[Ovmsdev] TLS CA question
casner at acm.org
Thu Mar 4 12:52:43 HKT 2021
Your server api.openvehicles.com on port 6870.
On Thu, 4 Mar 2021, Mark Webb-Johnson wrote:
> What site (and port) are you trying to access?
> > On 4 Mar 2021, at 12:09 PM, Stephen Casner <casner at acm.org> wrote:
> > Mark,
> > Thanks for that reply. As I mentioned, if I don't configure
> > WOLFSSL_ALT_CERT_CHAIN then I get an "ASN no signer to confirm"
> > error. Do you have any idea why that might be? That is, am I likely
> > to be missing access to some key? Of some key not being present in a
> > cert when it should be there?
> > -- Steve
> > On Thu, 4 Mar 2021, Mark Webb-Johnson wrote:
> >> Steve,
> >> A thorny issue. Servers are _supposed_ to provide intermediate certificates, up to a trusted root. When you are issued a certificate, it includes a bundle of these intermediary certificates to be installed at the same time. In practice, servers are often mis-configured so they do not. This is made worse by browsers silently detecting this, then downloading the missing intermediate certificates (the child certificate contains a URL to its parent's cert).
> >> For Open Vehicles, I don't think we need to deal with this, and we certainly don't need the complexity of automatically downloading intermediate certificates. I think if the user wants to access a server misconfigured in that way, he can simply import and trust the intermediate certificate directly.
> >> I don't think we should set WOLFSSL_ALT_CERT_CHAIN.
> >> Regarding your question, in normal operation OVMS as a client must validate the server certificates it connect to. I don't think OVMS currently supports client certificates, although if it did we would have to correctly provide those to the server on connection.
> >> Regards, Mark.
> >>> On 4 Mar 2021, at 9:00 AM, Stephen Casner <casner at acm.org> wrote:
> >>> I find that I need to enable the following option in my testing of the
> >>> possible replacement of MEDTLS with WolfSSL, otherwise I get an "ASN
> >>> no signer to confirm" error:
> >>> WOLFSSL_ALT_CERT_CHAIN allows CA's to be presented by peer, but
> >>> not part of a valid chain. Default wolfSSL behavior is to require
> >>> validation of all presented peer certificates. This also allows
> >>> loading intermediate CA's as trusted and ignoring no signer
> >>> failures for CA's up the chain to root. The alternate certificate
> >>> chain mode only requires that the peer certificate validate to a
> >>> trusted CA.
> >>> Is that expected for the trust arrangements we are using?
> >>> A possibly related question: do we expect the server to validate
> >>> clients, or only the clients to validate the server?
> >>> -- Steve
More information about the OvmsDev