CyaSSL and VeriSign

Help
elsevers
2009-08-28
2013-04-23
  • elsevers

    elsevers - 2009-08-28

    Hello,

    I am having an issue getting CyaSSL to verify server certificates signed by VeriSign. I get a hash mismatch between the server's certificate and the CA (error code -155: ASN_SIG_CONFIRM_E).

    To demonstrate this, I have been able to reproduce the problem by having the example project "client" connect to https://www.amazon.com. To do this, simply make these two changes to the supplied project:
    1) change the value of yasslIP to "www.amazon.com" and the value of yasslPort to 443.
    2) replace ca-cert.pem (in \certs\) with VeriSign's generation 2, class 3 PEM certificate.
    Then, run the program, and you will experience the above problem.

    (Note: I made no other changes to the example client code. All defines and options were left as-is in the 1.0.6 download. I compiled and ran this from Visual Studio 6. I did confirm that I am using the correct CA by connecting to Amazon via curl.exe with this CA.)

    I also have the same issue with servers whose certificates are signed by VeriSign generation 1, class 3.

    Any insight you might have would be greatly appreciated.

    Thanks!
    Eric

     
    • elsevers

      elsevers - 2009-08-29

      Update:

      I apologize, I had an error in my last post: in step 1 - set the value of yasslIP to "www.amazon.com"

      You can download the VeriSign root CA here: https://www.verisign.com/support/roots.html (you have to give them your email address first).

      Again, any help would be greatly appreciated.

      Thanks,
      Eric

       
      • Todd Ouska

        Todd Ouska - 2009-08-31

        Hi Eric,

        Thanks for the report. I just verified the problem you're having. I'll have more time tomorrow to look at it. My first guess is that it might have something to do with the fact that the Verisign CA cert has a 2048 bit key but only a 1024 bit signature value. I'll let you know what I find.

         
    • elsevers

      elsevers - 2009-08-31

      Great, thank you! Let me know what you find out.

      -Eric

       
      • Todd Ouska

        Todd Ouska - 2009-09-01

        Figured out the problem and it had nothing to do with the key size or signature length.

        The amazon cert (A) is signed by Verisign Class 3 Secure Server CA-G2 (B).

        You correctly told CyaSSL to trust certs signed by B. But CyaSSL checks every cert in the chain as the standard recommends. And cert B is signed by Verisign Class 3 Public Primary Certificate Authority-G2 (C). Since CyaSSL hadn't been told to also trust C, it's rejecting B because B's signer is unknown. You'll also need to load cert C as a trusted cert like B.

        You'll notice all browsers have both of the certs in their trust chain.
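
        Todd's point above, reproduced with the openssl command-line tool as an added example (this is not code from the thread or from CyaSSL; the certificates, subject names and file names are invented for the demonstration). The script builds a throwaway three-tier chain, leaf A signed by intermediate B signed by self-signed root C, and uses "openssl verify" as a stand-in for CyaSSL's chain check: both refuse the chain unless every issuer back to a self-signed root is known. Case 1 is the poster's original ca-cert.pem (B only), case 2 is the fix (B and C), and case 3 shows that trusting C alone is enough when the peer supplies B itself.

```shell
#!/bin/sh
# Added example, not code from the original thread or from CyaSSL. Builds a
# toy chain (leaf A <- intermediate B <- root C) with openssl and checks A
# against three different trust stores. All names and paths are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config: "openssl req" insists on a distinguished_name section even
# when -subj is given; the two extension sections mark CA vs end-entity certs.
cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
EOF

newkey() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$1.key" 2>/dev/null
}

# Issue a cert for $1 from its CSR, signed by CA $2, with extension section $3.
issue() {
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$WORK/ext.cnf" -extensions "$3" \
        -out "$WORK/$1.pem" 2>/dev/null
}

make_chain() {
    newkey root; newkey inter; newkey leaf
    # C: self-signed root (plays the role of the Class 3 Public Primary CA-G2).
    openssl req -x509 -new -key "$WORK/root.key" -subj "/CN=Toy Root CA (C)" \
        -days 1 -sha256 -config "$WORK/ext.cnf" -extensions ca_ext \
        -out "$WORK/root.pem" 2>/dev/null
    # B: intermediate signed by C (plays the role of Class 3 Secure Server CA-G2).
    openssl req -new -key "$WORK/inter.key" -subj "/CN=Toy Intermediate CA (B)" \
        -config "$WORK/ext.cnf" -out "$WORK/inter.csr" 2>/dev/null
    issue inter root ca_ext
    # A: server cert signed by B (plays the role of the amazon.com cert).
    openssl req -new -key "$WORK/leaf.key" -subj "/CN=www.example.test (A)" \
        -config "$WORK/ext.cnf" -out "$WORK/leaf.csr" 2>/dev/null
    issue leaf inter leaf_ext
}

# Verify A against trust-store file $1; remaining args go to openssl verify.
verify_with() {
    store=$1; shift
    openssl verify -CAfile "$store" "$@" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Case 1: trust only B, as the original ca-cert.pem did. B's issuer C is
# unknown, so the chain is rejected ("unable to get issuer certificate").
only_intermediate() { verify_with "$WORK/inter.pem"; }

# Case 2: trust B and C together (the fix from the thread). Accepted.
intermediate_and_root() {
    cat "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/trusted.pem"
    verify_with "$WORK/trusted.pem"
}

# Case 3: trust only C and take B from the peer, as with a server that sends
# its full chain. Also accepted: every cert still chains up to C.
root_with_peer_chain() { verify_with "$WORK/root.pem" -untrusted "$WORK/inter.pem"; }

report() {
    if "$1"; then echo "$1: accepted"; else echo "$1: rejected"; fi
}

make_chain
report only_intermediate
report intermediate_and_root
report root_with_peer_chain
```

        The same reasoning applies to the CyaSSL example client: the fix is to make both B and C available to it as trusted certs rather than B alone, and case 1 is exactly the -155 failure described at the top of the thread.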

         
    • elsevers

      elsevers - 2009-09-02

      Thanks, Todd. I have gotten things working.

      Sorry to have taken up your time on this -- I appreciate that you explained the issue so clearly to me. I am relatively new to SSL.

      -Eric

       
      • Todd Ouska

        Todd Ouska - 2009-09-02

        No problem, let me know what else you run into.

         
