Introduce WOLFSSL_DEBUG_CERTS Certificate Debug Messages

[gojimmypi]

Description

Adds a new troubleshooting capability to view only interesting certificate-related messages:

WOLFSSL_API int WOLFSSL_MSG_CERT(const char* msg);
WOLFSSL_API int WOLFSSL_MSG_CERT_EX(const char* fmt, ...);
WOLFSSL_API int wolfSSL_CertDebugging_ON(void);
WOLFSSL_API int wolfSSL_CertDebugging_OFF(void);
WOLFSSL_API int WOLFSSL_IS_CERT_DEBUG_ON(void);

Improves debugging messages: modifies WOLFSSL_MSG_EX and WOLFSSL_MSG_CERT_EX on no-variadic macro compiler such as Watcom.

Also adds WOLFSSL_DEBUG_LINE_ENDING to suppress LF characters on message printed for systems that supply their own line feeds during messaging, such as the Espressif ESP_LOG.

Turning on WOLFSSL_DEBUG always enables WOLFSSL_DEBUG_CERTS.

However WOLFSSL_DEBUG_CERTS can be used without WOLFSSL_DEBUG.

Macros of interest related to this PR:

#define DEBUG_WOLFSSL
#define WOLFSSL_DEBUG_CERTS
#define NO_WOLFSSL_DEBUG_CERTS
#define WOLFSSL_DEBUG_ERRORS_ONLY

/* Variadic macros are typically not manually defined, but can be used during testing: */
#define WOLF_NO_VARIADIC_MACROS

Why?

Turning on full debugging is often overly verbose. On embedded devices the delay in printing debug messages can have an adverse effect on timing-critical code, such as certificate validation during TLS connections.

Inspiration

See wolfSSL forum questions related to certificates. For me, recently:

• Simple SSL connection providing root certs
• Root certificates included in wolfSSL

Usage

To use, add to user_settings.h:

#define WOLFSSL_DEBUG_CERTS

or from command-line:

make clean && ./configure --enable-all CFLAGS="-DWOLFSSL_DEBUG_CERTS" && make

Launch a server:

./examples/server/server -v 4 -l TLS_AES_128_GCM_SHA256 -p 12345

Launch a client:

./examples/client/client -v 4 -h localhost -p 12345

Sample Linux Output:

Server:

$ ./examples/server/server -v 4 -l TLS_AES_128_GCM_SHA256 -p 12345
        Parsing new CA
        -  issuer:  '/C=US/ST=Montana/L=Bozeman/O=wolfSSL_2048/OU=Programming-2048/CN=www.wolfssl.com/[email protected]'
        -  subject: '/C=US/ST=Montana/L=Bozeman/O=wolfSSL_2048/OU=Programming-2048/CN=www.wolfssl.com/[email protected]'
        Parsing new CA
        -  issuer:  '/C=US/ST=Montana/L=Bozeman/O=wolfSSL_2048/OU=Programming-2048/CN=www.wolfssl.com/[email protected]'
        -  subject: '/C=US/ST=Montana/L=Bozeman/O=wolfSSL_2048/OU=Programming-2048/CN=www.wolfssl.com/[email protected]'
        Parsing new CA
        -  issuer:  '/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/[email protected]'
        -  subject: '/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL intermediate CA 1/[email protected]'
        Parsing new CA
        -  issuer:  '/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/[email protected]'
        -  subject: '/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/[email protected]'
        Parsing new CA
        -  issuer:  '/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/[email protected]'
        -  subject: '/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL intermediate CA 2/[email protected]'
        Parsing new CA
        -  issuer:  '/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/[email protected]'
        -  subject: '/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/[email protected]'
        Parsing new CA
        -  issuer:  '/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/[email protected]'
        -  subject: '/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL REVOKED intermediate CA/[email protected]'
        Parsing new CA
        -  issuer:  '/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/[email protected]'
        -  subject: '/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/[email protected]'
Early Data was not sent.
Alternate cert chain used
 issuer : /C=US/ST=Montana/L=Bozeman/O=wolfSSL_2048/OU=Programming-2048/CN=www.wolfssl.com/[email protected]
 subject: /C=US/ST=Montana/L=Bozeman/O=wolfSSL_2048/OU=Programming-2048/CN=www.wolfssl.com/[email protected]
 altname = example.com
 altname = 127.0.0.1
 ser:ec
SSL version is TLSv1.3
SSL cipher suite is TLS13-AES128-GCM-SHA256
SSL signature algorithm is SHA256
SSL curve name is SECP256R1
Server Random : 057164AF833860C9C1FC2CCE25F7B9F3F28B748B1B04F2BED31A1EA09E323E8E
Client message: hello wolfssl!

