1 Reply by j3ll3

(3 replies, posted in wolfSSL)

Hello David,

Thank you for the reply. Attached I have the requested wireshark trace and certificates to reproduce the problem.
Please let me know if you need anything else.

The OCSP responder runs with openssl on ocsp-responder.local with the following command:
openssl ocsp -index ~/ocsp_root_responder/index.txt -port 8080 -rsigner ~/ocsp_root_responder/ocsp_root.cert.pem -rkey ~/ocsp_root_responder/ocsp_root.key.pem -CA /~/ocsp_root_responder/v2g_root.cert.pem -text -ndays 7

Go to forum: wolfSSL

2 Topic by j3ll3

(3 replies, posted in wolfSSL)

For evaluation of wolfSSL I am trying to create a server that supports OCSP stapling.

I expect that the server starts and will send an OCSP request to the OCSP responder so it can cache the OCSP response and staple it to the the certficate when a client connects.

It is the equivalent of the openssl function which works:
openssl s_server -CAfile ~/workspace/v2g_pki/v2g_root/certs/v2g_root.cert.pem -key ~/workspace/v2g_pki/cpo_sub_1/private/cpo_sub_1.key.pem -cert ~/workspace/v2g_pki/cpo_sub_1/certs/cpo_sub_1.cert.pem -accept 11111 -status_verbose

Steps that I made:

1. Compile WolfSSL V4.5.0 on Linux with configuration: --enable-ocsp --enable-ocspstapling2 --enable-debug
2. Created my own PKI with:
- A root certificate
- An OCSP responder certificate (signed by the root CA)
- An intermediate certificate with an OCSP URI to the OCSP responder (signed by the root CA)
3. I verified the PKI with openssl and everything works as expected.
4. I have an OCSP responder running with openssl
5. I have the wolfSSL server running from the examples with: ./server -c ~/workspace/v2g_pki/cpo_sub_1/certs/cpo_sub_1.cert.pem -k ~/workspace/v2g_pki/cpo_sub_1/private/cpo_sub_1.key.pem -A ~/workspace/v2g_pki/v2g_root/certs/v2g_root.cert.pem -d -b
6. Now I run the wolfSSL client (also from the example) to connect to the wolfSSL server with: ./client -h 192.168.2.183 -A ~/v2g_root.cert.pem -x (this works as expected).
7. When I run now the client with OCSP stapling enabled (./client -W 3 -h 192.168.2.183 -A ~/v2g_root.cert.pem -x) I get the following error on the wolfSSL server:

wolfSSL Leaving SendCertificate, return 0
accept state CERT_SENT
wolfSSL Entering SendCertificateStatus
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthInfo
wolfSSL Entering GetObjectId()
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
No CA signer to verify with
ParseCert failed
wolfSSL Entering FreeOcspRequest
wolfSSL Leaving SendCertificateStatus, return -188
wolfSSL error occurred, error = -188
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -188
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -188
wolfSSL Entering ERR_error_string
SSL_accept error -188, ASN no signer error to confirm failure
wolfSSL error: SSL_accept failed

I made a trace with wireshark and I can't see any OCSP requests/responses. The TLS connection is setup with a Client Hello, Server Hello and Certificate message but then the server closes the TCP connection.
Now I am stuck with the error code 188. Does anyone have any suggestions?

Thank you in advance.

Go to forum: wolfSSL