1 (edited by Joe 2020-12-16 02:33:54)

Topic: Error in using curl and wolfssl to implement HTTPS

Hi everyone,
I am trying to use curl + wolfSSL to implement HTTPS on ARM Linux, but there is an error.
When I use curl + OpenSSL to test the same code, there is no problem at all.

Curl version: 7.74.0
wolfSSL version: 3.13.0
OpenSSL version: 1.1.1.1i

The error message is as follows:
==========================================================
[1]About to verify certificate signature
[1]Verified Peer's cert
[1]DomainName match on common name failed
[1]Checking AltNames
[1]     individual AltName check
[1]     individual AltName check
[1]     individual AltName check
[1]     individual AltName check
[1]     individual AltName check
[1]     individual AltName check
[1]     individual AltName check
[1]     individual AltName check
[1]     individual AltName check
[1]     individual AltName check
[1]DomainName match on alt names failed too
[1]growing output buffer

[1]Shrinking output buffer

[0]wolfSSL error occurred, error = 322 line:8854 file:src/ssl.c
*       subject alt name(s) or common name do not match "qnzthome.51110.com"

[1]CTX ref count not 0 yet, no free
[1]Shrinking input buffer

[1]CTX ref count down to 0, doing full free

==========================================================


Part of my test code is as follows:
==========================================================

#include <stdio.h>
#include <string.h>
#include <curl/curl.h>
#include <wolfssl/options.h>   /* build options chosen by ./configure */
#include <wolfssl/ssl.h>

#define TEST_URL "https://qnzthome.51110.com/"

static size_t total_size = 0;

/* curl write callback: append the received body to the output file and
 * return the number of bytes consumed (curl always passes size == 1). */
static size_t save_response_callback(void *buffer, size_t size, size_t count, void *file_fp)
{
    printf("recv data size :%zu, %zu byte\n", size, count);

    total_size += (size * count);
    return fwrite(buffer, 1, size * count, (FILE *)file_fp);
}

/* wolfSSL logging callback: print only the most important levels */
static void log_printf(const int level, const char *message)
{
    if (NULL == message) return;
    if (level <= 1)
        printf("[%d]%s\n", level, message);
}

int main(int argc, char *argv[])
{
    CURL *curl;
    CURLcode res = CURLE_OK;

    curl_global_init(CURL_GLOBAL_DEFAULT);

    curl_version_info_data *info = curl_version_info(CURLVERSION_NOW); /* never NULL */

    /* protocols is a NULL-terminated array of protocol names */
    for (int index = 0; info->protocols[index] != NULL; index++)
        printf("%s ", info->protocols[index]);
    printf("\n version:%s, ssl version :%s\n", info->version, info->ssl_version);

    FILE *fp = fopen("/tmp/nfs/pic.jpg", "w+");
    if (fp == NULL) {
        perror("fopen");
        curl_global_cleanup();
        return 1;
    }

    curl = curl_easy_init();

    wolfSSL_SetLoggingCb(log_printf);
    wolfSSL_Debugging_ON();

    char errbuf[CURL_ERROR_SIZE];
    errbuf[0] = '\0';   /* curl does not always write the buffer on error */

    if (curl != NULL) {
        printf("URL <%s>\n", TEST_URL);

        curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errbuf);

        curl_easy_setopt(curl, CURLOPT_URL, TEST_URL);
        curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, save_response_callback);
        curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void *)fp);
        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);

        curl_easy_setopt(curl, CURLOPT_CAINFO, "/tmp/nfs/cacert-1.pem");

        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);
        curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);   /* long, as curl expects */
        curl_easy_setopt(curl, CURLOPT_TIMEOUT, 30L);

        res = curl_easy_perform(curl);
        printf("res : %d, total size %zu\n", (int)res, total_size);
        if (res != CURLE_OK) {
            printf("curl_easy_perform error = %s, %s\n", curl_easy_strerror(res), errbuf);
        }
        curl_easy_cleanup(curl);
    }
    fclose(fp);
    curl_global_cleanup();
    return (res == CURLE_OK) ? 0 : 1;
}

==========================================================




When porting wolfssl, the configuration is as follows:
==========================================================
./configure --host=${host} --prefix=${wolfssl_path}/wolfssl-3.13.0/install/ --disable-shared --enable-static --enable-tls13 --enable-ecc --enable-debug
==========================================================


Curl is configured as follows:
==========================================================
./configure --prefix=$(pwd)/install/${arch} --build=i686-pc-linux-gnu --host=${host} --enable-optimize --disable-werror --enable-ares=${cares_path}/lib/lib/lib/c-ares-1.17.1/install --enable-shared=no --enable-static=yes --enable-libgcc --disable-ipv6 --enable-versioned-symbols --enable-threaded-resolver --enable-pthreads --disable-verbose --enable-unix-sockets --without-zlib CFLAGS=-fPIC CPPFLAGS=-fPIC --disable-tftp --disable-ftp --disable-telnet --disable-pop3 --disable-imap --disable-mqtt --disable-smtp --disable-rtsp --disable-smb --with-wolfssl --without-ssl
==========================================================


Please give me some clues to help me solve my problem.

Thanks in advance


Re: Error in using curl and wolfssl to implement HTTPS

Hi Joe,

It looks like you are using a current version of curl. wolfSSL is currently at version 4.5 (3.13 is 3 years old). Is it possible for you to try with a more recent version of wolfSSL?


3 (edited by Joe 2020-12-16 18:19:53)

Re: Error in using curl and wolfssl to implement HTTPS

jeff wrote:

Hi Joe,

It looks like you are using a current version of curl. wolfSSL is currently at version 4.5 (3.13 is 3 years old). Is it possible for you to try with a more recent version of wolfSSL?

Hi jeff,
Thanks for your response.
I also realized this problem after posting. But I tried the latest version of wolfSSL (4.5.0), and it's the same thing.
Do you have any other ideas? For example, is there anything wrong with the configuration options?
PS: I tried changing

curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);

to

curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);

and it works normally. But I need to verify the domain name.


Re: Error in using curl and wolfssl to implement HTTPS

I've been able to reproduce this and saw that different certificates are being returned.

Building wolfSSL with

--enable-sni

should address this. This includes the server name in the Client Hello so the server will send the appropriate certificate.


Hope that addresses your issue.

Details
Using Wireshark, I captured the certificates when running

curl -vvI https://qnzthome.51110.com/ --tls-max 1.2
./examples/client/client -h qnzthome.51110.com -p 443 -A /etc/ssl/certs/DigiCert_Global_Root_CA.pem -m -v3

I saw the same certificate in gdb using the example program you had shared with TLS v1.3.

Note that if you test with the example client you will need to add -S

./examples/client/client -h qnzthome.51110.com -p 443 -A /etc/ssl/certs/DigiCert_Global_Root_CA.pem -m -v3 -S qnzthome.51110.com

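To make the failure in the log and the fix above concrete, here is an added example (not code from the thread or from wolfSSL) that models the two pieces involved: the server's certificate selection, which can only honour the requested site name when the client sends SNI, and the hostname check that runs after chain verification (common name first, then each subjectAltName, wildcard honoured only as the whole left-most label). The certificate names are constructed, not the real certificates for qnzthome.51110.com.

```python
# Added example: model of SNI-dependent certificate selection and of the
# hostname check whose trace appears in the wolfSSL debug log. Certificate
# contents are constructed and do not describe the real server.
from dataclasses import dataclass, field

@dataclass
class Cert:
    common_name: str
    alt_names: list = field(default_factory=list)

def _name_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match. A '*' counts only as the whole
    left-most label: '*.example.com' matches 'a.example.com' but neither
    'a.b.example.com' nor 'example.com'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], host.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == host

def match_domain(cert: Cert, host: str):
    """Return (ok, trace); the trace follows the order seen in the log."""
    trace = []
    if _name_match(cert.common_name, host):
        trace.append("DomainName match on common name")
        return True, trace
    trace.append("DomainName match on common name failed")
    trace.append("Checking AltNames")
    for name in cert.alt_names:
        trace.append("individual AltName check")
        if _name_match(name, host):
            return True, trace
    trace.append("DomainName match on alt names failed too")
    return False, trace

def select_certificate(certs: dict, default: Cert, sni_host):
    """A multi-site server picks the certificate for the SNI name; with no
    SNI it can only send its default certificate."""
    return default if sni_host is None else certs.get(sni_host.lower(), default)

# Constructed certificates: the server's default one and one for our site.
DEFAULT_CERT = Cert("default.example", ["default.example", "www.default.example"])
SITE_CERT = Cert("qnzthome.51110.com", ["qnzthome.51110.com", "*.51110.com"])
SERVER_CERTS = {"qnzthome.51110.com": SITE_CERT}

def handshake(host: str, use_sni: bool):
    """Return (verified, trace) for a client with or without SNI enabled."""
    cert = select_certificate(SERVER_CERTS, DEFAULT_CERT, host if use_sni else None)
    return match_domain(cert, host)

if __name__ == "__main__":
    for sni in (False, True):
        ok, trace = handshake("qnzthome.51110.com", sni)
        print(f"SNI={sni}: verified={ok}; " + "; ".join(trace))
```

Run without SNI the trace ends in "DomainName match on alt names failed too", matching the original log; with SNI the site certificate is selected and the common name matches.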