Client:

$ ./examples/client/client -v 4 -h localhost -p 12345
        Parsing new CA
        -  issuer:  '/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/[email protected]'
        -  subject: '/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/[email protected]'
        Parsing new CA
        -  issuer:  '/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/[email protected]'
        -  subject: '/C=US/ST=Washington/L=Seattle/O=Elliptic/OU=ECC/CN=www.wolfssl.com/[email protected]'
Alternate cert chain used
 issuer : /C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/[email protected]
 subject: /C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=Support/CN=www.wolfssl.com/[email protected]
 altname = example.com
 altname = 127.0.0.1
 serial number:01
SSL version is TLSv1.3
SSL cipher suite is TLS13-AES128-GCM-SHA256
SSL signature algorithm is SHA256
SSL curve name is SECP256R1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE6DCCA9CgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjQxMjE4
MjEyNTMwWhcNMjcwOTE0MjEyNTMwWjCBkDELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xEDAOBgNVBAoMB3dvbGZTU0wxEDAO
BgNVBAsMB1N1cHBvcnQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG
SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAMCVCOFXQfJxbbfSRUEnAWXGRa7yvCQwuJXOL07W9hyIvHyf+6hn
f/5cnFF194rKB+c1L4/hvXvAL3yrZKgX/Mpde7rgIeVyLm8uhtiVc9qsG1O5Xz/X
GQ0lT+FjY1GLC2Q/rUO4pRxcNLOuAKBjxfZ/C1loeHOmjBipAm2vwxkBLrgQ48bM
QLRpo0YzaYduxLsXpvPo3a1zvHsvIbX9ZlEMvVSz4W1fHLwjc9EJA4kU0hC5ZMMq
0KGWSrzh1Bpbx6DAwWN4D0Q3MDKWgDIjlaF3uhPSl3PiXSXJag3DOWCktLBpQkIJ
6dgIvDMgs1gip6rrxOHmYYPF0pbf2dBPrdcCAwEAAaOCAUUwggFBMB0GA1UdDgQW
BBSzETLJkpiE4sn40DtuA0LKHw6OPDCB1AYDVR0jBIHMMIHJgBQnjmcRdMMmHT/t
M2OzpNgdMOXo1aGBmqSBlzCBlDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRh
bmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNhd3Rvb3RoMRMwEQYDVQQL
DApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG
9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CFGubcMbxo5RlGaEIWO+njSt6g8HaMAwG
A1UdEwQFMAMBAf8wHAYDVR0RBBUwE4ILZXhhbXBsZS5jb22HBH8AAAEwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQCK8U7o
n1my2ROs/ELEgTSfazlXnOmSXUGsBTWxJpNNStr4UYLSjX/TXG4pgI2bAhArZPXR
MQb6hSuPYzIUdno5FfNO3f3iLJAV0W9zh+7myOutQNXolB+mfiZbh7oPBlpNVXqq
xAk0i/flzNa3bEZtoeZmZkxL5RIxN1RJZKVm6+DGoUn4TcPTVaQF0qz74chpMEuY
/XIaq5+G6w29fKY9gdkBp4p5qzzO5bbDG+99Xjd7N3yRiVkRIRF8BYDhqNb5Ndob
hgZaMmdsqSvgMXuJUzdCrzSkU9J8kVBjOo5KH6OQTnxBWR3re6IUh7p2NqR3RjTy
VVDwJJ+Dg9qmqjzI
-----END CERTIFICATE-----
Session timeout set to 500 seconds
Client Random : 80785920EEDAD81CE329D5CDE52CBC5B24FF6040CBF73780B2F6179CA2EF8A6B
SSL-Session:
    Protocol  : unknown
    Cipher    : NONE
    Session-ID:
    Session-ID-ctx:
    Master-Key: A2B47DC531CBD2AAEA8F10D411ED9619843601AF9FF7E00283AB17631CF70CEC00000000000000000000000000000000
    TLS session ticket: NONE
    Start Time: 0
    Timeout   : 0 (sec)
    Extended master secret: no
Session Ticket CB: ticketSz = 211, ctx = initial session
I hear you fa shizzle!
gojimmypi:/mnt/c/workspace/wolfssl-pr-cert
$ ./examples/client/client -v 4 -h localhost -p 12345
        Parsing new CA
        -  issuer:  '/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/[email protected]'
        -  subject: '/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/[email protected]'
        Parsing new CA
        -  issuer:  '/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/[email protected]'
        -  subject: '/C=US/ST=Washington/L=Seattle/O=Elliptic/OU=ECC/CN=www.wolfssl.com/[email protected]'
Alternate cert chain used
 issuer : /C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/[email protected]
 subject: /C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=Support/CN=www.wolfssl.com/[email protected]
 altname = example.com
 altname = 127.0.0.1
 serial number:01
SSL version is TLSv1.3
SSL cipher suite is TLS13-AES128-GCM-SHA256
SSL signature algorithm is SHA256
SSL curve name is SECP256R1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE6DCCA9CgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjQxMjE4
