What site (and port) are you trying to access?
On 4 Mar 2021, at 12:09 PM, Stephen Casner <casner@acm.org> wrote:
Mark,
Thanks for that reply. As I mentioned, if I don't configure WOLFSSL_ALT_CERT_CHAIN then I get an "ASN no signer to confirm" error. Do you have any idea why that might be? That is, am I likely to be missing access to some key? Of some key not being present in a cert when it should be there?
-- Steve
On Thu, 4 Mar 2021, Mark Webb-Johnson wrote:
Steve,
A thorny issue. Servers are _supposed_ to provide intermediate certificates, up to a trusted root. When you are issued a certificate, it includes a bundle of these intermediary certificates to be installed at the same time. In practice, servers are often mis-configured so they do not. This is made worse by browsers silently detecting this, then downloading the missing intermediate certificates (the child certificate contains a URL to its parent's cert).
For Open Vehicles, I don't think we need to deal with this, and we certainly don't need the complexity of automatically downloading intermediate certificates. I think if the user wants to access a server misconfigured in that way, he can simply import and trust the intermediate certificate directly.
I don't think we should set WOLFSSL_ALT_CERT_CHAIN.
Regarding your question, in normal operation OVMS as a client must validate the server certificates it connect to. I don't think OVMS currently supports client certificates, although if it did we would have to correctly provide those to the server on connection.
Regards, Mark.
On 4 Mar 2021, at 9:00 AM, Stephen Casner <casner@acm.org> wrote:
I find that I need to enable the following option in my testing of the possible replacement of MEDTLS with WolfSSL, otherwise I get an "ASN no signer to confirm" error:
WOLFSSL_ALT_CERT_CHAIN allows CA's to be presented by peer, but not part of a valid chain. Default wolfSSL behavior is to require validation of all presented peer certificates. This also allows loading intermediate CA's as trusted and ignoring no signer failures for CA's up the chain to root. The alternate certificate chain mode only requires that the peer certificate validate to a trusted CA.
Is that expected for the trust arrangements we are using?
A possibly related question: do we expect the server to validate clients, or only the clients to validate the server?
-- Steve _______________________________________________ OvmsDev mailing list OvmsDev@lists.openvehicles.com http://lists.openvehicles.com/mailman/listinfo/ovmsdev
_______________________________________________ OvmsDev mailing list OvmsDev@lists.openvehicles.com http://lists.openvehicles.com/mailman/listinfo/ovmsdev
OvmsDev mailing list OvmsDev@lists.openvehicles.com http://lists.openvehicles.com/mailman/listinfo/ovmsdev