Tools (curl, wget) that are built with wolfssl can not disable cert checking? #3691
Comments
Hi @PolynomialDivision - Thanks for contacting wolfSSL Support. @bagder - Would you consider this an integration issue?
I don't know. I haven't been able to reproduce this yet so I don't know what wolfSSL returns to curl or why!
Apart from the -152 error then, which seems to indicate that wolfSSL doesn't like the cert.
Right, but what does it mean? What OID is mismatched and is that a reason for the entire handshake to fail or should it rather be allowed when we skip the certificate verification?
Looking at the source, the explanation gives some light:
Further debugging on OpenWrt forum: @PolynomialDivision tested my self-signed key generated with OpenSSL tools, and the key works for him also with curl/wolfssl, possibly because it has only ecdsa/256 style algorithms in use.
His own key (shown in the curl issue tracker linked above) fails with curl/wolfssl, as it has RSA/ecdsa/P256 elliptic mixed???
The reason might be in how the OpenWrt tool to create a self-signed cert with wolfssl operates, so any input for that would be nice. (btw, the current default is EC with P-256) C code: https://github.com/openwrt/openwrt/blob/master/package/utils/px5g-wolfssl/px5g-wolfssl.c
@hnyman Here are again different algorithms:
Certificate looks straightforward, but I noticed it is using SHA-1 for the hash. Might be worth making sure it's enabled in the wolfSSL ./configure (--enable-sha). It is on by default.
Hi @hnyman, looks like the signature algorithm is mismatched. Notice: FYI: Here are the only two places in the code where the Thanks,
@hnyman @PolynomialDivision
Based on all the info provided here, it seems to me that wolfSSL correctly identified a problem in the certificate and that the proper fix is to make sure that the cert does not have that inconsistency. Anyone objects or can we then close this issue?
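A way to check a certificate for the inconsistency this thread ends on, added here as an example (not wolfSSL, curl or OpenWrt code): RFC 5280 section 4.1.2.3 requires the AlgorithmIdentifier in tbsCertificate.signature to be identical to the outer signatureAlgorithm, and a cert that violates it fails at parse time regardless of whether trust verification is skipped. The tiny DER walker, the skeleton builder and its two sample OIDs are constructed for this example so it runs offline; point `signature_oids` at a real DER or PEM file to inspect an actual certificate.

```python
import base64

# OID contents bytes of two signature algorithms (RFC 3279 / RFC 5758 values)
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
ECDSA_SHA256 = bytes.fromhex("2a8648ce3d040302")   # 1.2.840.10045.4.3.2

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _der(tag, content):
    """Encode one short-form DER TLV; used only to build the constructed sample below."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def _alg_oid(alg_id):
    """Dotted OID of an AlgorithmIdentifier; its first element is the OBJECT IDENTIFIER."""
    tag, value, _ = _read_tlv(alg_id, 0)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                    # further arcs are base-128, high bit set = continue
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_oids(data):
    """Return (tbsCertificate.signature OID, outer signatureAlgorithm OID) for DER or PEM input."""
    if data.lstrip().startswith(b"-----BEGIN"):
        data = base64.b64decode(b"".join(l for l in data.splitlines() if not l.startswith(b"-----")))
    _, cert, _ = _read_tlv(data, 0)                   # Certificate SEQUENCE
    _, tbs, pos = _read_tlv(cert, 0)                  # tbsCertificate
    _, outer_alg, _ = _read_tlv(cert, pos)            # signatureAlgorithm
    tag, _, p = _read_tlv(tbs, 0)
    if tag == 0xA0:                                   # optional [0] EXPLICIT version
        tag, _, p = _read_tlv(tbs, p)
    assert tag == 0x02, "expected serialNumber INTEGER"
    _, inner_alg, _ = _read_tlv(tbs, p)               # tbsCertificate.signature
    return _alg_oid(inner_alg), _alg_oid(outer_alg)

def signature_algorithms_match(data):
    """RFC 5280 4.1.2.3: tbsCertificate.signature must equal signatureAlgorithm."""
    return len(set(signature_oids(data))) == 1

def build_cert_skeleton(inner_oid, outer_oid):
    """Constructed sample: only the fields the check reads, no real key or signature."""
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, _der(0x06, inner_oid)))
    return _der(0x30, tbs + _der(0x30, _der(0x06, outer_oid)) + _der(0x03, b"\x00"))
```

`build_cert_skeleton(SHA256_RSA, ECDSA_SHA256)` reproduces the mixed RSA/ECDSA shape described above and is rejected by the check, while the consistent skeleton passes.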
Thanks a lot! Can confirm that it fixes the issue. |
@PolynomialDivision closing this issue then. Will follow up on openwrt/openwrt#3813 |
If you try
with a self signed certificate, the check should be skipped and via a TLS connection the website should be downloaded.
Furthermore,
--cacert
does not work. Same for