MjEyNTMwWhcNMjcwOTE0MjEyNTMwWjCBkDELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xEDAOBgNVBAoMB3dvbGZTU0wxEDAO
BgNVBAsMB1N1cHBvcnQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG
SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAMCVCOFXQfJxbbfSRUEnAWXGRa7yvCQwuJXOL07W9hyIvHyf+6hn
f/5cnFF194rKB+c1L4/hvXvAL3yrZKgX/Mpde7rgIeVyLm8uhtiVc9qsG1O5Xz/X
GQ0lT+FjY1GLC2Q/rUO4pRxcNLOuAKBjxfZ/C1loeHOmjBipAm2vwxkBLrgQ48bM
QLRpo0YzaYduxLsXpvPo3a1zvHsvIbX9ZlEMvVSz4W1fHLwjc9EJA4kU0hC5ZMMq
0KGWSrzh1Bpbx6DAwWN4D0Q3MDKWgDIjlaF3uhPSl3PiXSXJag3DOWCktLBpQkIJ
6dgIvDMgs1gip6rrxOHmYYPF0pbf2dBPrdcCAwEAAaOCAUUwggFBMB0GA1UdDgQW
BBSzETLJkpiE4sn40DtuA0LKHw6OPDCB1AYDVR0jBIHMMIHJgBQnjmcRdMMmHT/t
M2OzpNgdMOXo1aGBmqSBlzCBlDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRh
bmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNhd3Rvb3RoMRMwEQYDVQQL
DApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG
9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CFGubcMbxo5RlGaEIWO+njSt6g8HaMAwG
A1UdEwQFMAMBAf8wHAYDVR0RBBUwE4ILZXhhbXBsZS5jb22HBH8AAAEwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQCK8U7o
n1my2ROs/ELEgTSfazlXnOmSXUGsBTWxJpNNStr4UYLSjX/TXG4pgI2bAhArZPXR
MQb6hSuPYzIUdno5FfNO3f3iLJAV0W9zh+7myOutQNXolB+mfiZbh7oPBlpNVXqq
xAk0i/flzNa3bEZtoeZmZkxL5RIxN1RJZKVm6+DGoUn4TcPTVaQF0qz74chpMEuY
/XIaq5+G6w29fKY9gdkBp4p5qzzO5bbDG+99Xjd7N3yRiVkRIRF8BYDhqNb5Ndob
hgZaMmdsqSvgMXuJUzdCrzSkU9J8kVBjOo5KH6OQTnxBWR3re6IUh7p2NqR3RjTy
VVDwJJ+Dg9qmqjzI
-----END CERTIFICATE-----
Session timeout set to 500 seconds
Client Random : F5BAED33FDF9449EB9193D0A89BF1AC8D36F330DF5307685118C9B479318DF22
SSL-Session:
    Protocol  : unknown
    Cipher    : NONE
    Session-ID:
    Session-ID-ctx:
    Master-Key: B05C3A1F27972D5ECB61BB38349A6EA5142A62E765B81578548951D5DCE9D60700000000000000000000000000000000
    TLS session ticket: NONE
    Start Time: 0
    Timeout   : 0 (sec)
    Extended master secret: no
Session Ticket CB: ticketSz = 211, ctx = initial session
I hear you fa shizzle!
gojimmypi:/mnt/c/workspace/wolfssl-pr-cert
$ ./examples/client/client -v 4 -h localhost -p 12345
        Parsing new CA
        -  issuer:  '/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/[email protected]'
        -  subject: '/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/[email protected]'
        Parsing new CA
        -  issuer:  '/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/[email protected]'
        -  subject: '/C=US/ST=Washington/L=Seattle/O=Elliptic/OU=ECC/CN=www.wolfssl.com/[email protected]'
Alternate cert chain used
 issuer : /C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/[email protected]
 subject: /C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=Support/CN=www.wolfssl.com/[email protected]
 altname = example.com
 altname = 127.0.0.1
 serial number:01
SSL version is TLSv1.3
SSL cipher suite is TLS13-AES128-GCM-SHA256
SSL signature algorithm is SHA256
SSL curve name is SECP256R1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE6DCCA9CgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjQxMjE4
MjEyNTMwWhcNMjcwOTE0MjEyNTMwWjCBkDELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xEDAOBgNVBAoMB3dvbGZTU0wxEDAO
BgNVBAsMB1N1cHBvcnQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG
SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAMCVCOFXQfJxbbfSRUEnAWXGRa7yvCQwuJXOL07W9hyIvHyf+6hn
f/5cnFF194rKB+c1L4/hvXvAL3yrZKgX/Mpde7rgIeVyLm8uhtiVc9qsG1O5Xz/X
GQ0lT+FjY1GLC2Q/rUO4pRxcNLOuAKBjxfZ/C1loeHOmjBipAm2vwxkBLrgQ48bM
QLRpo0YzaYduxLsXpvPo3a1zvHsvIbX9ZlEMvVSz4W1fHLwjc9EJA4kU0hC5ZMMq
0KGWSrzh1Bpbx6DAwWN4D0Q3MDKWgDIjlaF3uhPSl3PiXSXJag3DOWCktLBpQkIJ
6dgIvDMgs1gip6rrxOHmYYPF0pbf2dBPrdcCAwEAAaOCAUUwggFBMB0GA1UdDgQW
BBSzETLJkpiE4sn40DtuA0LKHw6OPDCB1AYDVR0jBIHMMIHJgBQnjmcRdMMmHT/t
M2OzpNgdMOXo1aGBmqSBlzCBlDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRh
bmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNhd3Rvb3RoMRMwEQYDVQQL
DApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG
9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CFGubcMbxo5RlGaEIWO+njSt6g8HaMAwG
