Managed Component or the wolfSSL component directory but not both.\n"
                        "If removing the ./managed_components/wolfssl__wolfssl directory, remember to also remove "
                        "or rename the idf_component.yml file typically found in ./main/")

So in this case I must use sdkconfig to tune wolfSSL, like setting "CONFIG_WOLFSSL_ALT_CERT_CHAINS=y" in sdkconfig file instead of "#define WOLFSSL_ALT_CERT_CHAINS" in user_settings.h. Is this correct? (I can see these properties end up in the file sdkconfig.h that is included from user_settings.h)

My only doubt here is that not all #define directives have their equivalent in the sdkconfig file, for example "#define HAVE_SNI". So how should I set this one in case I needed it? Should exist something like "CONFIG_HAVE_SNI" in sdkconfig?

Thanks again and forgive me for insisting.

Share

  • Registered: 2022-05-24
  • Posts: 31

Re: Simple SSL connection providing root certs

Hi rocotocloc -

Glad to help!

Just one clarification regarding user_settings.h.

I should have been more clear: the wolfssl user_settings.h needs to be in the wolfssl component directory, which may vary depending on if it is a managed component or not:

[project]\components\wolfssl\include\user_settings.h

  // or

[project]\managed_components\wolfssl__wolfssl\include\user_settings.h

  // or (for completeness, if not Managed Component and installed to ESP-IDF)

[ESP-IDF]\[version]\components\wolfssl\include\user_settings.h

And as you discovered, the Managed Component source is "locked" and is required to be converted to a non-managed component if contents changed. This includes the `user_settings.h`. There must also be exactly one wolfssl component throughout the entire toolchain.

See the docs:

https://docs.espressif.com/projects/esp … ystem.html

like setting "CONFIG_WOLFSSL_ALT_CERT_CHAINS=y" in sdkconfig

Somewhat. The sdkconfig file is auto-generated. I suggest you put desired default settings in the `sdkconfig.defaults` file.

My only doubt here is that not all #define directives have their equivalent in the `sdkconfig` file

Things like enabling WOLFSSL_ALT_CERT_CHAINS must be done via the `idy.py menuconfig` for Managed Components, which in turn means there must be Kconfig logic for the setting.

NOW is a good time to put in a request for any new Kconfig settings! smile We'll be having a release in the near future, so if you'd like anything specific to be included, please let me know right away and/or send a message to support [at] wolfssl.com

Cheers

Jim

Share

8 Reply by rocotocloc (edited by rocotocloc 2025-06-25 22:35:43)

  • Registered: 2025-06-13
  • Posts: 8

Re: Simple SSL connection providing root certs

Hi @gojimmypi,

Thanks, now it's all clear to me, just wanted to clarify how to set these custom properties.

Well, at the moment I don't need any extra properties to be set in sdkconfig since my project is working with default settings (since I am only connecting to my server from ESP32, I'll finally use a self-signed certificate and everything is working fine now). Anyways I understand that you should have in sdkconfig all the properties available so it's easy to tune wolfSSL when using the ESP Component Registry.

Thank you for your help!

Share