Closed aimproxy closed 4 years ago
@aimproxy,
Hope you found the solution to this. The short answer: assuming your server will send a cert chain consisting of a root CA (self-signed) and an entity cert (also referred to as a "leaf" cert), you would have the server load the leaf cert. It can actually leave off the root CA, since the client has to have a copy to verify the leaf cert; the root CA is optional for the server to send.
Then on the client side, load the root CA that signed the leaf cert with wolfSSL_CTX_load_verify_locations(); (or the wolfSSL_CTX_load_verify_buffer(); equivalent) so the client can verify the leaf cert it receives during the connection.
If your server is truly sending two self-signed certs it is probably misconfigured. If your server sends a single self-signed cert AS the leaf cert, then load the same self-signed cert in both the client and server.
Regards,
K
@kaleb-himes
I'm trying to connect to an iRobot Roomba e5; she returns a CA cert and another cert, that's the only information Wireshark gives me.
I set up this line, to not verify peer certs:
wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);
My code doesn't work yet, because I need to send a packet over the TLS, so I'm trying to implement a buffer to do so. Not with too much success, I'm new to this :/
@kaleb-himes
I will give a little more context to you: I need to get a blid and a password from my Roomba.
Well, the blid I already got with sockets in C, I just sent a DGRAM with a buffer which contains the following string: irobotmcs, and the robot responds normally. If I'm not explaining what I did very well, please check my GitHub code:
https://github.com/roombavacuum/libroomba
So, now I need to get the password. This is what I know about the Roomba:
Ciphers: AES1238-SHA256
Packet to send to get the psw: f005efcc3b2900
The robot sends one root CA cert and another cert
/* this is 0xf0 (mqtt reserved) 0x05 (data length) */
/* 0xefcc3b2900 (data) */
/* [0] 240 byte // mqtt 0xf0 */
/* [1] 5 byte // message length 0x05 */
/* [2] 239 byte // message 0xef */
/* [3] 204 byte // message 0xcc */
/* [4] 59 byte // message 0x3b */
/* [5] 41 byte // message 0x29 */
/* [6] 0 byte // message 0x00 - Based on errors returned, this seems like it's a response flag, where 0x00 is OK, and 0x03 is ERROR */
unsigned char packet[] = { 0xf0, 0x05, 0xef, 0xcc, 0x3b, 0x29, 0x00 };
To do that I set up a client to connect, write the packet and wait for the response. But for some reason I'm not able to get a reply from the server. I put Wireshark to listen to the network, but the conn is not reset anywhere. I don't know what to do, I am a little bit lost. If you wanna take a look at the code to get the password, let me know.
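The bytes above describe a one-byte type, a one-byte length and a payload. The following is an added example, not code from the thread or from libroomba, that builds and parses that framing with explicit bounds checks so a short or oversized read is never trusted; the layout (type, length, payload) and the meaning of the trailing status byte (0x00 OK, 0x03 error) are taken from the post above and are assumptions about the device's protocol, not a documented spec.

```c
#include <stddef.h>
#include <string.h>

/* Assumed framing, taken from the post: [type][len][len bytes of payload].
 * For the password request: type 0xf0, len 0x05, payload ef cc 3b 29 00. */
struct frame {
    unsigned char type;
    const unsigned char *payload;
    size_t len;
};

/* Build [type][len][payload] into out.
 * Returns bytes written, or -1 if the payload does not fit in one length
 * byte or in the output buffer. */
int frame_build(unsigned char type, const unsigned char *payload, size_t len,
                unsigned char *out, size_t out_cap)
{
    if (len > 0xff || out_cap < 2 + len)
        return -1;
    out[0] = type;
    out[1] = (unsigned char)len;
    memcpy(out + 2, payload, len);
    return (int)(2 + len);
}

/* Parse one frame from the first `avail` bytes of buf.
 * Returns the total frame size on success and fills *f, or 0 when more
 * bytes are needed (header missing, or body shorter than the length byte
 * claims). The payload pointer refers into buf, nothing is copied. */
int frame_parse(const unsigned char *buf, size_t avail, struct frame *f)
{
    if (avail < 2)
        return 0;                       /* type and length not yet present */
    if (avail < 2u + buf[1])
        return 0;                       /* never read past what was received */
    f->type = buf[0];
    f->len = buf[1];
    f->payload = buf + 2;
    return (int)(2 + buf[1]);
}

/* Status byte interpretation from the post: last payload byte 0x00 is OK.
 * Returns 1 for OK, 0 for any other value or an empty payload. */
int frame_status_ok(const struct frame *f)
{
    return f->len > 0 && f->payload[f->len - 1] == 0x00;
}

/* Round trip of the packet shown in the thread (constructed input).
 * Returns 1 when build and parse agree with the original bytes. */
int frame_demo_roundtrip(void)
{
    static const unsigned char expected[] = { 0xf0, 0x05, 0xef, 0xcc, 0x3b, 0x29, 0x00 };
    static const unsigned char body[] = { 0xef, 0xcc, 0x3b, 0x29, 0x00 };
    unsigned char out[16];
    struct frame f;
    int n = frame_build(0xf0, body, sizeof body, out, sizeof out);

    if (n != (int)sizeof expected || memcmp(out, expected, sizeof expected) != 0)
        return 0;
    if (frame_parse(out, (size_t)n, &f) != n || f.type != 0xf0 || f.len != 5)
        return 0;
    return frame_status_ok(&f);
}
```

When reading the reply over TLS, accumulate bytes and call frame_parse until it returns non-zero; a return of 0 means keep reading rather than acting on a partial frame.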
I ended up finding the solution by myself, I just did this:
#include <wolfssl/ssl.h>

/* Verify callback that accepts every peer certificate, whatever the
   built-in verification result was */
int always_true_callback(int preverify, WOLFSSL_X509_STORE_CTX* store)
{
    (void)preverify;
    (void)store;
    return 1;
}
/* Do not validate the peer cert */
wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, always_true_callback);
And it works just fine. Thanks for your help anyway 👍
My server does not require sending client certificates, but I should accept the peer certificates from the server; the server gives me two self-signed certs, one CA, and a KEY. My question is how I can accept/validate these certs?
Thx in advance