Support for System Certificate Store

In our recent wolfSSL v5.5.2 (Oct 28, 2022) release we added support for loading the system trusted certificates on several platforms. This makes it easier to leverage the operating system’s built-in trust mechanism for connecting to websites.

The support is enabled by default when using autoconf (./configure). The new option is “–enable-sys-ca-certs” or “#define WOLFSSL_SYS_CA_CERTS”.

The platforms supported and tested are:
Linux (Debian, Ubuntu, Gentoo, Fedora, RHEL)
Apple Mac OS X / iOS
Windows 10/11
Android

To enable this feature we added an API “wolfSSL_CTX_load_system_CA_certs” to load these into our certificate manager.

To test, use our example client “examples/client/client” with the “–sys-ca-certs” argument to load the trusted certificates.

Example:

$ ./configure –enable-sys-ca-certs
$ make

$ ./examples/client/client -h www.google.com -p 443 –sys-ca-certs -g
SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSL curve name is SECP256R1
SSL connect ok, sending GET…
HTTP/1.0 200 OK
Date: Tue, 07 Mar 2023 22:05:41 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
P3P: CP=”This is not a P3P policy! See g.co/p3phelp for more info.”
Server: gws
X-XSS-Protection: 0
X-Fra

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.