1 (edited by sapi01 2021-06-21 02:38:27)

Topic: How to make wolfSSL use trusted root CA for TLS clients

Hi, I'm currently testing out the `wolfssl-examples/tls/client-tls.c` code.

On this line, https://github.com/wolfSSL/wolfssl-exam … ls.c#L110, I can see that you're using `wolfSSL_CTX_load_verify_locations` to load a CA certificate. I guess, in this case, it's a self-signed CA because you're using the certificates signed by the CA pointed to by `CERT_FILE` (from the Doxygen documentation).

But how can I make wolfSSL TLS clients use the trusted root CAs located in `/etc/ssl/certs`, for example, when I try to connect to servers like Google or something which uses trusted certs (not the self-signed CA which I give in `wolfSSL_CTX_load_verify_locations`)? When I removed lines 110 - 115 (https://github.com/wolfSSL/wolfssl-examples/blob/master/tls/client-tls.c#L110-L115) and tried to connect to an SSL server that uses a Let's Encrypt or DigiCert certificate, it fails to connect.

I have limited experience with wolfSSL; it would be helpful if someone could tell me how to make wolfSSL TLS clients use the trusted CAs.


Re: How to make wolfSSL use trusted root CA for TLS clients

Hello sapi01,

You'll want to build the library with the option "WOLFSSL_ALT_CERT_CHAINS".

src/internal.c

* WOLFSSL_ALT_CERT_CHAINS:
*     Allows CA's to be presented by peer, but not part of a valid chain.
*     Default wolfSSL behavior is to require validation of all presented peer
*     certificates. This also allows loading intermediate CA's as trusted
*     and ignoring no signer failures for CA's up the chain to root.

Thanks,
Eric @ wolfSSL Support