Introduce WOLFSSL_DEBUG_CERTS Certificate Debug Messages

[gojimmypi]

Description

Adds a new troubleshooting capability to view only interesting certificate-related messages:

WOLFSSL_API int WOLFSSL_MSG_CERT(const char* msg);
WOLFSSL_API int WOLFSSL_MSG_CERT_EX(const char* fmt, ...);
WOLFSSL_API int wolfSSL_CertDebugging_ON(void);
WOLFSSL_API int wolfSSL_CertDebugging_OFF(void);
WOLFSSL_API int WOLFSSL_IS_CERT_DEBUG_ON(void);

Also a new macro: WOLFSSL_MSG_CERT_LOG to print during either DEBUG_WOLFSSL or WOLFSSL_DEBUG_CERTS.

Improves debugging messages: modifies WOLFSSL_MSG_EX and WOLFSSL_MSG_CERT_EX on no-variadic macro compiler such as Watcom.

Also adds WOLFSSL_DEBUG_LINE_ENDING to suppress LF characters on message printed for systems that supply their own line feeds during messaging, such as the Espressif ESP_LOG.

Turning on WOLFSSL_DEBUG always enables WOLFSSL_DEBUG_CERTS.

However WOLFSSL_DEBUG_CERTS can be used without WOLFSSL_DEBUG.

Macros of interest related to this PR:

#define DEBUG_WOLFSSL
#define WOLFSSL_DEBUG_CERTS
#define NO_WOLFSSL_DEBUG_CERTS
#define WOLFSSL_DEBUG_ERRORS_ONLY

/* Variadic macros are typically not manually defined, but can be used during testing: */
#define WOLF_NO_VARIADIC_MACROS

Which Messages Displayed

MSG: WOLFSSL_MSG and WOLFSSL_MSG_EX

Standard wolfSSL debugging.

CERT: WOLFSSL_MSG_CERT and WOLFSSL_MSG_CERT_EX

Certificate Debugging: on by default with DEBUG_WOLFSSL , but can disable certificate-specific verbose debugging with NO_WOLFSSL_DEBUG_CERTS.

These will typically be the larger and more verbose messages specific to certificate debugging.

LOG: WOLFSSL_MSG_CERT_LOG

These are certificate-debugging related messages, that are always printed with DEBUG_WOLFSSL, even when verbose certificate debugging turned off with NO_WOLFSSL_DEBUG_CERTS.

These will be typically small debug messages, that although certificate related, are also standard wolfssl debugging.

Debug	No Cert Debug	Cert Debug	MSG	CERT	LOG
			-----	-----	-----
		WOLFSSL_DEBUG_CERTS	-----	show	show
	NO_WOLFSSL_DEBUG_CERTS		-----	-----	-----
	NO_WOLFSSL_DEBUG_CERTS	WOLFSSL_DEBUG_CERTS	-----	-----	-----
DEBUG_WOLFSSL			show	show	show
DEBUG_WOLFSSL		WOLFSSL_DEBUG_CERTS	show	show	show
DEBUG_WOLFSSL	NO_WOLFSSL_DEBUG_CERTS		show	-----	show
DEBUG_WOLFSSL	NO_WOLFSSL_DEBUG_CERTS	WOLFSSL_DEBUG_CERTS	show	-----	show

Why?

Turning on full debugging is often overly verbose. On embedded devices the delay in printing debug messages can have an adverse effect on timing-critical code, such as certificate validation during TLS connections.

Inspiration

See wolfSSL forum questions related to certificates. For me, recently:

• Simple SSL connection providing root certs
• Root certificates included in wolfSSL

Usage

To use, add to user_settings.h:

#define WOLFSSL_DEBUG_CERTS

or from command-line:

make clean && ./configure --enable-all CFLAGS="-DWOLFSSL_DEBUG_CERTS" && make

Launch a server:

./examples/server/server -v 4 -l TLS_AES_128_GCM_SHA256 -p 12345

Launch a client:

./examples/client/client -v 4 -h localhost -p 12345

Sample Linux Output:

Server:

