Topic: Error -188 while connecting to accounts.google.com

Hello to everybody,

Following the instructions of a similar post (https://www.wolfssl.com/forums/topic218 … erver.html), I am trying to connect to accounts.google.com using a static address (216.58.205.205:443).
I've downloaded their certificates using Mozilla:
On the lock sign -> Security -> View certificate.
I downloaded all three: GeoTrust Global CA -> Google Internet Authority G2 -> *.google.com, using the export function as X509 Certificate (PEM) with a .crt extension. All three certificates verify with no errors when loaded with:
lReturned = wolfSSL_CTX_load_verify_locations( xWolfSSL_ClientContext, "GeoTrustGlobalCA.crt", 0 );

But all three fail in the connect state with -188 ASN_NO_SIGNER_E if I set:
wolfSSL_CTX_set_verify(xWolfSSL_ClientContext,  SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);

If I set:
wolfSSL_CTX_set_verify(xWolfSSL_ClientContext,  SSL_VERIFY_NONE, 0);

The connection succeeds.

I get the same response with the Visual Studio client as well as with my ported code on my STM32F446 platform, so I suspect that I am missing something regarding the CA files.

Any suggestions?

Here is my code:

lReturned = wolfSSL_CTX_load_verify_locations( xWolfSSL_ClientContext, "GeoTrustGlobalCA.crt", 0 );
configASSERT( lReturned == SSL_SUCCESS );

wolfSSL_CTX_set_verify( xWolfSSL_ClientContext, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0 );

/* Create the socket. */
xClientSocket = socket( AF_INET, SOCK_STREAM, 0 );
configASSERT( xClientSocket != INVALID_SOCKET );

/* Connect to the secure server. */
if( connect( xClientSocket, ( SOCKADDR * ) &xConnection, sizeof( xConnection ) ) == 0 )
{
    /* The connect was successful. Create a wolfSSL object to associate with this connection. */
    xWolfSSL_Object = wolfSSL_new( xWolfSSL_ClientContext );

    if( xWolfSSL_Object != NULL )
    {
        /* Associate the created wolfSSL object with the connected socket. */
        lReturned = wolfSSL_set_fd( xWolfSSL_Object, xClientSocket );
        configASSERT( lReturned == SSL_SUCCESS );

        /* The count is used to differentiate between messages sent to
        the server, and to break out of the do while loop below. */
        ulCount = 0UL;

        /* Run the TLS handshake. With SSL_VERIFY_PEER set, the peer certificate
        chain is verified here, and this is the call that fails with -188. */
        lReturned = wolfSSL_connect( xWolfSSL_Object );
        if( lReturned != SSL_SUCCESS )
        {
            /* wolfSSL_get_error() returns the underlying error code (-188 = ASN_NO_SIGNER_E). */
            int lError = wolfSSL_get_error( xWolfSSL_Object, lReturned );
        }

        /* ................ Do something useful here */
    }
}


Re: Error -188 while connecting to accounts.google.com

Hi abrous3d,

The cert chain for accounts.google.com is:

 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=accounts.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2

 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

The Equifax Secure Cert Authority is the root CA you need to verify with. That cert is located here:
https://knowledge.geotrust.com/support/ … ;id=SO5761

I have successfully tested this with our example client:

kalebs-MacBook-Pro:clean-wolfssl khimes$ ./examples/client/client -h 216.58.205.205 -p 443 -A certs/Equifax_Secure_Certificate_Authority.pem -g
SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSL connect ok, sending GET...
Server response: HTTP/1.0 404 Not Found
Content-Type: text/html; charset=UTF-8
Content-Length: 1571
Date: Mon, 20 Feb 2017 17:05:32 GMT
Alt-Svc: quic=":443"; ma=2592000; v="35,34"

<!DOCTYPE html>
<html lang=en>
  <meta charset=utf-8>
  <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
  <title>Error 404 (Not Found)!!1</title>
  <style>
    *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}
  </style>
  <a href=//www.google.com/><span id=logo aria-label=Google></span></a>
  <p><b>404.</b> <ins>That’s an error.</ins>
  <p>The requested URL <code>/index.html</code> was not found on this server.  <ins>That’s all we know.</ins>

Best Regards,

Kaleb

Re: Error -188 while connecting to accounts.google.com

Hello Kaleb,

Indeed, that was the problem. Using Equifax.cer I am able to verify successfully with accounts.google.
My question is, how can I get the CA root from a given server? I used Mozilla to examine the certificate tree of accounts.google.
In the attachment, you can see that GeoTrust Global CA is on top, so I assumed that this is the root CA I have to verify with, but it was not. Am I missing something?

Best regards,

abrous3d


Re: Error -188 while connecting to accounts.google.com

Hi abrous3d,

I don't think you are missing anything obvious; browsing to accounts.google.com in a browser takes you to wherever the browser decides to redirect you. To check a specific domain directly I use openssl's s_client from the terminal, so I know I'm hitting the domain I'm actually targeting. Here is the command I used:

openssl s_client -showcerts -connect accounts.google.com:443 </dev/null

I cleaned up the dump before posting it in my initial response, but I only look at the subject and issuer information leading each certificate body. You know that the final issuer is the signing authority, and in this case it happened to be:

 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

Then I just googled "Equifax Secure Certificate Authority Download", which brought me to the correct site for downloading the CA. (I do not use the one returned by openssl s_client because, if someone were spoofing a domain, the domain might return a bad cert with the same issuer credentials. I find it good practice to download directly from the source once you determine which cert it SHOULD be.)

Hope this helps.


Warm Regards,

Kaleb
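The two replies from Kaleb above find the right trust anchor by reading the subject/issuer lines of `openssl s_client -showcerts` output and taking the issuer of the last certificate the server sends. As an added example, not code from wolfSSL or from either poster, the Python below does that walk over a constructed snippet in the same format (the s:/i: lines are the ones quoted in the thread; the PEM bodies are placeholders and are never decoded). It also models the two verifier policies at play in the thread: a chain walker that needs a signer for the last certificate sent, which is what fails when only GeoTrust Global CA is loaded, and a browser-style verifier that accepts as soon as some certificate in the chain is itself a trust anchor, which is why Firefox showed GeoTrust Global CA at the top of its tree. All function and constant names are the example's own.

```python
"""Find the trust anchor a server-sent certificate chain actually needs.

Added example for this thread; not wolfSSL code and not from the posts.
It parses a constructed snippet shaped like `openssl s_client -showcerts`
output and applies the rule from the replies: the CA to load is the issuer
of the LAST certificate the server sends, not the top of a browser's tree.
"""
import re
from typing import List, Optional, Set, Tuple

# Constructed sample: the s:/i: lines are the chain quoted in the thread; the
# PEM bodies are placeholders, not real certificates, and are never decoded.
SAMPLE_SHOWCERTS = """\
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=accounts.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
"""

GEOTRUST = "/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA"
EQUIFAX = "/C=US/O=Equifax/OU=Equifax Secure Certificate Authority"

# OpenSSL 1.0.x prints names as "/C=US/O=..." (as in the thread); 1.1.1+ prints
# "C = US, O = ...".  Names are kept verbatim, so compare like with like.
_SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER = re.compile(r"^\s*i:(.*)$")


def parse_chain(showcerts_output: str) -> List[Tuple[str, str]]:
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain: List[Tuple[str, str]] = []
    pending: Optional[str] = None
    for line in showcerts_output.splitlines():
        m = _SUBJECT.match(line)
        if m:
            pending = m.group(2).strip()
            continue
        m = _ISSUER.match(line)
        if m and pending is not None:
            chain.append((pending, m.group(1).strip()))
            pending = None
    return chain


def first_broken_link(chain: List[Tuple[str, str]]) -> Optional[int]:
    """Index of the first cert whose issuer is not the next cert's subject,
    or None if the chain is contiguous (a gap = a missing intermediate)."""
    for i in range(len(chain) - 1):
        if chain[i][1] != chain[i + 1][0]:
            return i
    return None


def verify_by_name(chain: List[Tuple[str, str]], trusted: Set[str],
                   accept_trusted_intermediate: bool = False) -> Tuple[bool, str]:
    """Name-chaining model of two verifier policies (no signatures checked).

    Default: walk the chain exactly as sent and require the issuer of its last
    certificate to be in the trust store.  With only GeoTrust Global CA loaded
    the last cert is issued by Equifax, so no signer is found: the situation
    behind wolfSSL's ASN_NO_SIGNER_E (-188) in the thread.

    accept_trusted_intermediate=True: succeed as soon as any cert in the chain
    is itself a trust anchor, which is how a browser holding the GeoTrust
    Global CA root ends up showing it at the top of its tree.
    """
    if not chain:
        return False, "no peer certificate"
    if accept_trusted_intermediate:
        for depth, (subject, _issuer) in enumerate(chain):
            if subject in trusted:
                return True, f"entry {depth} ({subject}) is a trust anchor"
    last_subject, last_issuer = chain[-1]
    if last_issuer in trusted:
        return True, f"last entry is signed by trusted CA {last_issuer}"
    return False, f"no signer for {last_subject}; load {last_issuer}"


def needed_trust_anchor(showcerts_output: str) -> str:
    """Name of the CA to fetch from its publisher: issuer of the last cert sent."""
    chain = parse_chain(showcerts_output)
    if not chain:
        raise ValueError("no certificate chain found in s_client output")
    return chain[-1][1]


if __name__ == "__main__":
    print("load:", needed_trust_anchor(SAMPLE_SHOWCERTS))
    print(verify_by_name(parse_chain(SAMPLE_SHOWCERTS), {GEOTRUST}))
```

The script matches on names only. A real verifier proves each link with the CA's public key (the signature check) and, where present, the authority key identifier, which is exactly why the reply above fetches the Equifax root from its publisher rather than from the server: a spoofed server can send a certificate carrying the right issuer name, but not one the real root's key signed. A cross-signed root such as GeoTrust Global CA (here issued by Equifax) verifies under one policy and not the other, so check which policy your TLS stack implements instead of trusting what a browser displays.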