A1UdEwQFMAMBAf8wHAYDVR0RBBUwE4ILZXhhbXBsZS5jb22HBH8AAAEwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQCK8U7o
n1my2ROs/ELEgTSfazlXnOmSXUGsBTWxJpNNStr4UYLSjX/TXG4pgI2bAhArZPXR
MQb6hSuPYzIUdno5FfNO3f3iLJAV0W9zh+7myOutQNXolB+mfiZbh7oPBlpNVXqq
xAk0i/flzNa3bEZtoeZmZkxL5RIxN1RJZKVm6+DGoUn4TcPTVaQF0qz74chpMEuY
/XIaq5+G6w29fKY9gdkBp4p5qzzO5bbDG+99Xjd7N3yRiVkRIRF8BYDhqNb5Ndob
hgZaMmdsqSvgMXuJUzdCrzSkU9J8kVBjOo5KH6OQTnxBWR3re6IUh7p2NqR3RjTy
VVDwJJ+Dg9qmqjzI
-----END CERTIFICATE-----
Session timeout set to 500 seconds
Client Random : BB81BC357C77177FC972889A2373EB62677D8B7EB749F4CDFD7BAD42D98CBD93
SSL-Session:
    Protocol  : unknown
    Cipher    : NONE
    Session-ID:
    Session-ID-ctx:
    Master-Key: C4F54EF3FF9B627E2094C4CB5F85BB2968B507FAC0D762CA25A1DC2462084EF800000000000000000000000000000000
    TLS session ticket: NONE
    Start Time: 0
    Timeout   : 0 (sec)
    Extended master secret: no
Session Ticket CB: ticketSz = 211, ctx = initial session
I hear you fa shizzle!
gojimmypi:/mnt/c/workspace/wolfssl-pr-cert
$ ./examples/client/client -v 4 -h localhost -p 12345
        Parsing new CA
        -  issuer:  '/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/[email protected]'
        -  subject: '/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/[email protected]'
        Parsing new CA
        -  issuer:  '/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/[email protected]'
        -  subject: '/C=US/ST=Washington/L=Seattle/O=Elliptic/OU=ECC/CN=www.wolfssl.com/[email protected]'
Alternate cert chain used
 issuer : /C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/[email protected]
 subject: /C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=Support/CN=www.wolfssl.com/[email protected]
 altname = example.com
 altname = 127.0.0.1
 serial number:01
SSL version is TLSv1.3
SSL cipher suite is TLS13-AES128-GCM-SHA256
SSL signature algorithm is SHA256
SSL curve name is SECP256R1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE6DCCA9CgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjQxMjE4
MjEyNTMwWhcNMjcwOTE0MjEyNTMwWjCBkDELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xEDAOBgNVBAoMB3dvbGZTU0wxEDAO
BgNVBAsMB1N1cHBvcnQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG
SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAMCVCOFXQfJxbbfSRUEnAWXGRa7yvCQwuJXOL07W9hyIvHyf+6hn
f/5cnFF194rKB+c1L4/hvXvAL3yrZKgX/Mpde7rgIeVyLm8uhtiVc9qsG1O5Xz/X
GQ0lT+FjY1GLC2Q/rUO4pRxcNLOuAKBjxfZ/C1loeHOmjBipAm2vwxkBLrgQ48bM
QLRpo0YzaYduxLsXpvPo3a1zvHsvIbX9ZlEMvVSz4W1fHLwjc9EJA4kU0hC5ZMMq
0KGWSrzh1Bpbx6DAwWN4D0Q3MDKWgDIjlaF3uhPSl3PiXSXJag3DOWCktLBpQkIJ
6dgIvDMgs1gip6rrxOHmYYPF0pbf2dBPrdcCAwEAAaOCAUUwggFBMB0GA1UdDgQW
BBSzETLJkpiE4sn40DtuA0LKHw6OPDCB1AYDVR0jBIHMMIHJgBQnjmcRdMMmHT/t
M2OzpNgdMOXo1aGBmqSBlzCBlDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRh
bmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNhd3Rvb3RoMRMwEQYDVQQL
DApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG
9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CFGubcMbxo5RlGaEIWO+njSt6g8HaMAwG
A1UdEwQFMAMBAf8wHAYDVR0RBBUwE4ILZXhhbXBsZS5jb22HBH8AAAEwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQCK8U7o
n1my2ROs/ELEgTSfazlXnOmSXUGsBTWxJpNNStr4UYLSjX/TXG4pgI2bAhArZPXR
MQb6hSuPYzIUdno5FfNO3f3iLJAV0W9zh+7myOutQNXolB+mfiZbh7oPBlpNVXqq
xAk0i/flzNa3bEZtoeZmZkxL5RIxN1RJZKVm6+DGoUn4TcPTVaQF0qz74chpMEuY
/XIaq5+G6w29fKY9gdkBp4p5qzzO5bbDG+99Xjd7N3yRiVkRIRF8BYDhqNb5Ndob
hgZaMmdsqSvgMXuJUzdCrzSkU9J8kVBjOo5KH6OQTnxBWR3re6IUh7p2NqR3RjTy
VVDwJJ+Dg9qmqjzI
-----END CERTIFICATE-----
Session timeout set to 500 seconds
Client Random : 09878611D5DF5A60BAFC791DB7FF889D55C32B7F1E94A366588C3D5131ADB578
SSL-Session:
    Protocol  : unknown
    Cipher    : NONE
    Session-ID:
    Session-ID-ctx:
    Master-Key: F581AF314228C7094639A907AFEBE43E8BD42551DFDA32F620E9EE6F069C7F3600000000000000000000000000000000
    TLS session ticket: NONE
    Start Time: 0
    Timeout   : 0 (sec)
    Extended master secret: no
Session Ticket CB: ticketSz = 211, ctx = initial session
I hear you fa shizzle!

