1 (edited by fangfanglalala 2014-07-07 03:53:13)

Topic: Question:error -188 No CA signer to verify with ASN_NO_SIGNER_E

Hi,everyone!
We have ported the wolfSSL embedded SSL module to our platform. Our platform acts as a TLS client, and when we do not check the server's certificate the handshake succeeds.
Then we enabled server-certificate checking as shown below:
                /* Client-side TLS configuration: present no client certificate and
                 * verify the server's chain against the single CA held in
                 * googlerootca_cert (loaded later with wolfSSL_CTX_load_verify_buffer).
                 * NOTE(review): sizeof(googlerootca_cert) - 1 is only the PEM length if
                 * googlerootca_cert is a NUL-terminated char array (e.g. a string
                 * literal); if it is declared as a pointer this is sizeof(pointer) - 1.
                 * Confirm its declaration. */
                tls_init_config_t cfg = {
                    .tls.client.ca_cert          = googlerootca_cert,
                    .tls.client.ca_cert_size     = sizeof(googlerootca_cert) - 1,
                    .tls.client.client_cert      = NULL,
                    .tls.client.client_cert_size = 0,
                    .flags                       = TLS_CHECK_SERVER_CERT,
                };
We use Google's HTTPS server for testing. googlerootca_cert is meant to be Google's root CA; we obtained it from https://www.google.com.
wolfSSL_CTX_load_verify_buffer() is called to load googlerootca_cert as the trusted CA used to verify the server's certificate chain.
After the client receives the server's certificate it tries to verify it, but verification fails with ASN_NO_SIGNER_E. Some of the error logs are below.
         No CA signer to verify with
         Failed to verify CA from chain
         WOLFSSL Leaving DoHandShakeMsgType(), return -188
         WOLFSSL Leaving DoHandShakeMsg(), return -188
Why does wolfSSL report that no CA signer was found?
While decoding the certificate's extensions the following messages also appear; we are not sure whether these are real errors or just extensions being skipped.
                  wolfSSL Entering DecodeCertExtensions
                  wolfSSL Entering DecodeSubjKeyId
                  found optional critical flag, moving past
                   wolfSSL Entering DecodeBasicCaConstraint
                  Extension type not handled, skipping
                   wolfSSL Entering DecodeCrlDist
                  found optional critical flag, moving past
                  Extension type not handled, skipping
                  Extension type not handled, skipping
                  Extension type not handled, skipping
                   wolfSSL Entering DecodeAltNames
                  Not DNS type
                   wolfSSL Entering DecodeAuthKeyId
                  fail: wanted OPTIONAL item 0, not available
Can anyone help? The client initialization code is below:

static int _tls_session_init_client(tls_session_t *s, int sockfd,
                    const tls_init_config_t *cfg)
{
    int ret;
    SSL_METHOD *method;

#if defined(WOLFSSL_DTLS)
    method = DTLSv1_client_method();
    tls_d("DTLSv1!");
#elif !defined(NO_TLS)
    method = SSLv23_client_method();
    tls_d("SSLv23!");
#else
    method = SSLv3_client_method();
        tls_d("SSLv3!");
#endif

    s->ctx = SSL_CTX_new(method);

    if (cfg->flags & TLS_CHECK_SERVER_CERT) {
        ASSERT(cfg->tls.client.ca_cert_size != 0);
        /* Load server certificates  from buffer */
        tls_d("Loading CA certificate file. Size: %d",
              cfg->tls.client.ca_cert_size);
        ret = wolfSSL_CTX_load_verify_buffer(s->ctx,
                            cfg->tls.client.ca_cert,
                            cfg->tls.client.
                            ca_cert_size,
                            SSL_FILETYPE_PEM);
        if (ret != SSL_SUCCESS) {
            tls_e("Unable to load CA certificate");
            SSL_CTX_free(s->ctx);
            return -WM_FAIL;
        }
    } else {
        tls_d("Disabling certificate check");
        SSL_CTX_set_verify(s->ctx, SSL_VERIFY_NONE, 0);
    }

    
    s->ssl = SSL_new(s->ctx);
    SSL_set_fd(s->ssl, sockfd);

#ifdef NON_BLOCKING
//no define NON_BLOCKING
    tcp_set_nonblocking(&sockfd);
    NonBlockingSSL_Connect(s->ssl);
#else
#ifndef WOLFSSL_CALLBACKS
//no define WOLFSSL_CALLBACKS
    tls_d("Starting SSL connect");
    /* see note at top of README */
    if (SSL_connect(s->ssl) != SSL_SUCCESS) {
#ifdef CONFIG_ENABLE_ERROR_LOGS
        int err = SSL_get_error(s->ssl, 0);
        char buffer[80];
        tls_e("err = %d, %s", err, ERR_error_string(err, buffer));
        /* if you're getting an error here  */
        tls_e("SSL_connect failed");
#endif /* CONFIG_ENABLE_ERROR_LOGS */
        tls_d("did SSL_connect");
        SSL_free(s->ssl);
        tls_d("did SSL_free");
        SSL_CTX_free(s->ctx);
        tls_d("did SSL_CTX_free");
        return -WM_FAIL;
    }
#else
    timeout.tv_sec = 2;
    timeout.tv_usec = 0;
    NonBlockingSSL_Connect(s->ssl);    /* will keep retrying on timeout */
#endif
#endif
    showPeer(s->ssl);

    s->session_setup_done = true;

    tls_d("SSL Connect success");

#ifdef CONFIG_WPA2_ENTP
    if (cfg->flags & TLS_WPA2_ENTP)


Re: Question:error -188 No CA signer to verify with ASN_NO_SIGNER_E

Hi,

Can you verify that the CA certificate you load is the one that actually issued the top of the chain Google's server presents, rather than the site certificate itself? ASN_NO_SIGNER_E ("No CA signer to verify with") means none of the loaded CAs matched the issuer of the chain. I have attached the root CA which works for me.

Thanks,
Chris

Post's attachments

Equifax_Secure_Certificate_Authority.pem 1.13 kb, 8 downloads since 2014-08-05 
