[Ovmsdev] TLS CA question

Stephen Casner casner at acm.org
Thu Mar 4 09:00:37 HKT 2021


I find that I need to enable the following option in my testing of the
possible replacement of MBEDTLS with WolfSSL, otherwise I get an "ASN
no signer to confirm" error:

    WOLFSSL_ALT_CERT_CHAIN allows CA's to be presented by peer, but
    not part of a valid chain. Default wolfSSL behavior is to require
    validation of all presented peer certificates. This also allows
    loading intermediate CA's as trusted and ignoring no signer
    failures for CA's up the chain to root. The alternate certificate
    chain mode only requires that the peer certificate validate to a
    trusted CA.

Is that expected for the trust arrangements we are using?

A possibly related question: do we expect the server to validate
clients, or only the clients to validate the server?

                                                        -- Steve
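
The two validation policies in the quoted option text, as an added example that is not part of the original message and is not wolfSSL code. It is a simplified model in which issuer names stand in for signature checks, and all certificate names are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

def verify_chain(presented, trusted, alt_cert_chain=False):
    """Simplified model: names stand in for signatures; no real crypto.

    presented: peer's certificates, leaf first, then any CA certs it sent.
    trusted:   subject names loaded locally as trust anchors.
    """
    known = set(trusted)
    leaf, sent_cas = presented[0], presented[1:]
    # Check the CA certs the peer sent, from the top of the chain down.
    for ca in reversed(sent_cas):
        if ca.issuer in known:
            known.add(ca.subject)      # verified, may sign the next cert down
        elif not alt_cert_chain:
            return False, f"no signer to confirm {ca.subject}"
        # alt mode: the failure on a presented CA is ignored, and the CA is
        # NOT added to `known`, so it cannot vouch for anything below it.
    if leaf.issuer in known:
        return True, "ok"
    return False, f"no signer to confirm {leaf.subject}"

# Constructed sample data: hypothetical names, not the project's real chain.
ROOT = Cert("Example Root", "Example Root")
INTER = Cert("Example Intermediate", "Example Root")
LEAF = Cert("server.example", "Example Intermediate")
OTHER_CA = Cert("Unlisted CA", "Unlisted CA")
OTHER_LEAF = Cert("server.example", "Unlisted CA")

def demo():
    only_inter = {"Example Intermediate"}   # intermediate trusted, root not loaded
    return {
        "strict_inter_only": verify_chain([LEAF, INTER], only_inter),
        "alt_inter_only": verify_chain([LEAF, INTER], only_inter, True),
        "strict_root": verify_chain([LEAF, INTER], {"Example Root"}),
        "alt_unlisted": verify_chain([OTHER_LEAF, OTHER_CA], only_inter, True),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In this model the strict policy rejects a chain whose presented intermediate is itself trusted but whose root is not loaded, while the alternate policy accepts it and still rejects a leaf that does not validate to a trusted CA.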