Sample Espressif output:

I (15213) time lib: Successfully set time via NTP servers.
I (15222) client-tls: get target IP address
I (15262) client-tls: Host name: www.google.com
E (15262) client-tls: Create ctx success, ret = 1
I (15262) client-tls: CA cert Use SNI success
I (15263) client-tls: Loading 8408 bytes of PEM certs
I (15272) wolfssl:      Parsed new CA
I (15273) wolfssl:      -  issuer:  '/C=US/O=Google Trust Services LLC/CN=GTS Root R1'
I (15279) wolfssl:      -  subject: '/C=US/O=Google Trust Services/CN=WR2'
I (15292) wolfssl:      Parsed new CA
I (15292) wolfssl:      -  issuer:  '/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA'
I (15293) wolfssl:      -  subject: '/C=US/O=Google Trust Services LLC/CN=GTS Root R1'
I (15303) wolfssl:      Parsed new CA
I (15303) wolfssl:      -  issuer:  '/C=US/O=Google Trust Services LLC/CN=GTS Root R4'
I (15303) wolfssl:      -  subject: '/C=US/O=Google Trust Services/CN=WE2'
I (15312) wolfssl:      Parsed new CA
I (15312) wolfssl:      -  issuer:  '/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA'
I (15312) wolfssl:      -  subject: '/C=US/O=Google Trust Services LLC/CN=GTS Root R4'
I (15325) wolfssl:      Parsed new CA
I (15325) wolfssl:      -  Failed during parse of new CA
I (15325) wolfssl:      -  error ret: -152; ASN signature error, mismatched oid
I (15329) client-tls: CA cert loaded successfully
I (15329) client-tls: Using host name: www.google.com
I (15329) client-tls: Connecting to server....www.google.com (port:443)

