Topic: Verifying a certificate chain (from old forums)

#
Does wolfSSL embedded SSL support SSL_CTX_use_certificate_chain_file()? If not, how do I verify a client's certificate that is signed by a manufacturer's CA, which was in turn signed by a root certificate like VeriSign's?

Thanks.

Peter
#
touska (Project Admin)

2007-01-18 18:49:17 UTC
yaSSL supports SSL_CTX_use_certificate_chain_file(), but only if it follows the specification in the man page, i.e.,

"The certificates must be in PEM format and must be sorted starting with the subject's certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA."

Does the actual client's certificate start the chain? If it doesn't, you'll need to call SSL_CTX_use_certificate_file() for each of the files in the chain that aren't the clients. That is, for Verisign and for the manufacturer's CA in your example.

Hope this helps,
Todd
#
touska (Project Admin)

2007-01-18 18:51:52 UTC
Correction: I was talking about wolfSSL supporting SSL_CTX_use_certificate_chain_file().

Todd
#
moises_phoebus

2007-09-20 14:26:25 UTC
Hi,

I'm having problems with certificate chain verification too.

In ParserCert() I got a "CyaSSL error occurred, error = -155, ASN sign error, confirm failure".
I'm trying to verify a web site's certificate that is signed by "VeriSign Trust Network" that is an intermediate CA certificate signed by "VeriSign, Inc. Class 3 Public Primary Certification Authority".
#
touska (Project Admin)

2007-09-20 17:39:41 UTC
Hi,

You'll need to first load the root certificate, or at least have it first in the chain. In this case, the VeriSign, Inc. Class 3 one. wolfSSL doesn't load any trusted certificates by default; that's up to you. In the wolfSSL examples, the client loads ca-cert.pem as a trusted root and then verifies that the server's cert, server-cert.pem, is signed by a trusted root. You should be able to find the root on the web or export it from a browser.

Regards,
Todd
#
touska (Project Admin)

2007-09-20 17:43:38 UTC
Hi,

You'll also need to load the intermediate certificate "VeriSign Trust Network". Try doing that first.

Thanks,
Todd
#
moises_phoebus

2007-09-21 11:24:49 UTC
I have only the VeriSign, Inc. Class 3 one.
#
touska (Project Admin)

2007-09-21 19:48:02 UTC
In order to properly verify it you'll need to load the other one as trusted as well. If your browser can get to the site then you should be able to export the certificate from your browser or find it on the Verisign site.
#
moises_phoebus

2008-02-21 13:30:15 UTC
This is the situation that I have ...

(C1) +Class 3 Public Primary Certification Authority
|
(C2) +-+www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
|
(C3) +--bankline.itau.com.br

C1 is a root CA (certificate authority), C2 is an intermediate CA and C3 is the certificate of a website whose authenticity I want to verify so I can access it safely.

The only certificate I have to load as a trusted CA is C1. The problem is that wolfSSL verifies the certificate chain bottom-up, so when it checks whether C3 is signed by a trusted authority it does not recognize C2's signature as reliable; but if it had checked the identity of C2 first, it would have seen that C2 is signed by C1, which is reliable.

Thus, the verification of the certificate chain should be top-down instead of bottom-up, because once C2 is recognized as a trusted CA it should be added to the list of trusted authorities, and then C3 will be accepted as a trusted certificate.
#
touska (Project Admin)

2008-02-21 19:49:44 UTC
I believe you do need to load both C1 and C2, or at least C2. Without C2 there is no way to verify that C2 signed C3 or that C2 was signed by C1. If you look at your browser's certificates you'll see that most are non-root authorities.
#
moises_phoebus

2008-02-22 11:27:59 UTC
In the Firefox and Opera browsers I have C1 and don't have C2... and the certificate chain from C1 through C2 to verify C3 works.
#
touska (Project Admin)

2008-02-22 20:10:47 UTC
If that's the case, then the server is sending C2 to you; otherwise it's impossible to verify C3 without C2's public key.

I tried to verify this by going to https://bankline.itau.com.br but it redirected me to http://www.itau.com.br/. I also tried connecting on port 443, do you have a different url or ip address that I can test?

Thanks for the help.
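The path-building question argued over the last few posts (C1 loaded as trusted, C2 only usable if it is loaded or sent by the server, C3 the site certificate), as an added example that is not from the original posts and not wolfSSL code: it uses Go's standard crypto/x509 instead of the wolfSSL API, because the point is the verification logic, not one library's calls. It generates a throwaway C1/C2/C3 hierarchy in memory (the names, the hostname leaf.example and the keys are all constructed) and then runs the three situations Todd describes: only C1 trusted and C2 absent, C1 trusted with C2 presented by the server, and C2 itself loaded as trusted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed hostname for the end-entity certificate C3; not the site from the thread.
const leafName = "leaf.example"

// makeCert issues a certificate for cn: self-signed when parent is nil (root C1),
// otherwise signed with parent's key (C2 under C1, C3 under C2). Throwaway P-256
// keys and a timestamp serial: a stand-in hierarchy, not a real CA, so it panics
// rather than returning errors.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA, // CA:TRUE is what allows C1 and C2 to act as issuers
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildChain creates the thread's diagram: C1 (root), C2 signed by C1, C3 signed by C2.
func BuildChain() (root, inter, leaf *x509.Certificate) {
	root, rootKey := makeCert("Test Root C1", true, nil, nil)
	inter, interKey := makeCert("Test Intermediate C2", true, root, rootKey)
	leaf, _ = makeCert(leafName, false, inter, interKey)
	return root, inter, leaf
}

// VerifyLeaf takes a TLS client's position: trusted is the certificate the
// application loaded itself (wolfSSL loads none by default); presented are the
// extra certificates the server sent along with its own. It returns the length
// of the validated path (C3 ... trust anchor) or the verification error.
func VerifyLeaf(leaf, trusted *x509.Certificate, presented ...*x509.Certificate) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trusted)
	for _, c := range presented {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       leafName,
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

// IsUnknownAuthority reports whether err is "no path to a trusted root", the
// failure seen with only C1 loaded and C2 neither loaded nor sent by the server.
func IsUnknownAuthority(err error) bool {
	_, ok := err.(x509.UnknownAuthorityError)
	return ok
}

func main() {
	root, inter, leaf := BuildChain()
	fmt.Println(VerifyLeaf(leaf, root))        // 0 x509: certificate signed by unknown authority
	fmt.Println(VerifyLeaf(leaf, root, inter)) // 3 <nil>
	fmt.Println(VerifyLeaf(leaf, inter))       // 2 <nil>
}
```

The first call fails with an unknown-authority error: with only C1 loaded and C2 nowhere in hand, nothing can check C2's signature on C3, and no ordering of the walk, top-down or bottom-up, changes that. In the second call C2 arrives from the server and is used only as an untrusted link; the path still has to end at C1. In the third call C2 has been loaded as trusted, so the path stops there and C1 is never consulted. Trusting an unrelated root while the server presents C2 fails just like the first case, which is why a presented intermediate must never be treated as an anchor.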

#
moises_phoebus

2008-02-29 13:16:33 UTC
https://bankline.itau.com.br/Wap/homewap.wml
or
https://200.246.143.202/Wap/homewap.wml

WML Browser extension for Firefox...
http://wmlbrowser.mozdev.org/
