this example we want to test Deffie Hellman on random server
exactly this : DH-RSA-AES128-GCM-SHA256
we use this command line and we see wireshark :
openssl s_client -cipher DH -connect yoursite.com:443 -msg -debug treadmills.

amirmaim wrote:

Thanks Bitgid, but I've seen this manual and the answer to my question is not there.

to clarify: assuming we have 3 certificates A->B->C (A signed B, B signed C), where A is self-signed certificate, is there a way to load B as the my trust anchor, and allow WOLFSSL to authenticate C only with B (that is, without self-signed certificate)?

this behavior will be equivalent to OPENSSL with "partial_chain" flag.

anyway, thanks!


Oh,ok.I will try search more infor for you!

amirmaim wrote:


OPENSSL provide the flag "partial_chain" that allow non self signed certificates to be used as CA, and verify certificates signed by one of those non self signed CA certificates. also, with "partial_chain" a non self signed CA can verify itself (which I'm not sure that is a private case of the partial chain verification rule).

is there a similar behavior supported by WOLFSSL? I'm looking for partial chain verification, self-verification, or both.

I know there is possibility to overwrite the verification result with verify_cb mechanism but I want to use WOLFSSL verification schemes. maybe I can call relevant WOLFSSL function from inside my verify_cb?



without the flag, OPENSSL return "unable to get local issuer certificate". WOLFSSL return -188 (ASN_NO_SIGNER_E).

Check out this manual.
There are several good and useful answers.
And a special thank to Bitcohen.
Regards BG!