You are not logged in. Please login or register.
Please post questions or comments you have about wolfSSL products here. It is helpful to be as descriptive as possible when asking your questions.
ReferenceswolfSSL - Embedded SSL Library → Posts by petrich
Pages 1
John, thank you for your reply.
I used wolfSSL 3.4.6.
Configure was:
./configure C_EXTRA_FLAGS="-DNO_CYASSL_SERVER" --enable-opensslextra --enable-sni --enable-sessioncerts --enable-hc128 --with-ntru=/usrThe same configure but compiled with the latest github sources (3.4.8) it works now.
Thank you again
Greetings
Hans-Juergen Petrich
Dear Team,
Does wolfSSL have, in this case, any altname check issues?
wget http://www.startssl.com/certs/ca.pem
examples/client/client -p 443 -m -v 1 -A ./ca.pem -h jabber.se
Fails with:
err = -322, peer subject name mismatch
wolfSSL error: SSL_connect failed
While
examples/client/client -p 443 -m -v 1 -A ./ca.pem -h www.jabber.se
Works.
peer's cert info:
issuer : /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
subject: /C=SE/CN=www.jabber.se/emailAddress=postmaster@jabber.se
altname = jabber.se
altname = www.jabber.se
serial number:10:36:d9
SSL version is TLSv1
SSL cipher suite is TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Any ideas why "altname = jabber.se" is being ignored?
Thank you in advance for help
Hans-Juergen Petrich
Hi Todd
In my test:
wget http://www.startssl.com/certs/ca.pem
examples/client/client -h jabber.se -p 443 -v 1 -A ./ca.pem -m
Fails (on my local Windows7 machine) with:
err = -322, peer subject name mismatch
yassl error: SSL_connect failed
While
examples/client/client -h www.jabber.se -p 443 -v 1 -A ./ca.pem -m
Works.
issuer : /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
subject: /C=SE/CN=www.jabber.se/emailAddress=postmaster@jabber.se
altname = jabber.se
altname = www.jabber.se
serial number:10:36:d9
In the (StartSSL) cert, the CN=www.jabber.se and altname=jabber.se... so it should work... should'nt it?
Or did i miss something?
Thank you for your time.
Greetings Hans-Jürgen Petrich
PS: client.exe was compiled on windows7(64bit) with mwing32 with the following ./configure
./configure C_EXTRA_FLAGS="-DFP_MAX_BITS=8192" --host=i386-pc-mingw32 --enable-fastmath --enable-opensslextra --enable-sni --enable-sha512 --enable-sha --enable-aesgcm --enable-aesccm --enable-ecc --enable-sessioncerts --enable-hc128 && make
Thank you John... exakt what i was looking for.
Greetings Hans-Jürgen Petrich :-)
Hallo Todd, thank you for your reply.
Ohh, i have to check it again (btw: i'm using the Version 3.2.0).
Maybe it's because i have to deal with wildcard* (alt)names in the cert. Does CyaSSL_check_domain_name() support wildcard (alt)names?
Thank you very much für your help.
Best greetings
Hans-Jürgen Petrich
Hallo John,
Are you looking at just the exports from the library?
Yes. The exports (for this functions http://www.yassl.com/yaSSL/Docs-cyassl- … ility.html ) are missing in libwolfssl-5.dll with the above ./configure && make (under Windows)
The build of libwolfssl-5.dll runs otherwise fine. Only the openssl-compatibility (from the above link) functions are not exported from wolfSSL embedded SSL.
Did i miss something in the ./configure parameter maybe?
Thank you and greetings
Hans-Jürgen Petrich
Dear Team
our build is on windows 7 (64bit) via mingw32(bit), configured with:
./configure C_EXTRA_FLAGS="-DFP_MAX_BITS=8192 -DNO_WOLFSSL_SERVER" --host=i386-pc-mingw32 --enable-fastmath --enable-opensslextra --enable-sni
Compiled with no errors but the openssl-compatibility functions (from: http://www.yassl.com/yaSSL/Docs-cyassl- … ility.html ) will not be exported in the libwolfssl-5.dll
All other works fine.