$ ./examples/server/server -v 4 -l TLS_AES_128_GCM_SHA256 -p 12345
        Parsing new CA
        -  issuer:  '/C=US/ST=Montana/L=Bozeman/O=wolfSSL_2048/OU=Programming-2048/CN=www.wolfssl.com/emailAddress=info@wolfssl.com'
        -  subject: '/C=US/ST=Montana/L=Bozeman/O=wolfSSL_2048/OU=Programming-2048/CN=www.wolfssl.com/emailAddress=info@wolfssl.com'
        Parsing new CA
        -  issuer:  '/C=US/ST=Montana/L=Bozeman/O=wolfSSL_2048/OU=Programming-2048/CN=www.wolfssl.com/emailAddress=info@wolfssl.com'
        -  subject: '/C=US/ST=Montana/L=Bozeman/O=wolfSSL_2048/OU=Programming-2048/CN=www.wolfssl.com/emailAddress=info@wolfssl.com'
        Parsing new CA
        -  issuer:  '/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com'
        -  subject: '/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL intermediate CA 1/emailAddress=info@wolfssl.com'
        Parsing new CA
        -  issuer:  '/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com'
        -  subject: '/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com'
        Parsing new CA
        -  issuer:  '/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com'
        -  subject: '/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL intermediate CA 2/emailAddress=info@wolfssl.com'
        Parsing new CA
        -  issuer:  '/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com'
        -  subject: '/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com'
        Parsing new CA
        -  issuer:  '/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com'
        -  subject: '/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL REVOKED intermediate CA/emailAddress=info@wolfssl.com'
        Parsing new CA
        -  issuer:  '/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com'
        -  subject: '/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com'
Early Data was not sent.
Alternate cert chain used
 issuer : /C=US/ST=Montana/L=Bozeman/O=wolfSSL_2048/OU=Programming-2048/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
 subject: /C=US/ST=Montana/L=Bozeman/O=wolfSSL_2048/OU=Programming-2048/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
 altname = example.com
 altname = 127.0.0.1
 ser:ec
SSL version is TLSv1.3
SSL cipher suite is TLS13-AES128-GCM-SHA256
SSL signature algorithm is SHA256
SSL curve name is SECP256R1
Server Random : 057164AF833860C9C1FC2CCE25F7B9F3F28B748B1B04F2BED31A1EA09E323E8E
Client message: hello wolfssl!

Client:

