Topic: Server-sent legacy intermediate certificates
Hi,
Does wolfSSL support something similar to OpenSSL's X509_V_FLAG_TRUSTED_FIRST key to be able to verify alternative certificate chains?
Risto
You are not logged in. Please login or register.
Please post questions or comments you have about wolfSSL products here. It is helpful to be as descriptive as possible when asking your questions.
ReferenceswolfSSL - Embedded SSL Library → wolfSSL → Server-sent legacy intermediate certificates
Hi,
Does wolfSSL support something similar to OpenSSL's X509_V_FLAG_TRUSTED_FIRST key to be able to verify alternative certificate chains?
Risto
Hi Risto,
We don't currently have an option/flag similar to that. Can you tell me what's driving your question?
Thanks,
Chris
Hi,
my problem is with outdated certificate chains.
For example login.live.com:443 returns the following certificate chain:
0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Washington/businessCategory=Private Organization/serialNumber=600413485/C=US/postalCode=98052/ST=Washington/L=Redmond/street=1 Microsoft Way/O=Microsoft Corporation/OU=Passport/CN=login.live.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
In OS X 10.11 the CA root "Class 3 Public Primary Certification Authority" certificate is being removed because OS X El Capitan will not connect to a server that allows negotiation with a 512-bit or smaller group. However there is a self signed root CA in the cert store by the same name and with the same public key as the last certificate sent in the chain "VeriSign Class 3 Public Primary Certification Authority - G5". OpenSSL's X509_V_FLAG_TRUSTED_FIRST key makes it possible not to verify the whole chain and finds out that there is already a self signed CA in the store and uses this one for verification. Same applies to different SSL stack implementation and that's why browsers for example are able to connect to the server. There's a better description in StackOverflow: http://stackoverflow.com/questions/3006 … -to-verify
wolfSSL - Embedded SSL Library → wolfSSL → Server-sent legacy intermediate certificates
Powered by PunBB, supported by Informer Technologies, Inc.
Generated in 0.028 seconds (90% PHP - 10% DB) with 12 queries