I (15365) client-tls: WOLFSSL object created successfully
I (15365) client-tls: wolfSSL_set_fd success
I (15365) client-tls: Connect to wolfSSL server...

• edit: after the changes in Introduce WOLFSSL_DEBUG_CERTS Certificate Debug Messages #8902 (comment), here's another useful cert debugging feature: FP_MAX_BITS insight.

I (15389) client-tls: Connect to wolfSSL server...
I (15757) wolfssl: No CA signer to verify with
I (15757) wolfssl: Consider using WOLFSSL_ALT_CERT_CHAINS.
I (15760) wolfssl: Trying alternate cert chain
I (15765) wolfssl: TFM fp_exptmod_nct failed: P.used (128) > (FP_SIZE/2); FP_SIZE: 136; FP_MAX_SIZE: 4096
I (15773) wolfssl: Consider adjusting current FP_MAX_BITS: 4096
I (15782) wolfssl: mp_exptmod_nct failed
E (15784) client-tls: ERROR: wolfSSL_connect failed. ret=-1

E (15785) client-tls: wolfSSL_get_error: -155

I (15785) client-tls: Cleanup and exit

and this suggestion to turn on WOLFSSL_ALT_CERT_CHAINS, in addition to our old friend error: -188:

I (14399) client-tls: WOLFSSL object created successfully
I (14399) client-tls: wolfSSL_set_fd success
I (14399) client-tls: Connect to wolfSSL server...
I (14768) wolfssl: No CA signer to verify with
I (14769) wolfssl: Consider using WOLFSSL_ALT_CERT_CHAINS.
I (14771) wolfssl: Consider enabling WOLFSSL_ALT_CERT_CHAINS to resolve ASN_NO_SIGNER_E
E (14781) client-tls: ERROR: wolfSSL_connect failed. ret=-1

E (14785) client-tls: wolfSSL_get_error: -188

I (14789) client-tls: Cleanup and exit

Fixes zd# n/a

Testing

How did you test?

Tested manually on embedded ESP32 / ESP-IDF.

Also tested with:

#!/bin/bash

g++-12 --version

make distclean

CC=g++-12
CFLAGS="-DTEST_ALWAYS_RUN_TO_END" \
CPPFLAGS="-DNO_WOLFSSL_CIPHER_SUITE_TEST -DWOLFSSL_OLD_PRIME_CHECK -Werror=literal-suffix"

./configure \
  --srcdir=. \
  --disable-jobserver \
  --enable-option-checking=fatal \
  --enable-all \
  --enable-testcert \
  --enable-acert \
  --enable-dtls13 \
  --enable-dtls-mtu \
  --enable-dtls-frag-ch \
  --enable-dtlscid \
  --enable-quic \
  --with-sys-crypto-policy \
  --enable-debug \
  --enable-debug-trace-errcodes \
  --enable-sp-math-all \
  --enable-experimental \
  --enable-kyber=yes,original \
  --enable-lms \
  --enable-xmss \
  --enable-dilithium \
  --enable-dual-alg-certs \
  --disable-qt \
  CC=g++-12 \
  CFLAGS="-DTEST_ALWAYS_RUN_TO_END" \
  CPPFLAGS="-DNO_WOLFSSL_CIPHER_SUITE_TEST -DWOLFSSL_OLD_PRIME_CHECK -Werror=literal-suffix"


make -j || exit 1

./configure \
  --srcdir=. \
  --disable-jobserver \
  --enable-option-checking=fatal \
  --enable-c89 \
  --enable-all \
  --disable-all-osp \
  --disable-opensslall \
  --enable-cryptonly \
  --enable-testcert \
  --enable-acert \
  --disable-examples \
  --disable-crypttests \
  --disable-benchmark \
  CC=gcc \
  CFLAGS="-DTEST_ALWAYS_RUN_TO_END -std=c89 -Wno-overlength-strings -pedantic -Wdeclaration-after-statement -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE -Wvla -Wdeclaration-after-statement -Wconversion -DWOLF_NO_VARIADIC_MACROS -DXSNPRINTF=snprintf -D_ISOC99_SOURCE=1"

