X509 certificate parse error with IoT device

Hi,

I am trying to connect to an IoT device (wallbox) that requires a TLS websocket connection on the local network using self-signed certificates. Sadly this fails with the following error:

http: TLS handshake error from 192.168.1.146:48934: tls: failed to parse client certificate: x509: invalid basic constraints b

There is no way to get a change of the certificate, this is a big brand with thousands of devices rolled out all having self-signed certificates resulting in this error.

Does anyone have a hint on how to get this working?

Please let me know if there is more information needed.

Thanks,
Andreas

P.S.: This is the openssl output for the cert:

openssl s_client -showcerts -connect 192.168.1.146:4712
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = EEBUS, O = EVBox Intelligence, C = NL
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = EEBUS, O = EVBox Intelligence, C = NL
verify return:1
8005FF0401000000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1584:SSL alert number 40
---
Certificate chain
 0 s:CN = EEBUS, O = EVBox Intelligence, C = NL
   i:CN = EEBUS, O = EVBox Intelligence, C = NL
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA256
   v:NotBefore: Jan 29 18:39:40 2022 GMT; NotAfter: Jan 24 18:39:40 2042 GMT
-----BEGIN CERTIFICATE-----
MIIBtDCCAVmgAwIBAgIBATAKBggqhkjOPQQDAjA6MQ4wDAYDVQQDDAVFRUJVUzEb
MBkGA1UECgwSRVZCb3ggSW50ZWxsaWdlbmNlMQswCQYDVQQGEwJOTDAeFw0yMjAx
MjkxODM5NDBaFw00MjAxMjQxODM5NDBaMDoxDjAMBgNVBAMMBUVFQlVTMRswGQYD
VQQKDBJFVkJveCBJbnRlbGxpZ2VuY2UxCzAJBgNVBAYTAk5MMFkwEwYHKoZIzj0C
AQYIKoZIzj0DAQcDQgAEuYapdEza5A/g5+aljzd0JXSo7OfyvBKgMgKpfc9tSM5C
CY1woaO8ihWKgnOk2iuq2YvIRMVgDN9lTiNK50a3TaNQME4wDAYDVR0TBAUwAwEB
ATAdBgNVHQ4EFgQUx/r18u3TEx4PLoZJ44mDxiCIbeYwHwYDVR0jBBgwFoAUx/r1
8u3TEx4PLoZJ44mDxiCIbeYwCgYIKoZIzj0EAwIDSQAwRgIhAN91bwc22V0E4WHT
HE3lRUsQ6KwNzMGigMQfDfQH/MtuAiEArwQ1VG7oPlFEzGAXOjPWux3qA+lnvsol
YGo6XJY43lI=
-----END CERTIFICATE-----
---
Server certificate
subject=CN = EEBUS, O = EVBox Intelligence, C = NL
issuer=CN = EEBUS, O = EVBox Intelligence, C = NL
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1:DSA+SHA224:DSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 790 bytes and written 475 bytes
Verification error: self-signed certificate
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES128-SHA256
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-SHA256
    Session-ID: B5C6E2E44D78B195EE6D9A740FF7F17CABA167CA415E091C1A893A1B3B310A9B
    Session-ID-ctx:
    Master-Key: E960CB2488E8F0E39014833C7FB6A5A925FF4EDC1AF96B20B09506CF9774D8CF495AE2DC42AD0B86F31E2874BDA081BE
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1654200840
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: yes
---
1 Like

We found a “fix”. When adding the handling of value 0x1 as true by adding

	case 1:
		*out = true

in go/asn1.go at master · golang/go · GitHub the certificate would be accepted.

Is this something that could be considered to be added? How could I approach that?

2 Likes
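
An added example, not part of the original posts and not Go's own code: DER permits only 0x00 and 0xFF as BOOLEAN content, so this sketch pulls the raw cA byte out of a basicConstraints extension to confirm whether a certificate carries the 0x01 encoding discussed above. The names `CABoolean` and `IsDERBool` and the sample bytes are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/asn1"
	"fmt"
)

var oidBC = []byte{0x06, 0x03, 0x55, 0x1d, 0x13} // OID 2.5.29.19 (basicConstraints) with tag and length
var sampleBER = []byte{0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0x01} // constructed: cA = 0x01
var sampleDER = []byte{0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff} // constructed: cA = 0xff

// CABoolean returns the raw content byte of the cA BOOLEAN in the first basicConstraints
// extension in der. The OID is found by byte search (a diagnostic heuristic, assumption).
func CABoolean(der []byte) (val byte, present bool, err error) {
	i := bytes.Index(der, oidBC)
	if i < 0 {
		return 0, false, fmt.Errorf("no basicConstraints extension")
	}
	var v asn1.RawValue // RawValue keeps the content bytes uninterpreted
	rest, err := asn1.Unmarshal(der[i+len(oidBC):], &v)
	if err == nil && v.Tag == asn1.TagBoolean {
		_, err = asn1.Unmarshal(rest, &v) // skip the optional critical flag
	}
	if err != nil || v.Tag != asn1.TagOctetString {
		return 0, false, fmt.Errorf("malformed extension")
	}
	if _, err = asn1.Unmarshal(v.Bytes, &v); err != nil || v.Tag != asn1.TagSequence {
		return 0, false, fmt.Errorf("malformed BasicConstraints")
	}
	if len(v.Bytes) == 0 { // empty SEQUENCE: cA omitted (DEFAULT FALSE)
		return 0, false, nil
	}
	_, err = asn1.Unmarshal(v.Bytes, &v)
	present = err == nil && v.Tag == asn1.TagBoolean && len(v.Bytes) == 1
	if present {
		val = v.Bytes[0]
	}
	return val, present, err
}

// IsDERBool reports whether b is a BOOLEAN content byte that DER allows.
func IsDERBool(b byte) bool { return b == 0x00 || b == 0xff }

func main() {
	for _, s := range [][]byte{sampleBER, sampleDER} {
		v, ok, err := CABoolean(s)
		fmt.Printf("cA=0x%02x present=%v strictDER=%v err=%v\n", v, ok, IsDERBool(v), err)
	}
}
```

To check a real certificate, pass the decoded DER bytes of the PEM block to `CABoolean`.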

Hi,

I’m having the same issue and just opened a proposal to change this: proposal: x/crypto: decode ASN.1 BOOLEAN 0x01 as true when validating certificate basic constraints · Issue #53932 · golang/go · GitHub

Let’s see how it is received. 🙂