Original URL: https://tls.mbed.org/discussions/bug-report-issues/verifying-peer-x-509-cert
Verifying peer X.509 Cert
Jan 20, 2016 21:05
Dan
I am using a modified version of ssl_client1.c to access Yahoo for testing purposes. I assume their certs are installed correctly, but for some reason I keep getting the following error:
"The certificate Common Name (CN) does not match with the expected CN"
My modification to the ssl_client1.c is as follows:
    /*
     * 0.1 Initialize certificates
     */
    mbedtls_printf( "  . Loading the CA root certificate ..." );
    fflush( stdout );

    /* Build the CA file path relative to the current working directory */
    char cwd_buff[PATH_MAX + 1];
    if( getcwd( cwd_buff, sizeof( cwd_buff ) ) == NULL )
    {
        mbedtls_printf( " failed\n  ! getcwd returned NULL\n\n" );
        goto exit;
    }
    strncat( cwd_buff, "\\Debug\\yahoo.crt", sizeof( cwd_buff ) - strlen( cwd_buff ) - 1 );
    mbedtls_printf( "CA File: %s ", cwd_buff );

    ret = mbedtls_x509_crt_parse_file( &cacert, cwd_buff );
    if( ret < 0 )
    {
        mbedtls_printf( " failed\n  ! mbedtls_x509_crt_parse_file returned -0x%x\n\n", -ret );
        goto exit;
    }

    mbedtls_printf( " ok (%d skipped)\n", ret );
I don't get any errors loading the cert and I do get the HTTP of Yahoo; it's just the cert that seems to be off.
Jan 21, 2016 01:59
Dan
Interesting... I just tried the ssl_client2.c program and it works fine. I guess I'm not doing something correctly with using the cert. Any ideas why ssl_client1.c gives the CN error?
Feb 10, 2016 22:07
moraine
I reproduced the same issue using unmodified ssl_client1 and ssl_server example programs for the following versions: v2.2.1, v2.2.0, v2.1.4, v1.3.16, but not with v1.2.19.
For information, please find below the output of ssl_client1 when I meet the issue:
. Seeding the random number generator... ok
. Loading the CA root certificate ... ok (0 skipped)
. Connecting to tcp/localhost/4433... ok
. Setting up the SSL/TLS structure... ok
. Performing the SSL/TLS handshake.../home/bmoraine/Desktop/mbed/mbedtls-2.2.0/library/ssl_tls.c:4400: x509_verify_cert() returned -9984 (-0x2700)
ok
. Verifying peer X.509 certificate... failed
! The certificate Common Name (CN) does not match with the expected CN
> Write to server: 18 bytes written
GET / HTTP/1.0
< Read from server: 150 bytes read
HTTP/1.0 200 OK
Content-Type: text/html
<h2>mbed TLS Test Server</h2>
<p>Successful connection using: TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384</p>
/home/bmoraine/Desktop/mbed/mbedtls-2.2.0/library/ssl_tls.c:6509: mbedtls_ssl_read_record() returned -30848 (-0x7880)
Last error was: -30848 - SSL - The peer notified us that the connection is going to be closed
Regarding the ssl_server output, no error is displayed:
. Loading the server cert. and key... ok
. Bind on https://localhost:4433/ ... ok
. Seeding the random number generator... ok
. Setting up the SSL data.... ok
. Waiting for a remote connection ... ok
. Performing the SSL/TLS handshake... ok
< Read from client: 18 bytes read
GET / HTTP/1.0
> Write to client: 150 bytes written
HTTP/1.0 200 OK
Content-Type: text/html
<h2>mbed TLS Test Server</h2>
<p>Successful connection using: TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384</p>
. Closing the connection... ok
. Waiting for a remote connection ...
Is there a regression in ssl_client1 example or in the library itself?
Feb 12, 2016 11:49
moraine
It seems I fixed the issue by replacing the hostname parameter in the call to mbedtls_ssl_set_hostname() on line 180.
I replaced:
    if( ( ret = mbedtls_ssl_set_hostname( &ssl, "mbed TLS Server 1" ) ) != 0 )
    {
        mbedtls_printf( " failed\n  ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
        goto exit;
    }
by
    if( ( ret = mbedtls_ssl_set_hostname( &ssl, SERVER_NAME ) ) != 0 )
    {
        mbedtls_printf( " failed\n  ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
        goto exit;
    }
For information, SERVER_NAME is defined on line 63:
#define SERVER_NAME "localhost"
and is previously used by mbedtls_net_connect() on line 141.
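The mismatch in this thread comes from the name passed to mbedtls_ssl_set_hostname() being compared against the names in the server certificate: "mbed TLS Server 1" cannot match a certificate issued for "localhost". The following is an added, stand-alone example (not code from mbed TLS or from this thread) that reimplements that comparison with the same rules the library applies: exact CN or dNSName matches are case-insensitive, and a leading "*." wildcard covers exactly one leftmost label. The certificate name list and the hostnames are constructed; the flag value is the one mbed TLS uses for MBEDTLS_X509_BADCERT_CN_MISMATCH.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Same value as MBEDTLS_X509_BADCERT_CN_MISMATCH in the mbed TLS headers */
#define BADCERT_CN_MISMATCH 0x04u

/* Case-insensitive equality of two byte ranges of the same length */
static int name_casecmp_eq(const char *a, const char *b, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Does one certificate name (CN or dNSName SAN) cover the expected host?
 * Exact match is case-insensitive; "*." covers a single leftmost label only,
 * so "*.example.com" matches "www.example.com" but not "a.b.example.com". */
int cert_name_matches(const char *cert_name, const char *host)
{
    size_t cn_len = strlen(cert_name), host_len = strlen(host);

    if (cn_len == host_len && name_casecmp_eq(cert_name, host, cn_len))
        return 1;

    if (cn_len > 2 && cert_name[0] == '*' && cert_name[1] == '.') {
        const char *dot = strchr(host, '.');   /* skip the first label */
        if (dot != NULL && strlen(dot) == cn_len - 1 &&
            name_casecmp_eq(dot, cert_name + 1, cn_len - 1))
            return 1;
    }
    return 0;
}

/* Check the expected host against every name the certificate presents.
 * Returns 0 on a match, BADCERT_CN_MISMATCH otherwise (the flag that makes
 * the verify step in ssl_client1 report the CN error). */
unsigned verify_hostname(const char *const *cert_names, size_t n, const char *host)
{
    for (size_t i = 0; i < n; i++)
        if (cert_name_matches(cert_names[i], host))
            return 0;
    return BADCERT_CN_MISMATCH;
}

/* Constructed stand-in for the names in the ssl_server test certificate */
static const char *const test_server_names[] = { "localhost" };

unsigned check_test_server(const char *expected_host)
{
    return verify_hostname(test_server_names, 1, expected_host);
}
```

Passing "mbed TLS Server 1" yields the mismatch flag while "localhost" (the SERVER_NAME from the fix above) verifies cleanly.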