Hi chrisc, thanks for the response!

I'm working on an application for controlling house lights and other stuff via the internet, and I don't want unwanted clients controlling that.

Finally I made it work by loading the required certificates using the following functions:
wolfSSL_CTX_load_verify_locations
wolfSSL_use_certificate_buffer (instead of wolfSSL_CTX_use_certificate_buffer)
wolfSSL_use_PrivateKey_buffer (instead of wolfSSL_CTX_use_PrivateKey_file)

The examples use the functions with the CTX prefix, which I couldn't make work, but using the functions mentioned above works well.

Best Regards and thanks a lot!

I want to establish a connection between a client using wolfSSL and a server created in NodeJS (using TLS native API - http://nodejs.org/api/tls.html).

It supports TLSv1 + SSLv3.

On the server side I need to accept only clients that have a certificate signed by our own CA certificate.

So I create:

CA Private Key
CA Cert

Client Private Key
Client Cert

Server Private Key
Server Cert

I sign the Client Certificate using the CA Key & Cert and load it into wolfSSL.

In the client I use the following functions to load certificates:

wolfSSL_Init();
if ((ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())) == NULL) {
    fprintf(stderr, "wolfSSL_CTX_new error.\n");
    exit(EXIT_FAILURE);
}

// wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0); <== changing this setting doesn't affect the behavior

if ((ssl = wolfSSL_new(ctx)) == NULL) {
    fprintf(stderr, "wolfSSL_new error.\n");
    exit(EXIT_FAILURE);
}

/* CA used to verify the server, then the client's own certificate and key, all loaded into the context */
int caStatus = wolfSSL_CTX_load_verify_locations(ctx, "c:\\ca.crt", 0);
int cStatus  = wolfSSL_CTX_use_certificate_file(ctx, "c:\\client.crt", SSL_FILETYPE_PEM);
int kStatus  = wolfSSL_CTX_use_PrivateKey_file(ctx, "c:\\client.key", SSL_FILETYPE_PEM);

All of these load successfully, and then I verify using:

int vResult = wolfSSL_CTX_check_private_key(ctx);

And it's all okay... until now.

When I try to connect to the server:

int lpmkey = wolfSSL_CTX_check_private_key(ctx);
int rr = wolfSSL_set_fd(ssl, sock);
int ra = wolfSSL_connect(ssl);
if (ra != SSL_SUCCESS) {
    int ferr = wolfSSL_get_error(ssl, 0); // <=== I got the error code -208 (SOCKET_ERROR_E)
    char strerrorr[80];
    wolfSSL_ERR_error_string(ferr, strerrorr); // error state on socket
    exit(EXIT_FAILURE);
}

I think this happens because the server is strictly expecting a client certificate, and the client never sends it.
On the server side, if I don't ask for a client certificate (requestCert=false), the negotiation and connection work, but it's not validated (cleartextStream.authorized is false).

Just FYI... here's a snippet of how I start the TLS server:

var options = {
    key: fs.readFileSync('server.key'),
    cert: fs.readFileSync('server.crt'),
    ca: fs.readFileSync('ca.crt'),
    requestCert: true // if I set 'false' here everything works, but without validation
};

var server = tls.createServer(options, function(cleartextStream) ...

On the server side, I got the following error:

[Error: 140657365727008:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate:s3_srvr.c:2528:]

I was debugging the wolfSSL library to try to find out this issue... and I saw that the client never sends the certificate to the server.

The server seems to be working well... if I try to connect to it using curl, it works and verifies everything OK.

~# curl -v -s -k --key client.key --cert client.crt --cacert ca.crt https://localhost

Am I doing something wrong? Should I call another function, or something like that, so the client can send the signed certificate to the server?

Thanks in advance