$ ./examples/client/client -v 4 -h localhost -p 12345
        Parsing new CA
        -  issuer:  '/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com'
        -  subject: '/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com'
        Parsing new CA
        -  issuer:  '/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com'
        -  subject: '/C=US/ST=Washington/L=Seattle/O=Elliptic/OU=ECC/CN=www.wolfssl.com/emailAddress=info@wolfssl.com'
Alternate cert chain used
 issuer : /C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
 subject: /C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=Support/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
 altname = example.com
 altname = 127.0.0.1
 serial number:01
SSL version is TLSv1.3
SSL cipher suite is TLS13-AES128-GCM-SHA256
SSL signature algorithm is SHA256
SSL curve name is SECP256R1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE6DCCA9CgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjQxMjE4
MjEyNTMwWhcNMjcwOTE0MjEyNTMwWjCBkDELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xEDAOBgNVBAoMB3dvbGZTU0wxEDAO
BgNVBAsMB1N1cHBvcnQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG
SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAMCVCOFXQfJxbbfSRUEnAWXGRa7yvCQwuJXOL07W9hyIvHyf+6hn
f/5cnFF194rKB+c1L4/hvXvAL3yrZKgX/Mpde7rgIeVyLm8uhtiVc9qsG1O5Xz/X
GQ0lT+FjY1GLC2Q/rUO4pRxcNLOuAKBjxfZ/C1loeHOmjBipAm2vwxkBLrgQ48bM
QLRpo0YzaYduxLsXpvPo3a1zvHsvIbX9ZlEMvVSz4W1fHLwjc9EJA4kU0hC5ZMMq
0KGWSrzh1Bpbx6DAwWN4D0Q3MDKWgDIjlaF3uhPSl3PiXSXJag3DOWCktLBpQkIJ
6dgIvDMgs1gip6rrxOHmYYPF0pbf2dBPrdcCAwEAAaOCAUUwggFBMB0GA1UdDgQW
BBSzETLJkpiE4sn40DtuA0LKHw6OPDCB1AYDVR0jBIHMMIHJgBQnjmcRdMMmHT/t
M2OzpNgdMOXo1aGBmqSBlzCBlDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRh
bmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNhd3Rvb3RoMRMwEQYDVQQL
DApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG
9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CFGubcMbxo5RlGaEIWO+njSt6g8HaMAwG
A1UdEwQFMAMBAf8wHAYDVR0RBBUwE4ILZXhhbXBsZS5jb22HBH8AAAEwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQCK8U7o
n1my2ROs/ELEgTSfazlXnOmSXUGsBTWxJpNNStr4UYLSjX/TXG4pgI2bAhArZPXR
MQb6hSuPYzIUdno5FfNO3f3iLJAV0W9zh+7myOutQNXolB+mfiZbh7oPBlpNVXqq
xAk0i/flzNa3bEZtoeZmZkxL5RIxN1RJZKVm6+DGoUn4TcPTVaQF0qz74chpMEuY
/XIaq5+G6w29fKY9gdkBp4p5qzzO5bbDG+99Xjd7N3yRiVkRIRF8BYDhqNb5Ndob
hgZaMmdsqSvgMXuJUzdCrzSkU9J8kVBjOo5KH6OQTnxBWR3re6IUh7p2NqR3RjTy
VVDwJJ+Dg9qmqjzI
-----END CERTIFICATE-----
Session timeout set to 500 seconds
Client Random : 80785920EEDAD81CE329D5CDE52CBC5B24FF6040CBF73780B2F6179CA2EF8A6B
SSL-Session:
    Protocol  : unknown
    Cipher    : NONE
    Session-ID:
    Session-ID-ctx:
    Master-Key: A2B47DC531CBD2AAEA8F10D411ED9619843601AF9FF7E00283AB17631CF70CEC00000000000000000000000000000000
    TLS session ticket: NONE
    Start Time: 0
    Timeout   : 0 (sec)
    Extended master secret: no
Session Ticket CB: ticketSz = 211, ctx = initial session
I hear you fa shizzle!
gojimmypi:/mnt/c/workspace/wolfssl-pr-cert
$ ./examples/client/client -v 4 -h localhost -p 12345
        Parsing new CA
        -  issuer:  '/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com'
        -  subject: '/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com'
        Parsing new CA
        -  issuer:  '/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com'
        -  subject: '/C=US/ST=Washington/L=Seattle/O=Elliptic/OU=ECC/CN=www.wolfssl.com/emailAddress=info@wolfssl.com'
Alternate cert chain used
 issuer : /C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
 subject: /C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=Support/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
 altname = example.com
 altname = 127.0.0.1
 serial number:01
SSL version is TLSv1.3
SSL cipher suite is TLS13-AES128-GCM-SHA256
SSL signature algorithm is SHA256
SSL curve name is SECP256R1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE6DCCA9CgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjQxMjE4
MjEyNTMwWhcNMjcwOTE0MjEyNTMwWjCBkDELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xEDAOBgNVBAoMB3dvbGZTU0wxEDAO
BgNVBAsMB1N1cHBvcnQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG
SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAMCVCOFXQfJxbbfSRUEnAWXGRa7yvCQwuJXOL07W9hyIvHyf+6hn
f/5cnFF194rKB+c1L4/hvXvAL3yrZKgX/Mpde7rgIeVyLm8uhtiVc9qsG1O5Xz/X
GQ0lT+FjY1GLC2Q/rUO4pRxcNLOuAKBjxfZ/C1loeHOmjBipAm2vwxkBLrgQ48bM
QLRpo0YzaYduxLsXpvPo3a1zvHsvIbX9ZlEMvVSz4W1fHLwjc9EJA4kU0hC5ZMMq
0KGWSrzh1Bpbx6DAwWN4D0Q3MDKWgDIjlaF3uhPSl3PiXSXJag3DOWCktLBpQkIJ
6dgIvDMgs1gip6rrxOHmYYPF0pbf2dBPrdcCAwEAAaOCAUUwggFBMB0GA1UdDgQW
BBSzETLJkpiE4sn40DtuA0LKHw6OPDCB1AYDVR0jBIHMMIHJgBQnjmcRdMMmHT/t
M2OzpNgdMOXo1aGBmqSBlzCBlDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRh
bmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNhd3Rvb3RoMRMwEQYDVQQL
DApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG
9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CFGubcMbxo5RlGaEIWO+njSt6g8HaMAwG
A1UdEwQFMAMBAf8wHAYDVR0RBBUwE4ILZXhhbXBsZS5jb22HBH8AAAEwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQCK8U7o
n1my2ROs/ELEgTSfazlXnOmSXUGsBTWxJpNNStr4UYLSjX/TXG4pgI2bAhArZPXR
MQb6hSuPYzIUdno5FfNO3f3iLJAV0W9zh+7myOutQNXolB+mfiZbh7oPBlpNVXqq
xAk0i/flzNa3bEZtoeZmZkxL5RIxN1RJZKVm6+DGoUn4TcPTVaQF0qz74chpMEuY
/XIaq5+G6w29fKY9gdkBp4p5qzzO5bbDG+99Xjd7N3yRiVkRIRF8BYDhqNb5Ndob
hgZaMmdsqSvgMXuJUzdCrzSkU9J8kVBjOo5KH6OQTnxBWR3re6IUh7p2NqR3RjTy
VVDwJJ+Dg9qmqjzI
-----END CERTIFICATE-----
Session timeout set to 500 seconds
Client Random : F5BAED33FDF9449EB9193D0A89BF1AC8D36F330DF5307685118C9B479318DF22
SSL-Session:
    Protocol  : unknown
    Cipher    : NONE
    Session-ID:
    Session-ID-ctx:
    Master-Key: B05C3A1F27972D5ECB61BB38349A6EA5142A62E765B81578548951D5DCE9D60700000000000000000000000000000000
    TLS session ticket: NONE
    Start Time: 0
    Timeout   : 0 (sec)
    Extended master secret: no
Session Ticket CB: ticketSz = 211, ctx = initial session
I hear you fa shizzle!
gojimmypi:/mnt/c/workspace/wolfssl-pr-cert