I was looking in the Makefile, and found the -DOPENSSL_EXTRA define flag:
AM_CFLAGS = -DOPENSSL_EXTRA -D_POSIX_THREADS -DHAVE_THREAD_LS -DNDEBUG -DHAVE_AESGCM -DHAVE_AESCCM -DWOLFSSL_SHA512 -DWOLFSSL_SHA384 -DNO_DSA -DHAVE_ECC -DTFM_ECC256 -DECC_SHAMIR -DNO_PSK -DNO_DH -DNO_MD4 -DNO_HC128 -DNO_RABBIT -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DUSE_FAST_MATH -Wall -Wno-unused -O2 -fomit-frame-pointer
Any ideas why the openssl-compatibility functions are not available in the dll?
Thank you
Greetings
Hans-Jürgen Petrich
Dear Team
currently CyaSSL_check_domain_name() does not verify altName's in the cert.
It would be great if have a 3th parameter for this, ie:
CyaSSL_check_domain_name(CYASSL* ssl, const char* dn, int checkAltName)
or similar.
Waht do you think?
Thank you for wolfSSL... 100% Top!
Greetings Hans-Jürgen Petrich
Hi Cuzz,
it seems that your case is an other issue.
Did you try loading the proper certificate authority file with -A ?
I did. And it works.
The cert issuer on this SSL/TLS Server is GeoTrust. So i downloaded: http://www.geotrust.com/resources/root_ … bal_CA.pem first.
wget -O ../../certs/GeoTrust_Global_CA.pem http://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.pem
client.exe -h vpn-students.poly.edu -p 443 -v 1 -A certs/GeoTrust_Global_CA.pemResult:
peer's cert info:
issuer : /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
subject: /C=US/ST=New York/L=Brooklyn/O=Polytechnic Institute of New York University/OU=Information Systems/CN=vpn-students.poly.edu
altname = vpn-students.poly.edu
serial number:01:82:4c
SSL version is TLSv1
SSL cipher suite is TLS_RSA_WITH_AES_256_CBC_SHAShould work with your client.exe also.
Greetings Hans-Jürgen
Chris, thank you for your explanation... very interesting.
Building with the latest github source... it works 
Best greetings... and thank you again for your time
Hans-Jürgen
Hi Yun,
But I did not find the place in the source code where this information is used for validation.
i think you are looking for:
wolfSSL_check_domain_name()
https://github.com/cyassl/cyassl/blob/m … ent.c#L628
and maybe additional also for:
wolfSSL_CTX_load_verify_locations()
https://github.com/cyassl/cyassl/blob/m … ent.c#L535
Greetings Hans-Jürgen
Hi Chris
i hope i'm not wasting your time... but after additional TLS tests with the mentioned SSL/TLS server i'm, currently, not sure anymore where (and why ) i stuck.
I was assuming that the SSL/TLS Server hobana.freenode.net (port 7000) accepting TLSv1 connects only if the client providing a cert.
Because with a client cert it works:
./examples/client/client -h hobana.freenode.net -p 7000 -v 1 -d -c certs/client-cert.pem -k certs/client-key.pemWhile without a client cert it does'nt work:
./examples/client/client -h hobana.freenode.net -p 7000 -v 1 -d -x
(err = -213, revcd alert fatal error)I was double check this then with openssl's client, providing no client cert too and, in wonder, openssl can connect successfully without a client cert:
openssl s_client -connect hobana.freenode.net:7000 -tls1So now i'm, again, not sure why wolfSSL is unable connecting to hobana.freenode.net (port 7000) with TLSv1 without a client cert while openssl can.
Do you have any idea?
Thank you.
Hans-Jürgen :-)
Hi Chris,
can confirm that. Was, as said, my fault.
Background was:
I had some trouble with an SSL/TLS Server (hobana.freenode.net) [using TLSv1 or SSLv3 protocol] where it is required using a client cert if connecting with TLSv1, but if connecting with SSLv3 the Server does not requiring a cert from the client.