  make -j || exit 1


  CC=g++-12 \
CFLAGS="-DTEST_ALWAYS_RUN_TO_END" \
CPPFLAGS="-DNO_WOLFSSL_CIPHER_SUITE_TEST -DWOLFSSL_OLD_PRIME_CHECK -Werror=literal-suffix" \
./configure \
  --srcdir=. \
  --disable-jobserver \
  --enable-option-checking=fatal \
  --enable-all \
  --enable-testcert \
  --enable-acert \
  --enable-dtls13 \
  --enable-dtls-mtu \
  --enable-dtls-frag-ch \
  --enable-dtlscid \
  --enable-quic \
  --with-sys-crypto-policy \
  --enable-debug \
  --enable-debug-trace-errcodes \
  --enable-sp-math-all \
  --enable-experimental \
  --enable-kyber=yes,original \
  --enable-lms \
  --enable-xmss \
  --enable-dilithium \
  --enable-dual-alg-certs \
  --disable-qt

  make -j || exit 1

  ./configure --enable-all
  make -j || exit 1

  ./configure --enable-all CPPFLAGS="-DWOLFSSL_DEBUG_CERTS"
  make -j || exit 1

Checklist

• added tests
• updated/added doxygen
• updated appropriate READMEs
• Updated manual and documentation

[dgarske]

Jenkins retest this please:

Found unhandled hudson.remoting.RequestAbortedException exception:
java.io.StreamCorruptedException: invalid stream header: 636F7272

[dgarske]

Please consider add a test to os-check.yml and also adding a small comment about the build option at top of logging.c.

Failure: ./configure CFLAGS="-DWOLFSSL_DEBUG_CERTS" && make

wolfcrypt/src/logging.c:307:6: error: no previous prototype for 'WOLFSSL_MSG_EX' [-Werror=missing-prototypes]
  307 | void WOLFSSL_MSG_EX(const char* fmt, ...)
      |      ^~~~~~~~~~~~~~
wolfcrypt/src/logging.c:356:6: error: no previous prototype for 'WOLFSSL_MSG' [-Werror=missing-prototypes]
  356 | void WOLFSSL_MSG(const char* msg)
      |      ^~~~~~~~~~~
wolfcrypt/src/logging.c:448:6: error: no previous prototype for 'WOLFSSL_ENTER' [-Werror=missing-prototypes]
  448 | void WOLFSSL_ENTER(const char* msg)
      |      ^~~~~~~~~~~~~
wolfcrypt/src/logging.c:477:6: error: no previous prototype for 'WOLFSSL_LEAVE' [-Werror=missing-prototypes]
  477 | void WOLFSSL_LEAVE(const char* msg, int ret)
      |      ^~~~~~~~~~~~~
wolfcrypt/src/logging.c:518:17: error: no previous prototype for 'WOLFSSL_IS_DEBUG_ON' [-Werror=missing-prototypes]
  518 | WOLFSSL_API int WOLFSSL_IS_DEBUG_ON(void)
      |                 ^~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
make[2]: *** [Makefile:8233: wolfcrypt/src/src_libwolfssl_la-logging.lo] Error 1
make[2]: *** Waiting for unfinished jobs....
make[2]: Leaving directory '/home/davidgarske/GitHub/wolfssl'
make[1]: *** [Makefile:10156: check-recursive] Error 1
make[1]: Leaving directory '/home/davidgarske/GitHub/wolfssl'
make: *** [Makefile:10650: check] Error 2```

[gojimmypi]

After addressing items in the most recent code review from @dgarske, I added additional WOLFSSL_MSG_CERT messages to more files: asn.c, rsa.c, tfm.c, internal.c

[gojimmypi]

Please consider add a test to os-check.yml
Failure: ./configure CFLAGS="-DWOLFSSL_DEBUG_CERTS" && make

Added --enable-all CPPFLAGS=-DWOLFSSL_DEBUG_CERTS to configs in os-check.yml

also adding a small comment about the build option at top of logging.c.

done

• Note PR description updated.

