0x2700 - X509 - Certificate verification failed, e.g. CRL, CA or signature check failed #139
Comments
This fails because you don't provide the 'top', but the one below. Try this one instead.
Thanks, it's solved.
@pjbakker What's 'top'? Didn't understand what you meant.
@FarhanAhmad A certificate chain runs all the way from a child certificate to the 'top' (the CA certificate). That said, I believe the behaviour of verification has been modified in more recent versions, so you might now be able to provide a 'middle' certificate as trusted instead. Maybe @sbutcher-arm can comment on that?
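The 'top' versus 'middle' distinction from the comment above can be checked offline on certificate files before they are handed to `mbedtls_ssl_conf_ca_chain`. This is an added example, not part of the thread and not Mbed TLS code: it uses the OpenSSL command line as a stand-in verifier, whose chain-building rules are not necessarily those of Mbed TLS, and every subject and file name in it is constructed.

```shell
#!/bin/sh
# Added example. All subjects and file names are constructed for illustration.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

new_csr() {  # new_csr NAME SUBJECT -> $WORK/NAME.key and $WORK/NAME.csr
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

sign() {  # sign NAME ISSUER [x509 options]: certificate for NAME signed by ISSUER
  name=$1; issuer=$2; shift 2
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
    -CAkey "$WORK/$issuer.key" -CAcreateserial -days 30 "$@" \
    -out "$WORK/$name.pem" 2>/dev/null
}

make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
  new_csr root "/CN=Example Root CA" || return 1
  new_csr mid "/CN=Example Intermediate CA" || return 1
  new_csr leaf "/CN=server.example" || return 1
  # The 'top': a self-signed root CA.
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -days 30 -out "$WORK/root.pem" 2>/dev/null || return 1
  # The 'middle' CA is signed by the root, the server certificate by the middle CA.
  sign mid root -extfile "$WORK/ca.ext" || return 1
  sign leaf mid
}

verify_leaf() {  # verify_leaf ANCHOR [verify options]: exit status 0 = chain accepted
  anchor=$1; shift
  openssl verify "$@" -CAfile "$WORK/$anchor.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

report() {  # report LABEL ANCHOR [verify options]
  label=$1; shift
  if verify_leaf "$@"; then echo "$label: OK"; else echo "$label: verification failed"; fi
}

make_chain || { echo "openssl could not build the sample chain" >&2; exit 1; }
report "trust root, middle CA supplied as untrusted" root -untrusted "$WORK/mid.pem"
report "trust root, middle CA missing" root
report "trust middle CA only" mid
report "trust middle CA only, partial chains allowed" mid -partial_chain
```

Only the first and last cases are accepted: a verifier that insists on reaching a self-signed root rejects a trust store holding just the middle certificate, and accepts it only when partial chains are explicitly allowed.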
@pjbakker I am facing a similar error ('-9984 - X509 - Certificate verification failed, e.g. CRL, CA or signature check failed') at the 'mbedtls_ssl_handshake' call.
Server partial code:
..............
Client side code:
Please let me know if I am doing anything wrong in the order of the 'mbedtls_ssl_conf_ca_chain' and 'mbedtls_ssl_conf_own_cert' calls, or anywhere else. Also, which certificates (CA, client, server certs) are mainly required in the server-side and client-side code? Thanks in advance.
My issue is resolved. I was facing it because the certificates I am using are invalid.
@PravallikaKG Yes, because you haven't self-signed them.
How did you solve it? I ran into something like it: ssl_tls.c:4643: |1| x509_verify_cert() returned -9984 (-0x2700)
@Carmeloning Certificate verification failure can happen for many reasons. For example, you haven't set the correct trusted root certificate.
I had a similar error when I was generating the Root CA certificate from a 1024-bit RSA key.
@martinius96
@RonEld Thanks a lot. I finally found it in the code.
@Carmeloning Certificate verification failure can happen for many reasons. For example, you haven't set the correct trusted root certificate. When certificate verification fails, it returns:

```
ssl_cli.c:3386: |2| client state: 0
ssl_tls.c:2471: |2| => flush output
ssl_tls.c:2483: |2| <= flush output
ssl_cli.c:3386: |2| client state: 1
ssl_tls.c:2471: |2| => flush output
ssl_tls.c:2483: |2| <= flush output
ssl_cli.c:770: |2| => write client hello
ssl_tls.c:2764: |2| => write record
ssl_tls.c:2471: |2| => flush output
ssl_tls.c:2489: |2| message length: 189, out_left: 189
ssl_tls.c:2496: |2| ssl->f_send() returned 189 (-0xffffff43)
ssl_tls.c:2523: |2| <= flush output
ssl_tls.c:2922: |2| <= write record
ssl_cli.c:1085: |2| <= write client hello
ssl_cli.c:3386: |2| client state: 2
ssl_tls.c:2471: |2| => flush output
ssl_tls.c:2483: |2| <= flush output
ssl_cli.c:1478: |2| => parse server hello
ssl_tls.c:3809: |2| => read record
ssl_tls.c:2252: |2| => fetch input
ssl_tls.c:2412: |2| in_left: 0, nb_want: 5
ssl_tls.c:2436: |2| in_left: 0, nb_want: 5
ssl_tls.c:2438: |2| ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
ssl_tls.c:2458: |2| <= fetch input
ssl_tls.c:2252: |2| => fetch input
ssl_tls.c:2412: |2| in_left: 5, nb_want: 66
ssl_tls.c:2436: |2| in_left: 5, nb_want: 66
ssl_tls.c:2438: |2| ssl->f_recv(_timeout)() returned 61 (-0xffffffc3)
ssl_tls.c:2458: |2| <= fetch input
ssl_tls.c:3846: |2| <= read record
ssl_cli.c:1760: |2| server hello, total extension length: 17
ssl_cli.c:1949: |2| <= parse server hello
ssl_cli.c:3386: |2| client state: 3
ssl_tls.c:2471: |2| => flush output
ssl_tls.c:2483: |2| <= flush output
ssl_tls.c:4376: |2| => parse certificate
ssl_tls.c:3809: |2| => read record
ssl_tls.c:2252: |2| => fetch input
ssl_tls.c:2412: |2| in_left: 0, nb_want: 5
ssl_tls.c:2436: |2| in_left: 0, nb_want: 5
ssl_tls.c:2438: |2| ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
ssl_tls.c:2458: |2| <= fetch input
ssl_tls.c:2252: |2| => fetch input
ssl_tls.c:2412: |2| in_left: 5, nb_want: 877
ssl_tls.c:2436: |2| in_left: 5, nb_want: 877
ssl_tls.c:2438: |2| ssl->f_recv(_timeout)() returned 872 (-0xfffffc98)
ssl_tls.c:2458: |2| <= fetch input
ssl_tls.c:3846: |2| <= read record
Verifying certificate at depth 0:
cert. version : 1
serial number : 8D:9E:62:C5:CC:7A:BA:B6
issuer name : C=CN, ST=myprovince, L=mycity, O=myorganization, OU=mygroup, CN=myCA
subject name : C=CN, ST=myprovince, L=mycity, O=myorganization, OU=mygroup, CN=myServer
issued on : 2019-01-14 02:25:20
expires on : 2020-01-14 02:25:20
signed using : RSA with SHA1
RSA key size : 2048 bits
ssl_tls.c:4643: |1| x509_verify_cert() returned -9984 (-0x2700)
ssl_tls.c:4180: |2| => send alert message
ssl_tls.c:2764: |2| => write record
ssl_tls.c:2471: |2| => flush output
ssl_tls.c:2489: |2| message length: 7, out_left: 7
ssl_tls.c:2496: |2| ssl->f_send() returned 7 (-0xfffffff9)
ssl_tls.c:2523: |2| <= flush output
ssl_tls.c:2922: |2| <= write record
ssl_tls.c:4193: |2| <= send alert message
ssl_tls.c:4740: |2| <= parse certificate
ssl_tls.c:6727: |2| <= handshake
mbedtls_ssl_handshake() returned -0x2700
FAIL
ssl_tls.c:7560: |2| <= free
```
@Carmeloning Have you checked the verification flags? They are not shown in this log. Without too much information in this log, I can guess two possible reasons for your failure:
ssl client connect error:
certdata.txt
result: