Topic: Two way authentication issue resolved in wolfSSL

2008-01-03 10:18:54 UTC
Hello,

I was trying to do an SSL connection from an embedded arm-linux device to a Custom Server using openssl. I did eventually succeed while doing unit tests, but when I added it to the main code repository the application would simply run out of memory (due to openssl's heavy memory footprint).

I accidentally bumped into yassl and this looks like it's going to be my saviour because wow, the footprint is incredibly small.

But I'm having the following problems:

1.) Latest stable download does not successfully make a connection to the Custom Server. The Custom Server ONLY supports two-way authentication. I do not have access to the custom server code. From reading the forum posts, I gathered that the latest stable does not support two-way authentication which is why I downloaded the latest CVS.

2.) I could successfully compile the latest CVS for arm-linux except the files ssl.c and cyassl_int.c were missing includes for error.h from ctaocrypt. On adding error.h includes to the files it compiles alright. However on connecting to the server and hangs at the following point:

result = SSL_connect(ssl);

It looks like the two-authentication is failing at some point. Where could the problem be? I would gladly want to help on two-way authentication testing and support.
#
touskaProject Admin

[Avatar]
2008-01-03 22:07:26 UTC
Hi,

1) Not sure why you're getting the compilation problem. Both ssl.c and cyassl_int.c include cyassl_error.h which includes error.h from ctaocrypt. Maybe I need to be more specific about which error.h in case you have a system one lying around in the path?

2) I was able to duplicate the problem you're having on a new openssl server. I only tested the client against cyassl, yassl, and an older version of openssl. Looks like I'm sending an error alert or have misformated the client certificate send. I'll figure out the problem, submit a fix, and let you know when it's done. Thanks for the report.

-Todd
#
touskaProject Admin

[Avatar]
2008-01-03 22:31:20 UTC
Hi,

Looks like I spoke to soon. I was sending an error alert, but correct in this case because my test wasn't set up correctly. I didn't have the right CA certificate to verify the server's cert.

yaSSL/CyaSSL differ from OpenSSL in the sense that we consider an unverified certificate an error, one that ends the session. The fix, either load the correct CA certificate to verify or explicitly tell yaSSL/CyaSSL to turn off verification errors with:

SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);

The latter is OK for testing but I don't recommend it for real use. Find out which CA certificates you need, find them on the web or export them from your browser, and load them with:

SSL_CTX_load_verify_locations();

I hope this helps and is the problem you are encountering. If not, let me know.

-Todd
#
wirelessmatrix

[Avatar]
2008-01-04 07:20:54 UTC
Hi Todd,

Thanks alot for your response.

Here's the code I'm using to initialize the context:

SSL_CTX *initialize_ctx(char * keyfile, char * password)
{
SSL_METHOD *meth;
SSL_CTX *ctx;

// Create our context...
meth = SSLv3_client_method();
ctx = SSL_CTX_new(meth);

// Load our keys and certificates...
if(!(SSL_CTX_use_certificate_file(ctx, CLIENT_CERT, SSL_FILETYPE_PEM)))
{
general_error("Couldn't read client certificate file!");
return NULL;
}

if (!(SSL_CTX_use_PrivateKey_file(ctx, PRIVATE_KEY, SSL_FILETYPE_PEM))){
general_error("Couldn't read private Key file!");
return NULL;
}

// Load the CAs we trust...
if (!(SSL_CTX_load_verify_locations(ctx, SERVER_CA, 0))){
general_error("Couldn't read CA List/Truststore for the Server!");
return NULL;
}

SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);

return ctx;
}

And here's the main code:

// Build our SSL context...
general_error("Initializing SSL context...");
ctx = initialize_ctx(PRIVATE_KEY, PRIVATE_KEY_PASSWORD);
if(ctx == NULL){
general_error("ctx is NULL. Exiting!");
exit(0);
}

// Connect the TCP socket...
general_error("Performing a TCP connection...");
sock = tcp_connect();
if (sock < 0) {
general_error("Error with socket. Exiting!");
exit(0);
}

// Connect the SSL socket...
general_error("Doing an SSL connection...");
ssl = SSL_new(ctx);
SSL_set_fd(ssl, sock);
result = SSL_connect(ssl);
//result = MakeMasterSecret(ssl);
if (result <= 0){
fprintf(stderr, "SSL connect error number %hd. Exiting!\n", result);
exit(0);
}

wolfSSL compatibility is good and I've hardly changed anything from openssl except remove the SSL_CTX_set_default_passwd_cb and SSL_CTX_set_verify_depth methods. The SERVER_CA is self-signed. I'll try and dig deeper to find out where the problem is. It could also be that wolfSSL fails to authenticate itself correctly to the Server.

#
touskaProject Admin

[Avatar]
2008-01-07 21:40:42 UTC
Hi,

Removing SSL_CTX_set_default_password_cb() -- because we don't support it in wolfSSL yet of course -- could be the problem here. Is the private key file you're using encrypted? We could add this support, it's in yaSSL, we've just left it out for the sake of size and simplicity so far.

If that's not the problem, is the server accessible to the public. That is, could I test it? If you're having problems debugging the embedded device you could try testing the authentication on a linux box. You could modify the examples/client test by changing the yasslIP, yasslPort, cliCert, cliKey, and caCert in examples/test.h and give it a go. Ideally the behavior is exactly the same smile

Let me know what you find.

-Todd

Share