[dgarske]

As discussed here are some patches to cleanup things.
patch.txt

[gojimmypi]

Thank you @dgarske ! Nice improvement in your suggested patch. Applied in 4aeadb8

Confirmed working on my ESP32 wolfssl_client WIP as well as both of these:

make clean && ./configure --enable-all CFLAGS="-DWOLFSSL_DEBUG_CERTS" && make
make clean && ./configure CFLAGS="-DWOLFSSL_DEBUG_CERTS" && make

[dgarske]

Looks great otherwise!

[gojimmypi]

Jenkins retest this please

for wolf-linux-cloud-node-[n] is offline

[douzzer]

have you looked at what WOLFSSL_DEBUG_CERTIFICATE_LOADS does?

$ git grep WOLFSSL_DEBUG_CERTIFICATE_LOADS
README.md:* Added WOLFSSL_DEBUG_PRINTF and WOLFSSL_DEBUG_CERTIFICATE_LOADS for improved debugging output. (PR #8769, PR #8770)
src/ssl_load.c:#ifdef WOLFSSL_DEBUG_CERTIFICATE_LOADS
src/ssl_load.c:#ifdef WOLFSSL_DEBUG_CERTIFICATE_LOADS
src/ssl_load.c:#endif /* WOLFSSL_DEBUG_CERTIFICATE_LOADS */
src/ssl_load.c:#ifdef WOLFSSL_DEBUG_CERTIFICATE_LOADS
src/ssl_load.c:#endif /* WOLFSSL_DEBUG_CERTIFICATE_LOADS */
src/ssl_load.c:#ifdef WOLFSSL_DEBUG_CERTIFICATE_LOADS

it looks like you're getting us a lot more coverage with this PR, but I don't think it makes sense to have both WOLFSSL_DEBUG_CERTIFICATE_LOADS and WOLFSSL_DEBUG_CERTS. at a minimum we should settle on a consistent naming scheme for the feature macros that either merges them into one, or gives them names that make clear what's different between them.

[gojimmypi]

Hi @douzzer - yes, I recently noticed the (relatively new?) WOLFSSL_DEBUG_CERTIFICATE_LOADS and WOLFSSL_DEBUG_PRINTF.

I've modelled the WOLFSSL_DEBUG_CERTS in this PR after the existing WOLFSSL_DEBUG.

I'm curious why WOLFSSL_DEBUG_PRINTF was introduced when there's been WOLFSSL_MSG and WOLFSSL_MSG_EX widely in use?

There are relatively few instances of WOLFSSL_DEBUG_CERTIFICATE_LOAD (only 4 total, and only in ssl_load.c).

Is there any pressing reason to have WOLFSSL_DEBUG_CERTIFICATE_LOAD separate?

Any objection to have the WOLFSSL_DEBUG_CERTIFICATE_LOAD merged into WOLFSSL_DEBUG_CERTS? I can do that either in this PR, or a future PR.

I already have more certificate debugging in my dev branch, this PR was mainly to introduce the concept.

In any case, I'm glad you also had the good idea to have some addition, certificate-specific debugging.

Please let me know you preference on how to proceed.

[dgarske]

Please resolve merge conflicts. Please see if changing to a simplier WOLFSSL_DEBUG_CERTIFICATE_LOADS makes more sense. If not then please cleanup WOLFSSL_DEBUG_CERTIFICATE_LOADS.

[gojimmypi]

Hi @dgarske and @douzzer -

There were a small number of WOLFSSL_DEBUG_CERTIFICATE_LOADS . I propose changing them to WOLFSSL_DEBUG_CERTS.

I applied this change in 7020b3a, and left a note in logging.h:

/* WOLFSSL_DEBUG_PRINTF_FN is intended to be used only in wolfssl_log(),
 * but is exposed in header as a customer cross-platform debugging capability.
 *
 * All general wolfSSL debugging should use:
 *   WOLFSSL_MSG and WOLFSSL_MSG_EX
 *
 * All wolfSSL certificate-related debugging should use:
 *   WOLFSSL_MSG_CERT and WOLFSSL_MSG_CERT_EX
 *
 * For custom debugging output, define your own WOLFSSL_DEBUG_PRINTF_FN
 */

[dgarske]

Jenkins retest this please: "AgentOfflineException"

[douzzer]

Please do not substitute WOLFSSL_MSG_CERT_EX() for WOLFSSL_DEBUG_PRINTF().

WOLFSSL_DEBUG_PRINTF() is a bufferless, non-truncating debug message renderer.

The refactor in ssl_load.c to use WOLFSSL_MSG_CERT_EX() causes destructive message truncation.

Also, there are merge conflicts on logging.c.