$ ./examples/client/client -v 4 -h localhost -p 12345
        Parsing new CA
        -  issuer:  '/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com'
        -  subject: '/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com'
        Parsing new CA
        -  issuer:  '/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com'
        -  subject: '/C=US/ST=Washington/L=Seattle/O=Elliptic/OU=ECC/CN=www.wolfssl.com/emailAddress=info@wolfssl.com'
Alternate cert chain used
 issuer : /C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
 subject: /C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=Support/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
 altname = example.com
 altname = 127.0.0.1
 serial number:01
SSL version is TLSv1.3
SSL cipher suite is TLS13-AES128-GCM-SHA256
SSL signature algorithm is SHA256
SSL curve name is SECP256R1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE6DCCA9CgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjQxMjE4
MjEyNTMwWhcNMjcwOTE0MjEyNTMwWjCBkDELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xEDAOBgNVBAoMB3dvbGZTU0wxEDAO
BgNVBAsMB1N1cHBvcnQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG
SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAMCVCOFXQfJxbbfSRUEnAWXGRa7yvCQwuJXOL07W9hyIvHyf+6hn
f/5cnFF194rKB+c1L4/hvXvAL3yrZKgX/Mpde7rgIeVyLm8uhtiVc9qsG1O5Xz/X
GQ0lT+FjY1GLC2Q/rUO4pRxcNLOuAKBjxfZ/C1loeHOmjBipAm2vwxkBLrgQ48bM
QLRpo0YzaYduxLsXpvPo3a1zvHsvIbX9ZlEMvVSz4W1fHLwjc9EJA4kU0hC5ZMMq
0KGWSrzh1Bpbx6DAwWN4D0Q3MDKWgDIjlaF3uhPSl3PiXSXJag3DOWCktLBpQkIJ
6dgIvDMgs1gip6rrxOHmYYPF0pbf2dBPrdcCAwEAAaOCAUUwggFBMB0GA1UdDgQW
BBSzETLJkpiE4sn40DtuA0LKHw6OPDCB1AYDVR0jBIHMMIHJgBQnjmcRdMMmHT/t
M2OzpNgdMOXo1aGBmqSBlzCBlDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRh
bmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNhd3Rvb3RoMRMwEQYDVQQL
DApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG
9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CFGubcMbxo5RlGaEIWO+njSt6g8HaMAwG
A1UdEwQFMAMBAf8wHAYDVR0RBBUwE4ILZXhhbXBsZS5jb22HBH8AAAEwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQCK8U7o
n1my2ROs/ELEgTSfazlXnOmSXUGsBTWxJpNNStr4UYLSjX/TXG4pgI2bAhArZPXR
MQb6hSuPYzIUdno5FfNO3f3iLJAV0W9zh+7myOutQNXolB+mfiZbh7oPBlpNVXqq
xAk0i/flzNa3bEZtoeZmZkxL5RIxN1RJZKVm6+DGoUn4TcPTVaQF0qz74chpMEuY
/XIaq5+G6w29fKY9gdkBp4p5qzzO5bbDG+99Xjd7N3yRiVkRIRF8BYDhqNb5Ndob
hgZaMmdsqSvgMXuJUzdCrzSkU9J8kVBjOo5KH6OQTnxBWR3re6IUh7p2NqR3RjTy
VVDwJJ+Dg9qmqjzI
-----END CERTIFICATE-----
Session timeout set to 500 seconds
Client Random : BB81BC357C77177FC972889A2373EB62677D8B7EB749F4CDFD7BAD42D98CBD93
SSL-Session:
    Protocol  : unknown
    Cipher    : NONE
    Session-ID:
    Session-ID-ctx:
    Master-Key: C4F54EF3FF9B627E2094C4CB5F85BB2968B507FAC0D762CA25A1DC2462084EF800000000000000000000000000000000
    TLS session ticket: NONE
    Start Time: 0
    Timeout   : 0 (sec)
    Extended master secret: no
Session Ticket CB: ticketSz = 211, ctx = initial session
I hear you fa shizzle!
gojimmypi:/mnt/c/workspace/wolfssl-pr-cert
$ ./examples/client/client -v 4 -h localhost -p 12345
        Parsing new CA
        -  issuer:  '/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com'
        -  subject: '/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com'
        Parsing new CA
        -  issuer:  '/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com'
        -  subject: '/C=US/ST=Washington/L=Seattle/O=Elliptic/OU=ECC/CN=www.wolfssl.com/emailAddress=info@wolfssl.com'
Alternate cert chain used
 issuer : /C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
 subject: /C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=Support/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
 altname = example.com
 altname = 127.0.0.1
 serial number:01
SSL version is TLSv1.3
SSL cipher suite is TLS13-AES128-GCM-SHA256
SSL signature algorithm is SHA256
SSL curve name is SECP256R1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE6DCCA9CgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjQxMjE4
MjEyNTMwWhcNMjcwOTE0MjEyNTMwWjCBkDELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xEDAOBgNVBAoMB3dvbGZTU0wxEDAO
BgNVBAsMB1N1cHBvcnQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG
SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAMCVCOFXQfJxbbfSRUEnAWXGRa7yvCQwuJXOL07W9hyIvHyf+6hn
f/5cnFF194rKB+c1L4/hvXvAL3yrZKgX/Mpde7rgIeVyLm8uhtiVc9qsG1O5Xz/X
GQ0lT+FjY1GLC2Q/rUO4pRxcNLOuAKBjxfZ/C1loeHOmjBipAm2vwxkBLrgQ48bM
QLRpo0YzaYduxLsXpvPo3a1zvHsvIbX9ZlEMvVSz4W1fHLwjc9EJA4kU0hC5ZMMq
0KGWSrzh1Bpbx6DAwWN4D0Q3MDKWgDIjlaF3uhPSl3PiXSXJag3DOWCktLBpQkIJ
6dgIvDMgs1gip6rrxOHmYYPF0pbf2dBPrdcCAwEAAaOCAUUwggFBMB0GA1UdDgQW
BBSzETLJkpiE4sn40DtuA0LKHw6OPDCB1AYDVR0jBIHMMIHJgBQnjmcRdMMmHT/t
M2OzpNgdMOXo1aGBmqSBlzCBlDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRh
bmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNhd3Rvb3RoMRMwEQYDVQQL
DApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG
9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CFGubcMbxo5RlGaEIWO+njSt6g8HaMAwG
A1UdEwQFMAMBAf8wHAYDVR0RBBUwE4ILZXhhbXBsZS5jb22HBH8AAAEwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQCK8U7o
n1my2ROs/ELEgTSfazlXnOmSXUGsBTWxJpNNStr4UYLSjX/TXG4pgI2bAhArZPXR
MQb6hSuPYzIUdno5FfNO3f3iLJAV0W9zh+7myOutQNXolB+mfiZbh7oPBlpNVXqq
xAk0i/flzNa3bEZtoeZmZkxL5RIxN1RJZKVm6+DGoUn4TcPTVaQF0qz74chpMEuY
/XIaq5+G6w29fKY9gdkBp4p5qzzO5bbDG+99Xjd7N3yRiVkRIRF8BYDhqNb5Ndob
hgZaMmdsqSvgMXuJUzdCrzSkU9J8kVBjOo5KH6OQTnxBWR3re6IUh7p2NqR3RjTy
VVDwJJ+Dg9qmqjzI
-----END CERTIFICATE-----
Session timeout set to 500 seconds
Client Random : 09878611D5DF5A60BAFC791DB7FF889D55C32B7F1E94A366588C3D5131ADB578
SSL-Session:
    Protocol  : unknown
    Cipher    : NONE
    Session-ID:
    Session-ID-ctx:
    Master-Key: F581AF314228C7094639A907AFEBE43E8BD42551DFDA32F620E9EE6F069C7F3600000000000000000000000000000000
    TLS session ticket: NONE
    Start Time: 0
    Timeout   : 0 (sec)
    Extended master secret: no
Session Ticket CB: ticketSz = 211, ctx = initial session
I hear you fa shizzle!

