The certificate Common Name (CN) does not match with the expected CN
原文地址:https://tls.mbed.org/discussions/bug-report-issues/verifying-peer-x-509-cert
Verifying peer X.509 Cert
Jan 20, 2016 21:05
Dan
I am using a modified version of ssl_client1.c to access yahoo for testing purposes. I assume their certs are installed correctly, but for some reason I keep getting the following error:
“The certificate Common Name (CN) does not match with the expected CN”
My modification to the ssl_client1.c is as follows:
/** 0.1 Initialize certificates*/mbedtls_printf( " . Loading the CA root certificate ..." );fflush( stdout );char cwd_buff[PATH_MAX + 1];getcwd( cwd_buff, PATH_MAX + 1 );strcat(cwd_buff, "\\Debug\\yahoo.crt");mbedtls_printf("CA File: %s ", cwd_buff);ret = mbedtls_x509_crt_parse_file(&cacert, cwd_buff);if( ret < 0 ){mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse returned -0x%x\n\n", -ret );goto exit;}mbedtls_printf( " ok (%d skipped)\n", ret );
I don’t get any errors loading the cert and I do get the HTTP of Yahoo, its just the cert that seems to be off.
Jan 21, 2016 01:59
Dan
Interesting…..I just tried the ssl_client2.c program and it works fine. I guess I’m not doing something correct with using the cert. Any ideas why ssl_client1.c gives the CN error?
Feb 10, 2016 22:07
moraine
I reproduced the same issue using unmodified ssl_client1 and ssl_server example programs for the following versions : v2.2.1, v2.2.0 ,v2.1.4 , v1.3.16, but not with v1.2.19
For information, please find below the output of ssl_client1 when I meet the issue :
. Seeding the random number generator... ok. Loading the CA root certificate ... ok (0 skipped). Connecting to tcp/localhost/4433... ok. Setting up the SSL/TLS structure... ok. Performing the SSL/TLS handshake.../home/bmoraine/Desktop/mbed/mbedtls-2.2.0/library/ssl_tls.c:4400: x509_verify_cert() returned -9984 (-0x2700)ok. Verifying peer X.509 certificate... failed! The certificate Common Name (CN) does not match with the expected CN> Write to server: 18 bytes writtenGET / HTTP/1.0< Read from server: 150 bytes readHTTP/1.0 200 OKContent-Type: text/html<h2>mbed TLS Test Server</h2><p>Successful connection using: TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384</p>/home/bmoraine/Desktop/mbed/mbedtls-2.2.0/library/ssl_tls.c:6509: mbedtls_ssl_read_record() returned -30848 (-0x7880)Last error was: -30848 - SSL - The peer notified us that the connection is going to be closed
Regarding ssl_server output no error is displayed :
. Loading the server cert. and key... ok. Bind on https://localhost:4433/ ... ok. Seeding the random number generator... ok. Setting up the SSL data.... ok. Waiting for a remote connection ... ok. Performing the SSL/TLS handshake... ok< Read from client: 18 bytes readGET / HTTP/1.0> Write to client: 150 bytes writtenHTTP/1.0 200 OKContent-Type: text/html<h2>mbed TLS Test Server</h2><p>Successful connection using: TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384</p>. Closing the connection... ok. Waiting for a remote connection ...
Is there a regression in ssl_client1 example or in the library itself?
Feb 12, 2016 11:49
moraine
It seems I fix the issue by replacing hostname parameter in the call of mbedtls_ssl_set_hostname() on line 180
I replace :
if( ( ret = mbedtls_ssl_set_hostname( &ssl, "mbed TLS Server 1" ) ) != 0 ){mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret );goto exit;}
by
if( ( ret = mbedtls_ssl_set_hostname( &pms->ssl, SERVER_NAME ) ) != 0 ){mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret );goto exit;}
For information, SERVER_NAME is defined on line 63
#define SERVER_NAME "localhost"
and is used previously used by mbedtls_net_connect() on line 141
按上文中所述将if( ( ret = mbedtls_ssl_set_hostname( &pms->ssl, localhost) ) != 0 ) 即可
喜欢ヅ旅行
向右看齐
今天药忘吃喽~
还没有评论,来说两句吧...