Topic: Server-sent legacy intermediate certificates

Hi,

Does wolfSSL support something similar to OpenSSL's X509_V_FLAG_TRUSTED_FIRST key to be able to verify alternative certificate chains?

Risto

Share

Re: Server-sent legacy intermediate certificates

Hi Risto,

We don't currently have an option/flag similar to that.  Can you tell me what's driving your question?

Thanks,
Chris

Re: Server-sent legacy intermediate certificates

Hi,

my problem is with outdated certificate chains.

For example login.live.com:443 returns the following certificate chain:

 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Washington/businessCategory=Private Organization/serialNumber=600413485/C=US/postalCode=98052/ST=Washington/L=Redmond/street=1 Microsoft Way/O=Microsoft Corporation/OU=Passport/CN=login.live.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

In OS X 10.11 the CA root "Class 3 Public Primary Certification Authority" certificate is being removed because OS X El Capitan will not connect to a server that allows negotiation with a 512-bit or smaller group. However there is a self signed root CA in the cert store by the same name and with the same public key as the last certificate sent in the chain "VeriSign Class 3 Public Primary Certification Authority - G5". OpenSSL's X509_V_FLAG_TRUSTED_FIRST key makes it possible not to verify the whole chain and finds out that there is already a self signed CA in the store and uses this one for verification. Same applies to different SSL stack implementation and that's why browsers for example are able to connect to the server. There's a better description in StackOverflow: http://stackoverflow.com/questions/3006 … -to-verify

Share