Important changes to forums and questions
All forums and questions are now archived. To start a new conversation or read the latest updates go to forums.mbed.com.
9 years, 10 months ago.
Is there an example using CA certificate verification for the Wolf CyaSSL library?
I'm trying to implement HTTPS protocol using the HTTPClient-SSL library that Doug Anson developed: http://developer.mbed.org/teams/MBED_DEMOS/code/HTTPClient-SSL/
Currently, I am able to setup the TLS v1.2 encryption and connect to websites with it activated when: CyaSSL_CTX_set_verify() is set to VERIFY_NONE.
Unfortunately, as soon as I set it to: CyaSSL_CTX_set_verify(ctx, SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0); the code fails on receiving the peer certificate. It lists some debug prints indicating it's movement through the function calls, with two specific messages standing out: [...] No CA signer to verify with Failed to verify CA from chain [...] Failed to verify Peer's cert [...]
It says it has processed the three certificates that I'm passing to it, but then it fails on the peer interaction as if the certificates where absent, or something. (PEM format)
What function calls are necessary for initialization of the certificate processing? What parameters should be passed to these function calls? Is there a way to verify the certificates loaded into the CyaSSL object?
I've included a log file of a session attempt with "google.com" as the server to create a session with, as well as the CA root certificate, the intermediate certificate, and the server certificate. /media/uploads/Vanger/googlecert.cer /media/uploads/Vanger/googlecorpcert.cer /media/uploads/Vanger/geotrust_global_ca.cer
Debugging and working through some of the issues I found with my setup: 1) Make sure to delimit certificates with \r\n as well as each line of the certificate. 2) Only the CA certificates are needed, but make sure you have the correct root one. 3) Try to read through and verify all of the #define's that you need under CyaSSL/cyassl/ctaocrypt/settings.h
Currently gotten to the point where all of the root CA certificates load, the client authenticates them with the server (using https://google.com for this), and the handshake process seems to finish successfully. But, the code throws an error: VERSION_ERROR -226 record layer version error. Working through the values of the client when the error occurs, it seems as if it is trying to negotiate an ssl version with the server, but failing to store them for use later when it starts to send the data request.
Checking through my settings, I didn't have SHA512 or SHA384 set, so I went to turn them on. The compiler then started giving "undefined identifier" errors for anything related to the SHA384.
As far as I can tell, the SHA384 code is fully implemented with no need to modify/create implementations.
posted by Elijah P 08 Jan 2015