Sample Espressif output:

I (15213) time lib: Successfully set time via NTP servers.
I (15222) client-tls: get target IP address
I (15262) client-tls: Host name: www.google.com
E (15262) client-tls: Create ctx success, ret = 1
I (15262) client-tls: CA cert Use SNI success
I (15263) client-tls: Loading 8408 bytes of PEM certs
I (15272) wolfssl:      Parsed new CA
I (15273) wolfssl:      -  issuer:  '/C=US/O=Google Trust Services LLC/CN=GTS Root R1'
I (15279) wolfssl:      -  subject: '/C=US/O=Google Trust Services/CN=WR2'
I (15292) wolfssl:      Parsed new CA
I (15292) wolfssl:      -  issuer:  '/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA'
I (15293) wolfssl:      -  subject: '/C=US/O=Google Trust Services LLC/CN=GTS Root R1'
I (15303) wolfssl:      Parsed new CA
I (15303) wolfssl:      -  issuer:  '/C=US/O=Google Trust Services LLC/CN=GTS Root R4'
I (15303) wolfssl:      -  subject: '/C=US/O=Google Trust Services/CN=WE2'
I (15312) wolfssl:      Parsed new CA
I (15312) wolfssl:      -  issuer:  '/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA'
I (15312) wolfssl:      -  subject: '/C=US/O=Google Trust Services LLC/CN=GTS Root R4'
I (15325) wolfssl:      Parsed new CA
I (15325) wolfssl:      -  Failed during parse of new CA
I (15325) wolfssl:      -  error ret: -152; ASN signature error, mismatched oid
I (15329) client-tls: CA cert loaded successfully
I (15329) client-tls: Using host name: www.google.com
I (15329) client-tls: Connecting to server....www.google.com (port:443)

