Topic: Communicating with the Google Accounts' Server

Hello everybody,

first of all, I am a complete beginner in secure communication over the internet - just so you know. Right now I am trying to implement communication with the Google Accounts server (https://accounts.google.com) to be able to authorize with the server using OAuth 2.0 as described here: https://developers.google.com/accounts/ … orDevices. My platform is an x86-64 running Win7, coding in C / C++ with Visual Studio.

The source of my problems seems to be the CA certificate. What I did: I went to https://accounts.google.com with my browser (Chrome) and exported the certificate to a DER-encoded binary X.509 file (*.cer). In my program I called CyaSSL_CTX_use_certificate_file(ctx, "..\\google_ca.cer", SSL_FILETYPE_RAW). When I try to send something, CyaSSL_connect() fails with the code -155.

Here is the debug output:

CyaSSL Entering CyaSSL_Init
CyaSSL Entering CYASSL_CTX_new
CyaSSL Leaving CYASSL_CTX_new, return 0
CyaSSL Entering CyaSSL_CTX_use_certificate_file
CyaSSL Entering SSL_new
CyaSSL Leaving SSL_new, return 0
CyaSSL Entering SSL_set_fd
CyaSSL Leaving SSL_set_fd, return 1
CyaSSL Entering SSL_connect()
connect state: CLIENT_HELLO_SENT
received record layer msg
CyaSSL Entering DoHandShakeMsg()
processing server hello
CyaSSL Leaving DoHandShakeMsg(), return 0
growing input buffer

received record layer msg
CyaSSL Entering DoHandShakeMsg()
processing certificate
Loading peer's cert chain
    Put another cert into chain
    Put another cert into chain
Found Basic CA constraint
Found optional critical flag, moving past
About to verify certificate signature
No CA signer to verify with
Failed to verify CA from chain
Veriying Peer's cert
Found Basic CA constraint
Found optional critical flag, moving past
About to verify certificate signature
No CA signer to verify with
Failed to verify Peer's cert
        No callback override availalbe, fatal
CyaSSL Leaving DoHandShakeMsg(), return -155
CyaSSL error occured, error = -155

Here is my code:

    #include <winsock2.h>
    #include <ws2tcpip.h>
    #include <cyassl/ssl.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #pragma comment(lib, "ws2_32.lib")

    // Report an error (with an optional library / Winsock error code) and exit.
    static void die(const char* msg, int code = 0)
    {
        fprintf(stderr, "%s (code %d)\n", msg, code);
        exit(EXIT_FAILURE);
    }

    // Placeholder request sent after the handshake; any well-formed HTTP
    // request will do for exercising the TLS connection.
    static const char* query =
        "GET / HTTP/1.1\r\nHost: accounts.google.com\r\nConnection: close\r\n\r\n";

    int main()
    {
        CyaSSL_Debugging_ON();
        if(CyaSSL_Init() != 0)
            die("Error: CyaSSL_Init");

        CYASSL_CTX* ctx;

        if ( (ctx = CyaSSL_CTX_new(CyaTLSv1_client_method())) == NULL)
            die("CyaSSL_CTX_new error.");

        // Load the certificate exported from the browser (DER file, RAW type)
        if (CyaSSL_CTX_use_certificate_file(ctx, "..\\google_ca.cer", SSL_FILETYPE_RAW) != SSL_SUCCESS)
            die("Error loading CA cert, please check the file.");

        // Socket- / TCP-Stuff
        WSADATA wsaData;
        if(WSAStartup(MAKEWORD(2, 2), &wsaData) != 0)
            die("Error: WSAStartup", WSAGetLastError());

        sockaddr_in addr;
        memset(&addr, 0, sizeof(addr));
        addr.sin_family = AF_INET;
        addr.sin_addr.s_addr = inet_addr("173.194.69.84");   // hard-coded server IP, no DNS lookup
        addr.sin_port = htons(443);

        SOCKET sock = socket(AF_INET, SOCK_STREAM, 0);
        if(sock == INVALID_SOCKET)
            die("Error: Invalid socket", WSAGetLastError());

        if(connect(sock, (SOCKADDR*) &addr, sizeof(addr)) != 0)
            die("Error: connect", WSAGetLastError());
        // Socket- / TCP-Stuff

        CYASSL* ssl;

        if ((ssl = CyaSSL_new(ctx)) == NULL)
            die("CyaSSL_new error.");

        CyaSSL_set_fd(ssl, (int) sock);

        // CyaSSL_connect returns SSL_SUCCESS (not 0) on a completed handshake
        if(CyaSSL_connect(ssl) != SSL_SUCCESS)
            die("Error: CyaSSL_connect", CyaSSL_get_error(ssl, 0));

        // READ WRITE:
        char recvbuf[4096];
        int result;

        if((result = CyaSSL_write(ssl, query, (int) strlen(query))) <= 0)
            die("Error: CyaSSL_write", CyaSSL_get_error(ssl, result));

        if((result = CyaSSL_read(ssl, recvbuf, sizeof(recvbuf) - 1)) <= 0)
            die("Error: CyaSSL_read", CyaSSL_get_error(ssl, result));
        recvbuf[result] = '\0';
        printf("%s\n", recvbuf);

        CyaSSL_free(ssl);

        CyaSSL_CTX_free(ctx);
        CyaSSL_Cleanup();

        // Socket- / TCP-Stuff
        closesocket(sock);
        WSACleanup();
        // Socket- / TCP-Stuff
        return 0;
    }

Can anybody help me?

Thanks. Sven


Re: Communicating with the Google Accounts' Server

Hi Sven,

Which certificate did you download from https://accounts.google.com/?  When I looked at the cert chain in my browser, this is the chain I see:

A.  Class 3 Public Primary Certification Authority
     B.  Thawte SGC CA
          C.  www.google.com

Regards,
Chris

Re: Communicating with the Google Accounts' Server

Hi Chris,
I tried all of them, none of them worked. Using cURL I got a working connection using the following *.pem file: http://curl.haxx.se/ca/cacert.pem. Unfortunately I get a parsing error when I try to open the file with wolfSSL [method: CyaSSL_CTX_load_verify_locations(ctx, "..\\cacert.pem", 0)]. After a lot of successful import actions the debug output says:

CyaSSL Leaving AddCA, return -148

That error occurs at the following cert: COMODO ECC Certification Authority.

Any further suggestions?!


Re: Communicating with the Google Accounts' Server

Hi Sven,

I was able to verify that wolfSSL can connect to the accounts.google.com server on port 443.  I used Firefox to download the root CA certificate from the https://accounts.google.com page.  My version of Firefox downloaded it in PEM format, which wolfSSL is able to use directly.  I have attached the root CA which I used (VerisignClass3PublicPrimaryCA.pem, "Class 3 Public Primary Certification Authority").

To test, I used wolfSSL's example client application (./examples/client/client), with a few slight modifications:

1)  I placed the above CA certificate into wolfSSL's certs directory and loaded it with the CyaSSL_CTX_load_verify_locations(...) function in ./examples/client/client.c:

CyaSSL_CTX_load_verify_locations(ctx, "./certs/VerisignClass3PublicPrimaryCA.pem", 0)

2)  I modified the client example to verify the peer:

CyaSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);

3)  From the wolfSSL home directory, I tried connecting to the accounts.google.com server on port 443 using the example client:

./examples/client/client accounts.google.com 443

You can see that wolfSSL successfully verified the peer:

CyaSSL Entering DoHandShakeMsg()
processing certificate
Loading peer's cert chain
    Put another cert into chain
    Put another cert into chain
Found Basic CA constraint
Found optional critical flag, moving past
About to verify certificate signature
Adding CA from chain
Adding a CA
Found Basic CA constraint
Found optional critical flag, moving past
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
CyaSSL Leaving AddCA, return 0
Veriying Peer's cert
Found Basic CA constraint
Found optional critical flag, moving past
About to verify certificate signature
Verified Peer's cert
CyaSSL Leaving DoHandShakeMsg(), return 0

Can you verify that this works for you?

Thanks,
Chris

Post's attachments

VerisignClass3PublicPrimaryCA.pem 848 b, 3 downloads since 2012-05-07 

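An added example, not code from this thread or from wolfSSL itself: a small stand-alone C tool for the two file-format problems discussed above, the DER export from the browser versus the PEM file that worked, and the parse error partway through a large PEM bundle such as cacert.pem. It classifies a buffer as DER or PEM by looking for the PEM markers and, failing that, by checking that the outer ASN.1 SEQUENCE length spans the whole buffer; it base64-decodes each PEM entry and walks a bundle, reporting the index of the first entry it cannot decode, so the bundle can be split and each certificate handed to the loader on its own to find the one it rejects. The sample bundle is constructed for the demonstration and contains no real certificates, and the check covers only base64 and outer SEQUENCE framing, not key or signature types the library itself may refuse.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of classifying a certificate file's bytes. */
enum cert_format { FMT_UNKNOWN = 0, FMT_DER = 1, FMT_PEM = 2 };

static const char PEM_BEGIN[] = "-----BEGIN CERTIFICATE-----";
static const char PEM_END[]   = "-----END CERTIFICATE-----";

/* Constructed sample bundle (not real CA certificates): the first entry decodes
 * to the 5-byte DER SEQUENCE 30 03 02 01 05, the second contains an illegal
 * base64 character and stands in for a corrupt entry. */
const char SAMPLE_BUNDLE[] =
    "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMAMC!QU=\n-----END CERTIFICATE-----\n";

/* Length of the outer DER SEQUENCE (header + body), or 0 if buf does not start
 * with a well-formed SEQUENCE that fits inside len bytes. */
size_t der_total_len(const unsigned char *buf, size_t len)
{
    size_t hdr = 0, body = 0, i;
    if (len < 2 || buf[0] != 0x30) return 0;
    if (buf[1] < 0x80) {                       /* short-form length */
        body = buf[1]; hdr = 2;
    } else {                                   /* long form: 0x8N then N length bytes */
        size_t nbytes = buf[1] & 0x7F;
        if (nbytes == 0 || nbytes > 4 || len < 2 + nbytes) return 0;
        for (i = 0; i < nbytes; i++) body = (body << 8) | buf[2 + i];
        hdr = 2 + nbytes;
    }
    return (hdr + body <= len) ? hdr + body : 0;
}

/* Locate a text marker inside a buffer that need not be NUL-terminated. */
static int contains(const unsigned char *buf, size_t len, const char *marker)
{
    size_t m = strlen(marker), i;
    for (i = 0; m <= len && i + m <= len; i++)
        if (memcmp(buf + i, marker, m) == 0) return 1;
    return 0;
}

/* PEM is tested first: '-' is 0x2D, but an arbitrary text file starting with
 * '0' (ASCII 0x30) would look like a SEQUENCE tag, so DER is accepted only when
 * the declared length spans the buffer exactly. */
enum cert_format detect_cert_format(const unsigned char *buf, size_t len)
{
    if (contains(buf, len, PEM_BEGIN)) return FMT_PEM;
    if (der_total_len(buf, len) == len) return FMT_DER;
    return FMT_UNKNOWN;
}

static int b64_val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode the next certificate at or after *cursor into out. Returns the DER
 * length, 0 when no further BEGIN line exists, or -1 on bad base64, a missing
 * END line, or insufficient output space. *cursor always moves forward. */
long pem_next_cert(const char **cursor, unsigned char *out, size_t out_cap)
{
    const char *begin = strstr(*cursor, PEM_BEGIN), *end, *p;
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;

    if (begin == NULL) return 0;
    begin += sizeof(PEM_BEGIN) - 1;
    *cursor = begin;                            /* progress even on error */
    end = strstr(begin, PEM_END);
    if (end == NULL) return -1;
    *cursor = end + sizeof(PEM_END) - 1;

    for (p = begin; p < end; p++) {
        int v;
        if (*p == '\r' || *p == '\n' || *p == ' ' || *p == '\t') continue;
        if (*p == '=') break;                   /* padding: no more data bits */
        if ((v = b64_val((unsigned char)*p)) < 0) return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= out_cap) return -1;
            out[n++] = (unsigned char)(acc >> bits);
            acc &= (1u << bits) - 1;            /* keep only the leftover bits */
        }
    }
    return (long)n;
}

/* Walk a bundle, decoding each entry and checking its DER framing. Returns the
 * number of well-formed entries; *first_bad gets the 0-based index of the first
 * entry that failed, or -1 if all decoded. */
int pem_bundle_check(const char *bundle, int *first_bad)
{
    const char *cur = bundle;
    unsigned char der[8192];                    /* larger than any CA cert in practice */
    int idx = 0, good = 0;
    long n;

    *first_bad = -1;
    while ((n = pem_next_cert(&cur, der, sizeof der)) != 0) {
        if (n > 0 && der_total_len(der, (size_t)n) == (size_t)n)
            good++;
        else if (*first_bad < 0)
            *first_bad = idx;
        idx++;
    }
    return good;
}

int main(void)
{
    int bad, good = pem_bundle_check(SAMPLE_BUNDLE, &bad);
    printf("format: %d (1 = DER, 2 = PEM)\n",
           detect_cert_format((const unsigned char *)SAMPLE_BUNDLE, strlen(SAMPLE_BUNDLE)));
    printf("%d well-formed certificate(s); first bad entry: %d\n", good, bad);
    return 0;
}
```

To use it on a real file, read the file into memory and pass the bytes to detect_cert_format; for a bundle, pem_bundle_check tells you which entry to cut out, and pem_next_cert gives you the raw DER of each entry to load one at a time.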

Re: Communicating with the Google Accounts' Server

Hi Chris,

thanks for your help! I forgot to call the function CyaSSL_CTX_set_verify (what exactly does it do? The manual does not actually say) and did not use the certificate in PEM format. Now it works!


Re: Communicating with the Google Accounts' Server

Hi Sven,

Glad to hear you got things working!

CyaSSL_CTX_set_verify sets options for how peer validation is done in wolfSSL's embedded SSL. It is very similar to OpenSSL's SSL_CTX_set_verify. They've got a pretty good man page on it, which you can view by running "man SSL_CTX_set_verify" in your terminal if you have the OpenSSL man pages installed, or alternatively you can view it here: http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html.

- Chris