4 Mar
2021
4 Mar
'21
9 a.m.
I find that I need to enable the following option in my testing of the possible replacement of MEDTLS with WolfSSL, otherwise I get an "ASN no signer to confirm" error:
WOLFSSL_ALT_CERT_CHAIN allows CA's to be presented by peer, but
not part of a valid chain. Default wolfSSL behavior is to require
validation of all presented peer certificates. This also allows
loading intermediate CA's as trusted and ignoring no signer
failures for CA's up the chain to root. The alternate certificate
chain mode only requires that the peer certificate validate to a
trusted CA.Is that expected for the trust arrangements we are using?
A possibly related question: do we expect the server to validate clients, or only the clients to validate the server?
-- Steve