The certificate Common Name (CN) does not match with the expected CN
作者:互联网
原文地址:https://tls.mbed.org/discussions/bug-report-issues/verifying-peer-x-509-cert
Verifying peer X.509 Cert
Jan 20, 2016 21:05
Dan
I am using a modified version of ssl_client1.c to access yahoo for testing purposes. I assume their certs are installed correctly, but for some reason I keep getting the following error:
"The certificate Common Name (CN) does not match with the expected CN"
My modification to the ssl_client1.c is as follows:
/*
* 0.1 Initialize certificates
*/
mbedtls_printf( " . Loading the CA root certificate ..." );
fflush( stdout );
char cwd_buff[PATH_MAX + 1];
getcwd( cwd_buff, PATH_MAX + 1 );
strcat(cwd_buff, "\\Debug\\yahoo.crt");
mbedtls_printf("CA File: %s ", cwd_buff);
ret = mbedtls_x509_crt_parse_file(&cacert, cwd_buff);
if( ret < 0 )
{
mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse returned -0x%x\n\n", -ret );
goto exit;
}
mbedtls_printf( " ok (%d skipped)\n", ret );
I don't get any errors loading the cert and I do get the HTTP of Yahoo, its just the cert that seems to be off.
Jan 21, 2016 01:59
Dan
Interesting.....I just tried the ssl_client2.c program and it works fine. I guess I'm not doing something correct with using the cert. Any ideas why ssl_client1.c gives the CN error?
Feb 10, 2016 22:07
moraine
I reproduced the same issue using unmodified ssl_client1 and ssl_server example programs for the following versions : v2.2.1, v2.2.0 ,v2.1.4 , v1.3.16, but not with v1.2.19
For information, please find below the output of ssl_client1 when I meet the issue :
. Seeding the random number generator... ok
. Loading the CA root certificate ... ok (0 skipped)
. Connecting to tcp/localhost/4433... ok
. Setting up the SSL/TLS structure... ok
. Performing the SSL/TLS handshake.../home/bmoraine/Desktop/mbed/mbedtls-2.2.0/library/ssl_tls.c:4400: x509_verify_cert() returned -9984 (-0x2700)
ok
. Verifying peer X.509 certificate... failed
! The certificate Common Name (CN) does not match with the expected CN
> Write to server: 18 bytes written
GET / HTTP/1.0
< Read from server: 150 bytes read
HTTP/1.0 200 OK
Content-Type: text/html
<h2>mbed TLS Test Server</h2>
<p>Successful connection using: TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384</p>
/home/bmoraine/Desktop/mbed/mbedtls-2.2.0/library/ssl_tls.c:6509: mbedtls_ssl_read_record() returned -30848 (-0x7880)
Last error was: -30848 - SSL - The peer notified us that the connection is going to be closed
Regarding ssl_server output no error is displayed :
. Loading the server cert. and key... ok
. Bind on https://localhost:4433/ ... ok
. Seeding the random number generator... ok
. Setting up the SSL data.... ok
. Waiting for a remote connection ... ok
. Performing the SSL/TLS handshake... ok
< Read from client: 18 bytes read
GET / HTTP/1.0
> Write to client: 150 bytes written
HTTP/1.0 200 OK
Content-Type: text/html
<h2>mbed TLS Test Server</h2>
<p>Successful connection using: TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384</p>
. Closing the connection... ok
. Waiting for a remote connection ...
Is there a regression in ssl_client1 example or in the library itself?
Feb 12, 2016 11:49
moraine
It seems I fix the issue by replacing hostname parameter in the call of mbedtls_ssl_set_hostname() on line 180
I replace :
if( ( ret = mbedtls_ssl_set_hostname( &ssl, "mbed TLS Server 1" ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
goto exit;
}
by
if( ( ret = mbedtls_ssl_set_hostname( &pms->ssl, SERVER_NAME ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
goto exit;
}
For information, SERVER_NAME is defined on line 63
#define SERVER_NAME "localhost"
and is used previously used by mbedtls_net_connect() on line 141
标签:TLS,...,ok,CN,certificate,ret,ssl,mbedtls,does 来源: https://blog.csdn.net/nicholas_duan/article/details/93727630