Topic: Order of certificate in chain

I am working on the server side of a system that uses WolfSSL on the client. Another engineer is building the client.  We have a 3-cert chain, A->B->C where A is  the root, B the intermediate, and C the server cert.  The root cert A.pem is installed on the client device.  My server (AWS Elastic Load Balancer or ELB) sends the certificate C.pem followed by B.pem in accordance with RFC 4346/8446

certificate_list
      This is a sequence (chain) of X.509v3 certificates.  The sender's
      certificate must come first in the list.  Each following
      certificate must directly certify the one preceding it.  Because
      certificate validation requires that root keys be distributed
      independently, the self-signed certificate that specifies the root
      certificate authority may optionally be omitted from the chain,
      under the assumption that the remote end must already possess it
      in order to validate it in any case.

I am told that WolfSSL cannot verify this chain because it must receive B.pem before C.pem. My question is: why is that? Is there a configuration in WolfSSL that can accommodate C.pem before B.pem? ELB has no way (at least I can't find it) for me to tell it to send B.pem before C.pem.

TIA.


Re: Order of certificate in chain

Hi rndtk9,

The certificate chain presented by peer should have server cert first, then intermediates, then root.

From src/ssl.c line 4779:

/* Chain should have server cert first, then intermediates, then root.
* First certificate in chain is processed below after ProcessUserChain
*   and is loaded into ssl->buffers.certificate.
* Remainder are processed using ProcessUserChain and are loaded into
*   ssl->buffers.certChain. */

Thanks,
David Garske, wolfSSL

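A way to check, from the server operator's side, that what a load balancer hands out matches the order quoted above (end-entity cert first, each following certificate the issuer of the one before it, root optional). This is an added example and not wolfSSL or AWS code; it uses only the Python standard library. A minimal DER reader pulls the issuer and subject Name out of each certificate and the chain is accepted when issuer(cert[i]) equals subject(cert[i+1]). Signatures are not verified here (that remains the TLS library's job), and names are compared byte-for-byte rather than with full RFC 5280 name matching. The three certificates A, B and C built inline are constructed, unsigned toy certificates so that the script runs offline; the same functions can be pointed at a real PEM chain, for example the output of `openssl s_client -showcerts`.

```python
"""Check that a PEM chain is ordered as RFC 4346/8446 require: end-entity
certificate first, each following certificate directly certifying the one
preceding it. Added example, not wolfSSL code; standard library only."""
import base64
import re


def _read_tlv(buf, pos=0):
    """Read one DER TLV starting at buf[pos]; return (tag, value, end_offset)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed DER value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def names_of(der_cert):
    """Return (issuer_der, subject_der) from an X.509 certificate in DER form."""
    _, cert, _ = _read_tlv(der_cert)       # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs, _ = _read_tlv(cert)            # tbsCertificate SEQUENCE
    fields = _children(tbs)
    if fields[0][0] == 0xA0:               # [0] EXPLICIT version is optional (absent in v1)
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    return fields[2][1], fields[4][1]


def load_pem_chain(text):
    """Return the DER certificates found in a PEM text, in file order."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def check_chain_order(der_certs):
    """Return (ok, message); ok is True when each following certificate is the
    issuer of the one preceding it, i.e. the order the RFC text and wolfSSL expect."""
    for i in range(len(der_certs) - 1):
        issuer, _ = names_of(der_certs[i])
        _, subject = names_of(der_certs[i + 1])
        if issuer != subject:
            return False, f"certificate {i + 1} does not certify certificate {i}"
    return True, "chain order is valid"


# --- constructed sample chain (toy, unsigned certificates) below this line ---

def _tlv(tag, value):
    """Minimal DER encoder for one TLV (short and long length forms)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _name(cn):
    """Name ::= SEQUENCE OF RDN; one RDN holding commonName (OID 2.5.4.3) as UTF8String."""
    atv = _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def _toy_cert(subject_cn, issuer_cn):
    """Constructed v3-shaped certificate with placeholder algorithm, validity, key and signature."""
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))
    serial = _tlv(0x02, b"\x01")
    sig_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a8648ce3d040302")))   # ecdsa-with-SHA256 OID
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"340101000000Z"))
    spki = _tlv(0x30, b"")                                                   # empty placeholder key
    tbs = _tlv(0x30, version + serial + sig_alg + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00"))                 # empty placeholder signature


def _pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


ROOT_A = _toy_cert("A root", "A root")               # self-signed root, installed on the client
INTER_B = _toy_cert("B intermediate", "A root")
SERVER_C = _toy_cert("C server", "B intermediate")

ELB_ORDER_PEM = _pem(SERVER_C) + _pem(INTER_B)       # what the ELB sends: C then B, root omitted
REVERSED_PEM = _pem(INTER_B) + _pem(SERVER_C)        # B before C, the order asked about in the thread

if __name__ == "__main__":
    for label, pem in (("C then B", ELB_ORDER_PEM), ("B then C", REVERSED_PEM)):
        print(label, "->", check_chain_order(load_pem_chain(pem)))
```

Run against a real chain, the check returns `(True, ...)` for C followed by B (with or without A appended) and `(False, ...)` when B precedes C, which is exactly the case the original poster describes.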