
(1 replies, posted in wolfSSL)

I am working on the server side of a system that uses wolfSSL on the client. Another engineer is building the client. We have a 3-cert chain, A->B->C, where A is the root, B the intermediate, and C the server cert. The root cert A.pem is installed on the client device. My server (AWS Elastic Load Balancer or ELB) sends the certificate C.pem followed by B.pem in accordance with RFC 4346/8446:

certificate_list
      This is a sequence (chain) of X.509v3 certificates.  The sender's
      certificate must come first in the list.  Each following
      certificate must directly certify the one preceding it.  Because
      certificate validation requires that root keys be distributed
      independently, the self-signed certificate that specifies the root
      certificate authority may optionally be omitted from the chain,
      under the assumption that the remote end must already possess it
      in order to validate it in any case.

I am told that wolfSSL cannot verify this chain because it must receive B.pem before C.pem. My question is: why is that? Is there a configuration in wolfSSL that can accommodate C.pem before B.pem? ELB has no way (at least I can't find it) for me to tell it to send B.pem before C.pem.

TIA.