1

(5 replies, posted in wolfSSL)

As an example, a connection to mail.google.com receives a chain with 3 certificates:
(1) server cert from the Google server (www.google.com). This is signed by
(2) Thawte SGC CA, which is signed by
(3) Verisign PCA3 G1 SHA1 (root CA)

The last cert (Verisign) is loaded with CyaSSL_CTX_load_verify_buffer(). It is not possible (in my evaluation environment) to verify this chain with CyaSSL. Google uses a very common way of handling certs; CyaSSL should support at least such a chain, too. That means CyaSSL should check the root CA against the cert in the local CA list, verify and accept the Thawte cert with the Verisign cert, and finally verify and accept the Google cert with the Thawte cert.
In DoCertificate(), the certs are decoded and checked in received order (first Google, then Thawte, last Verisign). The check on Google fails (Thawte not yet accepted); therefore, verification also fails. I had a look at 1.8.0 and cannot find a better solution there.

Regards,
Frank
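As an added illustration of the ordering problem Frank describes (example code written for this page, not code from the thread or from CyaSSL), a toy Python model of the three-cert chain: certificates are (subject, issuer, signature) records and the signatures are HMACs standing in for real X.509 signatures. `verify_received_order` mirrors the leaf-first check described for DoCertificate(), while `verify_from_trust_anchor` accepts a cert only once its issuer has been accepted, so the order on the wire no longer matters.

```python
import hashlib
import hmac
from collections import namedtuple

# Constructed toy model of the 3-cert chain from the post: a cert is
# (subject, issuer, signature) and "signing" is an HMAC under the issuer's
# secret, standing in for real X.509 signatures. Illustration only.
KEYS = {"Verisign PCA3 G1": b"k-root", "Thawte SGC CA": b"k-thawte",
        "www.google.com": b"k-leaf"}
Cert = namedtuple("Cert", "subject issuer sig")

def issue(subject, issuer):
    tbs = f"{subject}|{issuer}".encode()
    return Cert(subject, issuer, hmac.new(KEYS[issuer], tbs, hashlib.sha256).digest())

def signature_ok(cert, issuer_cert):
    # Toy stand-in for verifying cert's signature with the issuer's public key.
    tbs = f"{cert.subject}|{cert.issuer}".encode()
    expected = hmac.new(KEYS[issuer_cert.subject], tbs, hashlib.sha256).digest()
    return cert.issuer == issuer_cert.subject and hmac.compare_digest(cert.sig, expected)

def verify_received_order(chain, trusted):
    # Leaf-first, as the post describes DoCertificate(): each cert must be
    # signed by something already trusted at the moment it is examined.
    accepted = dict(trusted)
    for cert in chain:
        issuer = accepted.get(cert.issuer)
        if issuer is None or not signature_ok(cert, issuer):
            return False  # leaf reached before its intermediate was accepted
        accepted[cert.subject] = cert
    return True

def verify_from_trust_anchor(chain, trusted):
    # Root-first: keep accepting any remaining cert whose issuer is already
    # accepted, so wire order does not matter (RFC 3280 style path building).
    accepted, remaining = dict(trusted), list(chain)
    while remaining:
        linked = [c for c in remaining if c.issuer in accepted and signature_ok(c, accepted[c.issuer])]
        if not linked:
            return False  # nothing left chains to the local CA list
        for cert in linked:
            accepted[cert.subject] = cert
            remaining.remove(cert)
    return True

ROOT = issue("Verisign PCA3 G1", "Verisign PCA3 G1")  # self-signed root
THAWTE = issue("Thawte SGC CA", "Verisign PCA3 G1")
LEAF = issue("www.google.com", "Thawte SGC CA")
RECEIVED = [LEAF, THAWTE, ROOT]   # the order the server sends them
TRUSTED = {ROOT.subject: ROOT}    # what load_verify_buffer() loaded locally
```

Run against `RECEIVED` and `TRUSTED`, the leaf-first check rejects the chain and the trust-anchor-first check accepts it; a forged leaf signature or an empty local CA list is rejected by both.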

2

(5 replies, posted in wolfSSL)

Hi,

While integrating and testing CyaSSL 1.6.5 in a non-OS environment, a problem with chain verification was found: it simply does not work. Searching the net shows the following old thread

http://sourceforge.net/projects/yassl/f … ic/3752835

which describes exactly the same problem (wrong implementation of RFC3280). My implementation needs this chain verification by default. Is there any news, or already an implementation of this feature, in the embedded SSL library?

Regards,
Frank