Topic: Error while using Secure Renegotiation with HTTPS and client cert auth

Hi everyone,

I'm using wolfSSL to perform an HTTPS request using the client example provided on GitHub (wolfssl/examples/client/).

The endpoint I'm querying is using Certificate Authentication and requires the use of Secure Renegotiation.
When the renegotiation happens I get an error from the client and it fails.

When doing it with curl or postman it succeeds using the same key and cert.

The commands:

For the configuration (I had to add extra parameters even with --enable-all to get as far as the secure renegotiation):

./configure --enable-all --enable-pkcs11 --enable-asio --enable-harden --enable-debug --enable-static --enable-openssl-extra --enable-secure-renegotiation --enable-enc-then-mac

make -j$(nproc) && ./examples/client/client -h my-hostname.com -p 443 -c /data/cert.pem -k /data/key.pem -d -f -R

...
Doing Leaf CRL check
wolfSSL Entering CheckCertCRL
wolfIO_HttpProcessResponse content type is too short.
Couldn't find CRL for status check
Issuing missing CRL callback
    CRL check not ok
Freeing ASN1 data
Freeing ASN1 OBJECT
Freeing ASN1 data
Freeing ASN1 OBJECT
wolfSSL Entering wolfSSL_EVP_PKEY_free
wolfSSL Entering wolfSSL_RSA_free
wolfSSL_BN_free
wolfSSL_BN_free
wolfSSL_BN_free
wolfSSL_BN_free
wolfSSL_BN_free
wolfSSL_BN_free
wolfSSL_BN_free
wolfSSL_BN_free
wolfSSL Entering wolfSSL_OBJ_nid2obj()
wolfSSL Entering wolfSSL_EVP_PKEY_free
wolfSSL Entering wolfSSL_d2i_PUBKEY
wolfSSL Entering wolfSSL_EVP_PKEY_new_ex
wolfSSL Entering wolfSSL_RSA_new
wolfSSL Entering wolfSSL_RSA_LoadDer
Entering SetRsaExternal
Entering SetIndividualExternal
wolfSSL_BN_new
Entering SetIndividualExternal
wolfSSL_BN_new
wolfSSL Entering wolfSSL_OBJ_nid2obj()
Not verifying certificate key usage
Not verifying certificate ext key usage
Ignoring CRL problem based on verify setting
wolfSSL Leaving ProcessPeerCerts, return 0
wolfSSL Leaving DoCertificate, return 0
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
More messages in record
Bundled encrypted messages, remove middle pad
received record layer msg
got HANDSHAKE
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server key exchange
wolfSSL Entering DoServerKeyExchange
wolfSSL Entering RsaVerify
wolfSSL Leaving RsaVerify, return 51
wolfSSL Leaving DoServerKeyExchange, return 0
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
More messages in record
Bundled encrypted messages, remove middle pad
received record layer msg
got HANDSHAKE
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing certificate request
wolfSSL Entering DoCertificateRequest
wolfSSL Leaving DoCertificateRequest, return 0
Shrinking input buffer

wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
More messages in record
Bundled encrypted messages, remove middle pad
    middle padding error
wolfSSL error occurred, error = 313 line:11597 file:src/ssl.c
wolfSSL Leaving wolfSSL_negotiate, return -1
wolfSSL Leaving wolfSSL_read_internal(), return -1
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -313
wolfSSL Entering ERR_error_string

Example of the command used to generate the key:

openssl genrsa -aes128 -out /data/key.key 2048
openssl rsa -in  /data/key.key -out  /data/key.key
openssl rsa -in  /data/key.key -out /data/key.pem -outform PEM

Any idea what I'm missing or doing wrong?

Thanks

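A small log-triage helper, added here as an example and not part of this thread or of wolfSSL itself. It walks a wolfSSL debug trace like the one above, pulls the error number and source location out of the "wolfSSL error occurred" line, keeps the diagnostic messages that immediately precede it (here the "middle padding error"), reads the value returned by SSL_get_error, and lists the CRL-related messages separately so that the CRL status-check problem and the renegotiation failure are not conflated. The embedded trace is a constructed excerpt of the lines posted above; the function and class names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt of the wolfSSL debug trace from the post above,
# trimmed to the lines the triage actually looks at.
SAMPLE_TRACE = """\
Doing Leaf CRL check
wolfSSL Entering CheckCertCRL
wolfIO_HttpProcessResponse content type is too short.
Couldn't find CRL for status check
Issuing missing CRL callback
    CRL check not ok
Ignoring CRL problem based on verify setting
wolfSSL Leaving ProcessPeerCerts, return 0
More messages in record
Bundled encrypted messages, remove middle pad
    middle padding error
wolfSSL error occurred, error = 313 line:11597 file:src/ssl.c
wolfSSL Leaving wolfSSL_negotiate, return -1
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -313
"""

# Shape of the error line wolfSSL prints when debugging is enabled.
ERROR_RE = re.compile(r"wolfSSL error occurred, error = (\d+) line:(\d+) file:(\S+)")
GET_ERROR_RE = re.compile(r"SSL_get_error, return (-?\d+)")
# Messages that indicate the CRL status check did not succeed.
CRL_MARKERS = ("Couldn't find CRL", "CRL check not ok", "Ignoring CRL problem")


@dataclass
class Triage:
    error_code: Optional[int] = None
    source_file: Optional[str] = None
    source_line: Optional[int] = None
    preceding: List[str] = field(default_factory=list)  # diagnostics right before the error
    crl_findings: List[str] = field(default_factory=list)
    ssl_get_error: Optional[int] = None


def _is_bracket(line: str) -> bool:
    """Entering/Leaving lines only mark call nesting; they carry no diagnostic."""
    return line.startswith("wolfSSL Entering") or line.startswith("wolfSSL Leaving")


def triage_wolfssl_trace(text: str, context: int = 3) -> Triage:
    """Extract the first error, its location, the diagnostics before it and CRL findings."""
    t = Triage()
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        if any(line.startswith(m) for m in CRL_MARKERS):
            t.crl_findings.append(line)
        m = ERROR_RE.search(line)
        if m and t.error_code is None:
            t.error_code = int(m.group(1))
            t.source_line = int(m.group(2))
            t.source_file = m.group(3)
            # Walk backwards, skipping call-nesting lines, to keep the last
            # `context` real diagnostics that led up to the error.
            found = []
            for prev in reversed(lines[:i]):
                if prev and not _is_bracket(prev):
                    found.append(prev)
                if len(found) == context:
                    break
            t.preceding = list(reversed(found))
        g = GET_ERROR_RE.search(line)
        if g:
            t.ssl_get_error = int(g.group(1))
    return t


def summarize(t: Triage) -> str:
    """Render the triage as a short report."""
    out = []
    if t.error_code is not None:
        out.append(f"error {t.error_code} at {t.source_file}:{t.source_line}")
        out.append("preceded by: " + " | ".join(t.preceding))
    if t.ssl_get_error is not None:
        out.append(f"SSL_get_error returned {t.ssl_get_error}")
    if t.crl_findings:
        out.append("CRL findings: " + "; ".join(t.crl_findings))
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(triage_wolfssl_trace(SAMPLE_TRACE)))
```

Feeding the full trace from the post through `triage_wolfssl_trace` gives the same picture as reading it by hand: the CRL messages are logged and then ignored because of the verify setting, and the actual fatal condition is the "middle padding error" reported from src/ssl.c while the renegotiation handshake is being processed.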

Re: Error while using Secure Renegotiation with HTTPS and client cert auth

@remix,

Try adding dash capital c (-C) to disable the requirement to load a certificate revocation list. Let us know if this resolves the CRL check failing.

Warm Regards,

K

Re: Error while using Secure Renegotiation with HTTPS and client cert auth

Thanks for your answer.

I just tried with the -C option but I still have the same error.

Kaleb J. Himes wrote:

@remix,

Try adding dash capital c (-C) to disable the requirement to load a certificate revocation list. Let us know if this resolves the CRL check failing.

Warm Regards,

K