[Ovmsdev] TLS CA question

Mark Webb-Johnson mark at webb-johnson.net
Thu Mar 4 12:22:51 HKT 2021


What site (and port) are you trying to access?

> On 4 Mar 2021, at 12:09 PM, Stephen Casner <casner at acm.org> wrote:
> 
> Mark,
> 
> Thanks for that reply.  As I mentioned, if I don't configure
> WOLFSSL_ALT_CERT_CHAIN then I get an "ASN no signer to confirm"
> error.  Do you have any idea why that might be?  That is, am I likely
> to be missing access to some key?  Or some key not being present in a
> cert when it should be there?
> 
>                                                        -- Steve
> 
> On Thu, 4 Mar 2021, Mark Webb-Johnson wrote:
> 
>> Steve,
>> 
>> A thorny issue. Servers are _supposed_ to provide intermediate certificates, up to a trusted root. When you are issued a certificate, it includes a bundle of these intermediary certificates to be installed at the same time.  In practice, servers are often mis-configured so they do not. This is made worse by browsers silently detecting this, then downloading the missing intermediate certificates (the child certificate contains a URL to its parent's cert).
>> 
>> For Open Vehicles, I don't think we need to deal with this, and we certainly don't need the complexity of automatically downloading intermediate certificates. I think if the user wants to access a server misconfigured in that way, he can simply import and trust the intermediate certificate directly.
>> 
>> I don't think we should set WOLFSSL_ALT_CERT_CHAIN.
>> 
>> Regarding your question, in normal operation OVMS as a client must validate the server certificates it connects to. I don't think OVMS currently supports client certificates, although if it did we would have to correctly provide those to the server on connection.
>> 
>> Regards, Mark.
>> 
>>> On 4 Mar 2021, at 9:00 AM, Stephen Casner <casner at acm.org> wrote:
>>> 
>>> I find that I need to enable the following option in my testing of the
>>> possible replacement of mbedTLS with WolfSSL, otherwise I get an "ASN
>>> no signer to confirm" error:
>>> 
>>>   WOLFSSL_ALT_CERT_CHAIN allows CA's to be presented by peer, but
>>>   not part of a valid chain. Default wolfSSL behavior is to require
>>>   validation of all presented peer certificates. This also allows
>>>   loading intermediate CA's as trusted and ignoring no signer
>>>   failures for CA's up the chain to root. The alternate certificate
>>>   chain mode only requires that the peer certificate validate to a
>>>   trusted CA.
>>> 
>>> Is that expected for the trust arrangements we are using?
>>> 
>>> A possibly related question: do we expect the server to validate
>>> clients, or only the clients to validate the server?
>>> 
>>>                                                       -- Steve
>>> _______________________________________________
>>> OvmsDev mailing list
>>> OvmsDev at lists.openvehicles.com
>>> http://lists.openvehicles.com/mailman/listinfo/ovmsdev
>> 
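The situation the thread is arguing about can be reproduced offline. The script below is an added example, not code from OVMS, wolfSSL or anyone on the list: it builds a throwaway root -> intermediate -> leaf PKI and then runs the chain checks a TLS client performs, using the openssl CLI as a stand-in for wolfSSL's verifier. OpenSSL's default behaviour (a chain must reach a self-signed root) corresponds to wolfSSL's default, and its -partial_chain flag corresponds to WOLFSSL_ALT_CERT_CHAIN as Steve quotes it ("only requires that the peer certificate validate to a trusted CA"). Where wolfSSL reports ASN_NO_SIGNER_E ("ASN no signer to confirm"), OpenSSL reports "unable to get local issuer certificate"; both mean the same thing, that the verifier could not find the issuer of the last certificate it was handed. The script assumes an openssl binary (1.1.1 or newer) on PATH; every name in it (Example Root CA, ovms.example.invalid, the file names) is constructed for the example.

```shell
#!/bin/sh
# Added example (not OVMS or wolfSSL code): throwaway PKI root -> intermediate
# -> leaf, then the chain checks a TLS client performs, using the openssl CLI
# as a stand-in for wolfSSL's verifier. Assumes openssl 1.1.1+ on PATH; all
# names below are constructed for the example.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the result does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Extensions for the issued certificates (read from the default section).
printf '%s\n' 'basicConstraints = critical,CA:TRUE' \
  'keyUsage = critical,keyCertSign,cRLSign' \
  'subjectKeyIdentifier = hash' \
  'authorityKeyIdentifier = keyid,issuer' > int.ext
printf '%s\n' 'basicConstraints = CA:FALSE' \
  'keyUsage = critical,digitalSignature,keyEncipherment' \
  'extendedKeyUsage = serverAuth' \
  'subjectAltName = DNS:ovms.example.invalid' \
  'subjectKeyIdentifier = hash' \
  'authorityKeyIdentifier = keyid,issuer' > leaf.ext

setup_pki() {
  # Self-signed root: the only thing the client is meant to trust.
  openssl req -x509 -new -config req.cnf -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Example Root CA" -keyout root.key -out root.pem >/dev/null 2>&1
  # Intermediate CA signed by the root.
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Intermediate CA" -keyout int.key -out int.csr >/dev/null 2>&1
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -sha256 -extfile int.ext -out int.pem >/dev/null 2>&1
  # Server (leaf) certificate signed by the intermediate.
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=ovms.example.invalid" -keyout leaf.key -out leaf.csr >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 2 -sha256 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1
}

# chain_status TRUSTED UNTRUSTED PARTIAL LEAF
#   TRUSTED   PEM the client has imported as a trust anchor
#   UNTRUSTED PEM the server sent alongside the leaf, or "none" (misconfigured server)
#   PARTIAL   "yes" to accept a chain that stops at a trusted non-root CA, which is
#             what -partial_chain does in OpenSSL and WOLFSSL_ALT_CERT_CHAIN in wolfSSL
# Prints OK or FAIL and always returns 0 so it composes under set -e.
chain_status() {
  trusted=$1; untrusted=$2; partial=$3; leaf=$4
  set -- -CAfile "$trusted"
  if [ "$untrusted" != none ]; then set -- "$@" -untrusted "$untrusted"; fi
  if [ "$partial" = yes ]; then set -- "$@" -partial_chain; fi
  if openssl verify "$@" "$leaf" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

setup_pki
printf '%-50s %s\n' "trust root, server sends leaf only:"           "$(chain_status root.pem none    no  leaf.pem)"
printf '%-50s %s\n' "trust root, server sends leaf + intermediate:" "$(chain_status root.pem int.pem no  leaf.pem)"
printf '%-50s %s\n' "trust intermediate, strict chain to a root:"   "$(chain_status int.pem  none    no  leaf.pem)"
printf '%-50s %s\n' "trust intermediate, partial chain allowed:"    "$(chain_status int.pem  none    yes leaf.pem)"
printf '%-50s %s\n' "trust root, partial chain, leaf only:"         "$(chain_status root.pem none    yes leaf.pem)"
```

The first two rows are the server-side story: the same leaf fails when the server omits its intermediate and passes when it sends it, with no change on the client. The third and fourth rows are Mark's suggested workaround of importing the intermediate as a trust anchor: a strict verifier (OpenSSL's default, and wolfSSL's default per the quoted text) still refuses because it cannot walk from the intermediate up to a self-signed root, so that workaround only takes effect together with the partial-chain mode that the thread is debating. The last row is the caveat: the relaxed mode does not rescue a server that sends only its leaf, because there is still no issuer to validate against; the only fix for that is on the server.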
