[Migrated from SourceForge forums]

elsevers
(2009-08-28 23:35:30 UTC)

Hello,

I am having an issue getting wolfSSL embedded SSL to verify server certificates signed by VeriSign. I get a hash mismatch between the server's certificate and the CA (error code -155: ASN_SIG_CONFIRM_E)

To demonstrate this, I have been able to reproduce the problem by having the example project "client"  connect to https://www.amazon.com. To do this: simply make these two changes to the supplied project:

1) change the value of yasslIP to "http://www.amazon.com" and the value of yasslPort to 443.

2) replace ca-cert.pem (in \certs\) with VeriSign's generation 2, class 3 pem certificate.

Then, run the program, and you will experience the above problem.

(note: I made no other changes to the example client code. All defines and options were left as-is in the 1.0.6 download. I compiled and ran this from Visual Studio 6. I did confirm that I am using the correct CA by connecting to Amazon via curl.exe with this CA)

I also have the same issue with servers whose certificates are signed by VeriSign generation 1, class 3.

Any insight you might have would be greatly appreciated.

Thanks!

Eric

elsevers
(2009-08-29 23:18:47 UTC)

Update:

I apologize, I had an error in my last post: in step 1 - set the value of wolfsslIP to "http://www.amazon.com"

You can download the VeriSign root CA here: https://www.verisign.com/support/roots.html (you have to give them your email address first).

Again, any help would be greatly appreciated.

Thanks,
Eric

touska
(2009-08-31 00:28:53 UTC)

Hi Eric,

Thanks for the report.  I just verified the problem you're having.  I'll have more time tomorrow to look at it.  My first guess is that it might have something to do with the fact that the Verisign CA cert has a 2048 bit key but only a 1024 bit signature value.  I'll let you know what I find.

elsevers
(2009-08-31 15:21:54 UTC)

Great, thank you! Let me know what you find out.

-Eric

touska
(2009-09-01 18:26:50 UTC)

Figured out the problem and it had nothing to do with the key size or signature length.

The amazon cert (A) is signed by Verisign Class 3 Secure Server CA-G2 (B).

You correctly told wolfSSL to trust certs signed by B.  But wolfSSL checks every cert in the chain as the standard recommends.  And cert B is signed by Verisign Class 3 Public Primary Certificate Authority-G2 (C).  Since wolfSSL hadn't been told to also trust C, it's rejecting B because B's signer is unknown.  You'll also need to load cert C as a trusted cert like B.

You'll notice all browsers have both of the certs in their trust chain.

elsevers
(2009-09-02 14:29:16 UTC)

Thanks, Todd. I have gotten things working.

Sorry to have taken up your time on this -- I appreciate that you explained the issue so clearly to me. I am relatively new to SSL.

-Eric

touska
(2009-09-02 15:44:52 UTC)

No problem,  let me know what else you run into.