The certificate Common Name (CN) does not match with the expected CN

秒速五厘米 2021-12-23 19:15 664阅读 0赞

# 原文地址：[https://tls.mbed.org/discussions/bug-report-issues/verifying-peer-x-509-cert][https_tls.mbed.org_discussions_bug-report-issues_verifying-peer-x-509-cert] #

# Verifying peer X.509 Cert #

Jan 20, 2016 21:05  
**Dan**  
![05d166ec91902cd4532b8d0a0aae3c74_s_30_d_mm][]

I am using a modified version of ssl\_client1.c to access yahoo for testing purposes. I assume their certs are installed correctly, but for some reason I keep getting the following error:

"The certificate Common Name (CN) does not match with the expected CN"

My modification to the ssl\_client1.c is as follows:

/*
         * 0.1 Initialize certificates
         */
        mbedtls_printf( "  . Loading the CA root certificate ..." );
        fflush( stdout );
    
        char cwd_buff[PATH_MAX + 1];
        getcwd( cwd_buff, PATH_MAX + 1 );
        strcat(cwd_buff, "\\Debug\\yahoo.crt");
        mbedtls_printf("CA File: %s ", cwd_buff);
    
        ret = mbedtls_x509_crt_parse_file(&cacert, cwd_buff);
    
        if( ret < 0 )
        {
            mbedtls_printf( " failed\n  !  mbedtls_x509_crt_parse returned -0x%x\n\n", -ret );
            goto exit;
        }
    
        mbedtls_printf( " ok (%d skipped)\n", ret );

I don't get any errors loading the cert and I do get the HTTP of Yahoo, its just the cert that seems to be off.

Jan 21, 2016 01:59  
**Dan**  
![05d166ec91902cd4532b8d0a0aae3c74_s_30_d_mm][]

Interesting.....I just tried the ssl\_client2.c program and it works fine. I guess I'm not doing something correct with using the cert. Any ideas why ssl\_client1.c gives the CN error?

Feb 10, 2016 22:07  
**moraine**  
![475613998183680ada592cba2cbb6086_s_30_d_mm][]

I reproduced the same issue using unmodified ssl\_client1 and ssl\_server example programs for the following versions : v2.2.1, v2.2.0 ,v2.1.4 , v1.3.16, but not with v1.2.19

For information, please find below the output of ssl\_client1 when I meet the issue :

. Seeding the random number generator... ok
      . Loading the CA root certificate ... ok (0 skipped)
      . Connecting to tcp/localhost/4433... ok
      . Setting up the SSL/TLS structure... ok
      . Performing the SSL/TLS handshake.../home/bmoraine/Desktop/mbed/mbedtls-2.2.0/library/ssl_tls.c:4400: x509_verify_cert() returned -9984 (-0x2700)
     ok
      . Verifying peer X.509 certificate... failed
      ! The certificate Common Name (CN) does not match with the expected CN
    
      > Write to server: 18 bytes written
    
    GET / HTTP/1.0
    
      < Read from server: 150 bytes read
    
    HTTP/1.0 200 OK
    Content-Type: text/html
    
    <h2>mbed TLS Test Server</h2>
    <p>Successful connection using: TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384</p>
    /home/bmoraine/Desktop/mbed/mbedtls-2.2.0/library/ssl_tls.c:6509: mbedtls_ssl_read_record() returned -30848 (-0x7880)
    Last error was: -30848 - SSL - The peer notified us that the connection is going to be closed

Regarding ssl\_server output no error is displayed :

. Loading the server cert. and key... ok
      . Bind on https://localhost:4433/ ... ok
      . Seeding the random number generator... ok
      . Setting up the SSL data.... ok
      . Waiting for a remote connection ... ok
      . Performing the SSL/TLS handshake... ok
      < Read from client: 18 bytes read
    
    GET / HTTP/1.0
    
      > Write to client: 150 bytes written
    
    HTTP/1.0 200 OK
    Content-Type: text/html
    
    <h2>mbed TLS Test Server</h2>
    <p>Successful connection using: TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384</p>
    
      . Closing the connection... ok
      . Waiting for a remote connection ...

Is there a regression in ssl\_client1 example or in the library itself?

Feb 12, 2016 11:49  
**moraine**  
![475613998183680ada592cba2cbb6086_s_30_d_mm][]

It seems I fix the issue by replacing hostname parameter in the call of mbedtls\_ssl\_set\_hostname() on line 180

I replace :

if( ( ret = mbedtls_ssl_set_hostname( &ssl, "mbed TLS Server 1" ) ) != 0 )
       {
            mbedtls_printf( " failed\n  ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
            goto exit;
        }

if( ( ret = mbedtls_ssl_set_hostname( &pms->ssl, SERVER_NAME ) ) != 0 )
        {
            mbedtls_printf( " failed\n  ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
            goto exit;
        }

For information, SERVER\_NAME is defined on line 63

#define SERVER_NAME "localhost"

and is used previously used by mbedtls\_net\_connect() on line 141

按上文中所述将if( ( ret = mbedtls\_ssl\_set\_hostname( &pms->ssl, localhost) ) != 0 ) 即可

[https_tls.mbed.org_discussions_bug-report-issues_verifying-peer-x-509-cert]: https://tls.mbed.org/discussions/bug-report-issues/verifying-peer-x-509-cert
[05d166ec91902cd4532b8d0a0aae3c74_s_30_d_mm]: https://www.gravatar.com/avatar/05d166ec91902cd4532b8d0a0aae3c74?s=30&d=mm
[475613998183680ada592cba2cbb6086_s_30_d_mm]: https://www.gravatar.com/avatar/475613998183680ada592cba2cbb6086?s=30&d=mm