What site (and port) are you trying to access?

On 4 Mar 2021, at 12:09 PM, Stephen Casner <casner@acm.org> wrote:

Mark,

Thanks for that reply.  As I mentioned, if I don't configure
WOLFSSL_ALT_CERT_CHAIN then I get an "ASN no signer to confirm"
error.  Do you have any idea why that might be?  That is, am I likely
to be missing access to some key?  Of some key not being present in a
cert when it should be there?

                                                       -- Steve

On Thu, 4 Mar 2021, Mark Webb-Johnson wrote:

Steve,

A thorny issue. Servers are _supposed_ to provide intermediate certificates, up to a trusted root. When you are issued a certificate, it includes a bundle of these intermediary certificates to be installed at the same time.  In practice, servers are often mis-configured so they do not. This is made worse by browsers silently detecting this, then downloading the missing intermediate certificates (the child certificate contains a URL to its parent's cert).

For Open Vehicles, I don't think we need to deal with this, and we certainly don't need the complexity of automatically downloading intermediate certificates. I think if the user wants to access a server misconfigured in that way, he can simply import and trust the intermediate certificate directly.

I don't think we should set WOLFSSL_ALT_CERT_CHAIN.

Regarding your question, in normal operation OVMS as a client must validate the server certificates it connect to. I don't think OVMS currently supports client certificates, although if it did we would have to correctly provide those to the server on connection.

Regards, Mark.

On 4 Mar 2021, at 9:00 AM, Stephen Casner <casner@acm.org> wrote:

I find that I need to enable the following option in my testing of the
possible replacement of MEDTLS with WolfSSL, otherwise I get an "ASN
no signer to confirm" error:

  WOLFSSL_ALT_CERT_CHAIN allows CA's to be presented by peer, but
  not part of a valid chain. Default wolfSSL behavior is to require
  validation of all presented peer certificates. This also allows
  loading intermediate CA's as trusted and ignoring no signer
  failures for CA's up the chain to root. The alternate certificate
  chain mode only requires that the peer certificate validate to a
  trusted CA.

Is that expected for the trust arrangements we are using?

A possibly related question: do we expect the server to validate
clients, or only the clients to validate the server?

                                                      -- Steve
_______________________________________________
OvmsDev mailing list
OvmsDev@lists.openvehicles.com
http://lists.openvehicles.com/mailman/listinfo/ovmsdev

_______________________________________________
OvmsDev mailing list
OvmsDev@lists.openvehicles.com
http://lists.openvehicles.com/mailman/listinfo/ovmsdev
_______________________________________________
OvmsDev mailing list
OvmsDev@lists.openvehicles.com
http://lists.openvehicles.com/mailman/listinfo/ovmsdev