I (15365) client-tls: WOLFSSL object created successfully
I (15365) client-tls: wolfSSL_set_fd success
I (15365) client-tls: Connect to wolfSSL server...

• edit: after the changes in Introduce WOLFSSL_DEBUG_CERTS Certificate Debug Messages #8902 (comment), here's another useful cert debugging feature: FP_MAX_BITS insight.

I (15389) client-tls: Connect to wolfSSL server...
I (15757) wolfssl: No CA signer to verify with
I (15757) wolfssl: Consider using WOLFSSL_ALT_CERT_CHAINS.
I (15760) wolfssl: Trying alternate cert chain
I (15765) wolfssl: TFM fp_exptmod_nct failed: P.used (128) > (FP_SIZE/2); FP_SIZE: 136; FP_MAX_SIZE: 4096
I (15773) wolfssl: Consider adjusting current FP_MAX_BITS: 4096
I (15782) wolfssl: mp_exptmod_nct failed
E (15784) client-tls: ERROR: wolfSSL_connect failed. ret=-1

E (15785) client-tls: wolfSSL_get_error: -155

I (15785) client-tls: Cleanup and exit

and this suggestion to turn on WOLFSSL_ALT_CERT_CHAINS, in addition to our old friend error: -188:

I (14399) client-tls: WOLFSSL object created successfully
I (14399) client-tls: wolfSSL_set_fd success
I (14399) client-tls: Connect to wolfSSL server...
I (14768) wolfssl: No CA signer to verify with
I (14769) wolfssl: Consider using WOLFSSL_ALT_CERT_CHAINS.
I (14771) wolfssl: Consider enabling WOLFSSL_ALT_CERT_CHAINS to resolve ASN_NO_SIGNER_E
E (14781) client-tls: ERROR: wolfSSL_connect failed. ret=-1

E (14785) client-tls: wolfSSL_get_error: -188

I (14789) client-tls: Cleanup and exit

Fixes zd# n/a

Testing

How did you test?

