Topic: retry certificate validation without openssl

As a client, I'm trying to validate a certificate chain, and if it fails, I use a callback to do some of my own validation on the root certificate.

I'm using wolfSSL_CTX_set_verify to set up my callback, and I'm using wolfSSL_SetCertCbCtx to pass in my own arguments in order to perform some minor validation of the root cert; if it matches what I want, then I load a specific cert from the system or a buffer.

I don't want to use any OpenSSL compatibility code, so I'm not using OPENSSL_ALL, OPENSSL_EXTRA, etc., and thus I can't use wolfSSL_X509_verify_cert.

Is there a way to have wolfSSL attempt to re-validate the chain now that I have loaded a cert into my SSL context?


Re: retry certificate validation without openssl

Hi smith.jhn182,

Thanks for reaching out to wolfSSL!

You can re-validate a peer cert in a callback function.

But you would need to configure with OPENSSL_EXTRA.

See an example at https://github.com/wolfSSL/wolfssl-exam … back.c#L55

Please let me know if you run into any issues.

Thanks,
Tesfa


Re: retry certificate validation without openssl

Thanks,

I think I managed what I needed by using the CertManager and DecodedCert functions.
