
CC3220SF-LAUNCHXL: ASN no signer to confirm failure

Part Number: CC3220SF-LAUNCHXL

I'm using the HTTPS client from the AWS IoT SDK plugin as mentioned in this thread.

I'm attempting to connect to an AWS server that uses their Starfield root CA. However, the connect function returns an SSL error -688 SL_ERROR_BSD_ESEC_ASN_NO_SIGNER_E.

I tried to search for an answer to this issue and it seems like wolfSSL may need to be configured with some different options depending on the RSA key size. Here is a link to that thread.

https://www.wolfssl.com/forums/topic423-cacertorgs-ca-cert-verify-failed-but-withdisablefastmath-it-works.html

I've tried to search around in the SDK, but I think wolfSSL is built in as a library so it might not be so easy to modify.

  • Hi Matt,

    This typically indicates that a certificate in the chain could not be verified, likely because the CA programmed in the filesystem is not the CA that signed the chain.

    Try adding the SL_SSL_NOTIFICATION_WRONG_ROOT_CA case to the socket event handler. This can be used to get the Common Name of the CA root expected to verify the certificate by the device. Make sure this matches Starfield as you expect.

    Refer to 7.7.1 in the Network Processor Programmer's Guide.

    Best Regards,

    Ben M

  • Thanks, that helped me figure it out. AWS has two Starfield root CAs and their trust repository website was saying it's a different root CA than it actually is. Once I figured out which one I needed, I was able to load that into the device and connect successfully.
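
An added example, not part of the thread or of TI's SDK: a socket event handler with the SL_SSL_NOTIFICATION_WRONG_ROOT_CA case suggested in the reply above, keeping the CA name the device reports so it can be compared with the CA file that was provisioned. Assumptions: the USE_SIMPLELINK_SDK macro, g_wantedRootCa, wanted_root_ca() and the reduced stand-in types (with placeholder constant values) are hypothetical and exist only so the block builds off-target; on the device, include the SDK header instead.

```c
#include <stdio.h>
#include <string.h>

#ifdef USE_SIMPLELINK_SDK            /* on-target build */
#include <ti/drivers/net/wifi/simplelink.h>
#else
/* Reduced stand-ins so the handler builds off-target. The constant values
   are placeholders; the SDK header defines the real ones. */
#define SL_SOCKET_ASYNC_EVENT             2
#define SL_SSL_NOTIFICATION_WRONG_ROOT_CA 130
typedef struct { unsigned char Sd, Type; short Val; signed char *pExtraInfo; } SlSocketAsyncEvent_t;
typedef union  { SlSocketAsyncEvent_t SockAsyncData; } SlSockEventData_u;
typedef struct { unsigned long Event; SlSockEventData_u SocketAsyncEvent; } SlSockEvent_t;
#endif

/* Hypothetical application state: name of the root CA the device asked for. */
static char g_wantedRootCa[128];

const char *wanted_root_ca(void) { return g_wantedRootCa; }

void SimpleLinkSockEventHandler(SlSockEvent_t *pSock)
{
    if (pSock == NULL || pSock->Event != SL_SOCKET_ASYNC_EVENT)
        return;
    switch (pSock->SocketAsyncEvent.SockAsyncData.Type) {
    case SL_SSL_NOTIFICATION_WRONG_ROOT_CA: {
        const char *cn = (const char *)pSock->SocketAsyncEvent.SockAsyncData.pExtraInfo;
        /* Keep a bounded copy of the name rather than the pointer. */
        snprintf(g_wantedRootCa, sizeof g_wantedRootCa, "%s", cn ? cn : "");
        printf("TLS: root CA in file system does not verify the chain; "
               "device expects \"%s\"\n", g_wantedRootCa);
        break;
    }
    default:
        break;   /* other async socket events are ignored here */
    }
}

int main(void)
{
    /* Constructed event with a made-up CA name, for an off-target run. */
    static signed char name[] = "Example Root CA (constructed)";
    SlSockEvent_t ev = { 0 };
    ev.Event = SL_SOCKET_ASYNC_EVENT;
    ev.SocketAsyncEvent.SockAsyncData.Type = SL_SSL_NOTIFICATION_WRONG_ROOT_CA;
    ev.SocketAsyncEvent.SockAsyncData.pExtraInfo = name;
    SimpleLinkSockEventHandler(&ev);
    return strcmp(wanted_root_ca(), "Example Root CA (constructed)") != 0;
}
```

The name printed by the handler is the one to look for when choosing which root CA file to write to the device file system.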