Tested manually on embedded ESP32 / ESP-IDF.

Also tested with:

#!/bin/bash

g++-12 --version

make distclean

CC=g++-12
CFLAGS="-DTEST_ALWAYS_RUN_TO_END" \
CPPFLAGS="-DNO_WOLFSSL_CIPHER_SUITE_TEST -DWOLFSSL_OLD_PRIME_CHECK -Werror=literal-suffix"

./configure \
  --srcdir=. \
  --disable-jobserver \
  --enable-option-checking=fatal \
  --enable-all \
  --enable-testcert \
  --enable-acert \
  --enable-dtls13 \
  --enable-dtls-mtu \
  --enable-dtls-frag-ch \
  --enable-dtlscid \
  --enable-quic \
  --with-sys-crypto-policy \
  --enable-debug \
  --enable-debug-trace-errcodes \
  --enable-sp-math-all \
  --enable-experimental \
  --enable-kyber=yes,original \
  --enable-lms \
  --enable-xmss \
  --enable-dilithium \
  --enable-dual-alg-certs \
  --disable-qt \
  CC=g++-12 \
  CFLAGS="-DTEST_ALWAYS_RUN_TO_END" \
  CPPFLAGS="-DNO_WOLFSSL_CIPHER_SUITE_TEST -DWOLFSSL_OLD_PRIME_CHECK -Werror=literal-suffix"


make -j || exit 1

./configure \
  --srcdir=. \
  --disable-jobserver \
  --enable-option-checking=fatal \
  --enable-c89 \
  --enable-all \
  --disable-all-osp \
  --disable-opensslall \
  --enable-cryptonly \
  --enable-testcert \
  --enable-acert \
  --disable-examples \
  --disable-crypttests \
  --disable-benchmark \
  CC=gcc \
  CFLAGS="-DTEST_ALWAYS_RUN_TO_END -std=c89 -Wno-overlength-strings -pedantic -Wdeclaration-after-statement -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE -Wvla -Wdeclaration-after-statement -Wconversion -DWOLF_NO_VARIADIC_MACROS -DXSNPRINTF=snprintf -D_ISOC99_SOURCE=1"

  make -j || exit 1


  CC=g++-12 \
CFLAGS="-DTEST_ALWAYS_RUN_TO_END" \
CPPFLAGS="-DNO_WOLFSSL_CIPHER_SUITE_TEST -DWOLFSSL_OLD_PRIME_CHECK -Werror=literal-suffix" \
./configure \
  --srcdir=. \
  --disable-jobserver \
  --enable-option-checking=fatal \
  --enable-all \
  --enable-testcert \
  --enable-acert \
  --enable-dtls13 \
  --enable-dtls-mtu \
  --enable-dtls-frag-ch \
  --enable-dtlscid \
  --enable-quic \
  --with-sys-crypto-policy \
  --enable-debug \
  --enable-debug-trace-errcodes \
  --enable-sp-math-all \
  --enable-experimental \
  --enable-kyber=yes,original \
  --enable-lms \
  --enable-xmss \
  --enable-dilithium \
  --enable-dual-alg-certs \
  --disable-qt

  make -j || exit 1

  ./configure --enable-all
  make -j || exit 1

  ./configure --enable-all CPPFLAGS="-DWOLFSSL_DEBUG_CERTS"
  make -j || exit 1

Checklist

• added tests
• updated/added doxygen
• updated appropriate READMEs
• Updated manual and documentation

[dgarske]

Jenkins retest this please:

Found unhandled hudson.remoting.RequestAbortedException exception:
java.io.StreamCorruptedException: invalid stream header: 636F7272

[dgarske]

Please consider add a test to os-check.yml and also adding a small comment about the build option at top of logging.c.

