You are not logged in. Please login or register.
Please post questions or comments you have about wolfSSL products here. It is helpful to be as descriptive as possible when asking your questions.
ReferenceswolfSSL - Embedded SSL Library → wolfSSL → wolfSSL verification of cert chain
I have a few basic questions about wolfSSL
How can it verify a cert chain, if I only specify a CA cert? From where does it get intermediate certs from? (like intermediate CAs)?
Also related to this, assuming I just use OCSP stapling (not V2), and assuming I have a cert chain, does wolfSSL receive and verify an OCSP response for the immediate parent in the chain?
Based on my understanding of the SSL protocol and the wolfSSL behavior (https://www.wolfssl.com/wolfSSL/Docs-wo … cates.html), it seems that we only need the root CA.
However, at this point, I am guessing that for normal OCSP stapling (not v2), the OCSP response that wolfSSL will receive and verify would pertain to the SSL host it is connecting to. Is this understanding correct?
Correct, you only need the root CA. The other intermediate signers should be in the certificate chain with the peer certificate.
For OCSP stapling, the client should be getting the OCSP response record, signed by the root CA (or its delegate), during the handshake. The OCSP response should be for the server's certificate. (And the response should be the same blob of data you would get if you requested the status directly from the OCSP service listed in the peer's certificate.)
wolfSSL - Embedded SSL Library → wolfSSL → wolfSSL verification of cert chain
Powered by PunBB, supported by Informer Technologies, Inc.
Generated in 0.016 seconds (89% PHP - 11% DB) with 11 queries