Strange anyhow, or?
I was connecting to the server using wolfSSLv23_client_method()... but did'nt load a cert.
Because wolfSSLv23_client_method() is, of course, using TLSv1 first, the SSL_connect() failed with -1.
But was working with wolfSSLv3_client_method().
I wrongly was thinking then something with wolfSSLv23_client_method() is wrong... but did'nt realize that this Server, only in TLSv1, is requiring a client cert, which i not gave. That why the SSL_connect() failed with an alert.
Was testing it then with cacert.org... and the connect failed also. But the connect failed because default was TLSv1.2 ... which cacert does not support....
But now it's all clear
... thank you again for helping, and for wolfSSL embedded SSL!
Greetings
Hans-Jürgen
Ahh, Chris... forget my last post about the wolfSSLv23_client_method() 
... i din't see that /examples/client/client not using wolfSSLv23_client_method() as default, but wolfTLSv1_2_client_method() ... which, of course will fail then on cacert.org
But i (still) have a similar problem with wolfSSLv23_client_method() on a SSLv3/TLSv1 Server... have to check it again.
Hi Chris
I Understand. Thank you very much for your explanation. I was guessing similar.
After defined FP_MAX_BITS >= 8192 it works.
Maybe you could mention it in the API doc's somewhere, ie at wolfSSL_CTX_set_verify() and/or in the INSTALL?
Another question... just for understanding:
If i understand it right, wolfSSLv23_client_method() is meant connecting to a SSL/TLS server with the highest possible SSL/TLS protocol, beginning from TLSv1.2 down to TLSv1.1 -> TLSv1 -> SSLv3
I noticed that if a SSL/TLS Server supports (only) SSLv3 and TLSv1 but not TLSv1.1/TLSv1.2 the connect will failed if using wolfSSLv23_client_method(), but will work only when using wolfTLSv1_client_method() or wolfSSLv3_client_method()
For example cacert.org (Supports SSLv3 and/or TLSv1, but not TLSv1.1/TLSv1.2):
using wolfSSLv23_client_method()
./examples/client/client -h www.cacert.org -p 443 -d
err = -226, record layer version error
yassl error: SSL_connect failedusing wolfSSLv3_client_method():
./examples/client/client -h www.cacert.org -p 443 -d -v 0
SSL version is SSLv3using wolfTLSv1_client_method():
./examples/client/client -h www.cacert.org -p 443 -d -v 1
SSL version is TLSv1While on a SSLv3, TLSv1, TLSv1.1, TLSv1.2 capable server, like google.com, wolfSSLv23_client_method() works fine, ie:
./examples/client/client -h google.com -p 443 -d
SSL version is TLSv1.2So my question is, is there maybe a bug in wolfSSLv23_client_method() or is wolfSSLv23_client_method() meant only for SSLv3/TLSv1 servers, using the highest possible SSL/TLS version?
Thank you for your time.
Greetings
Hans-Jürgen
Hi There
It seems that wolfssl has problems verifying some (but not all) CA Certs if compiled with --enable-fastmath (wich is default)
For example:
unzip -q wolfssl-2.7.0.zip
cd wolfssl-2.7.0
./configure
make
wget http://www.cacert.org/certs/root.crt
./examples/client/client -h www.cacert.org -p 443 -v 1 -A root.crtResult:
err = -188, ASN no signer error to confirm failure
yassl error: SSL_connect failedIf configured with
./configure --disable-fastmathit works.
Result:
SSL version is TLSv1
SSL cipher suite is TLS_RSA_WITH_AES_256_CBC_SHATested on Win7 x64 [AMD K10] with mingGW and Centos6 x64 [INTEL Xeon E31240] with gcc
Could you help?
(btw: Absolut great product... Thank you very much for it)
Greetings
Hans-Jürgen Petrich
Pages 1
wolfSSL - Embedded SSL Library → Posts by petrich
Powered by PunBB, supported by Informer Technologies, Inc.
Generated in 0.020 seconds (96% PHP - 4% DB) with 4 queries