Failure: ./configure CFLAGS="-DWOLFSSL_DEBUG_CERTS" && make

wolfcrypt/src/logging.c:307:6: error: no previous prototype for 'WOLFSSL_MSG_EX' [-Werror=missing-prototypes]
  307 | void WOLFSSL_MSG_EX(const char* fmt, ...)
      |      ^~~~~~~~~~~~~~
wolfcrypt/src/logging.c:356:6: error: no previous prototype for 'WOLFSSL_MSG' [-Werror=missing-prototypes]
  356 | void WOLFSSL_MSG(const char* msg)
      |      ^~~~~~~~~~~
wolfcrypt/src/logging.c:448:6: error: no previous prototype for 'WOLFSSL_ENTER' [-Werror=missing-prototypes]
  448 | void WOLFSSL_ENTER(const char* msg)
      |      ^~~~~~~~~~~~~
wolfcrypt/src/logging.c:477:6: error: no previous prototype for 'WOLFSSL_LEAVE' [-Werror=missing-prototypes]
  477 | void WOLFSSL_LEAVE(const char* msg, int ret)
      |      ^~~~~~~~~~~~~
wolfcrypt/src/logging.c:518:17: error: no previous prototype for 'WOLFSSL_IS_DEBUG_ON' [-Werror=missing-prototypes]
  518 | WOLFSSL_API int WOLFSSL_IS_DEBUG_ON(void)
      |                 ^~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
make[2]: *** [Makefile:8233: wolfcrypt/src/src_libwolfssl_la-logging.lo] Error 1
make[2]: *** Waiting for unfinished jobs....
make[2]: Leaving directory '/home/davidgarske/GitHub/wolfssl'
make[1]: *** [Makefile:10156: check-recursive] Error 1
make[1]: Leaving directory '/home/davidgarske/GitHub/wolfssl'
make: *** [Makefile:10650: check] Error 2```

[gojimmypi]

After addressing items in the most recent code review from @dgarske, I added additional WOLFSSL_MSG_CERT messages to more files: asn.c, rsa.c, tfm.c, internal.c

[gojimmypi]

Please consider add a test to os-check.yml
Failure: ./configure CFLAGS="-DWOLFSSL_DEBUG_CERTS" && make

Added --enable-all CPPFLAGS=-DWOLFSSL_DEBUG_CERTS to configs in os-check.yml

also adding a small comment about the build option at top of logging.c.

done

• Note PR description updated.

[dgarske]

As discussed here are some patches to cleanup things.
patch.txt

[gojimmypi]

Thank you @dgarske ! Nice improvement in your suggested patch. Applied in 4aeadb8

Confirmed working on my ESP32 wolfssl_client WIP as well as both of these:

make clean && ./configure --enable-all CFLAGS="-DWOLFSSL_DEBUG_CERTS" && make
make clean && ./configure CFLAGS="-DWOLFSSL_DEBUG_CERTS" && make

[dgarske]

Looks great otherwise!

[gojimmypi]

Hi @dgarske - thanks for the code review and suggestions.

I've added a new macro: WOLFSSL_MSG_CERT_LOG to print during either DEBUG_WOLFSSL or WOLFSSL_DEBUG_CERTS.

The recent changes are in a separate commit 934d947 for ease of visibility pending any final changes.

[dgarske]

Jenkins retest this please: PRB-dtls.txt_27 failed with " ClienSSL_write msg error -397, Peer closed underlying transport Error". Likely UDP issue.

Fixed

[dgarske]

@JacobBarthelmeh or @douzzer can you please review this as well and merge if you approve? Thank you

[gojimmypi]

Thanks @douzzer for pointing out the off-topic Watcom compiler stuff; removed from this PR (but still problematic, needs PR).

Existing WOLFSSL_DEBUG_PRINTF and WOLFSSL_DEBUG_CERTIFICATE_LOADS changes in this PR reverted; to address later.

Updated comments in logging.h related to WOLFSSL_DEBUG_PRINTFandWOLFSSL_DEBUG_CERTIFICATE_LOADS`.

Nothing recently changed in new .github/workflows/os-check.yml; it is as-intended, unless I don't understand the problem.

Refreshed from upstream, merge conflict resolved, squashed to a single commit.

• Update: I've created Change certs_test sizeof const to define for Watcom #9099 to address the Watcom compiler issue.

[gojimmypi]

Pushed a new commit since the embedded // in a block comment was flagged as problem:

/*
 ...
 *   #ifdef WOLFSSL_DEBUG_PRINTF_FN
 *       #define [user-supplied definition]
 *   #elif defined(ARDUINO)
 *      // ARDUINO only has print and sprintf, no printf on some targets.
 *   #elif defined(WOLFSSL_LOG_PRINTF) || defined(WOLFSSL_DEOS)
 *       #define WOLFSSL_DEBUG_PRINTF_FN printf
 *   [...]
 */

[gojimmypi]

Jenkins retest this please

For AgentOfflineException: Unable to create live FilePath for wolf-linux-cloud-node-[n]; wolf-linux-cloud-node-[n] was marked offline: Connection was broken