Topic: Does wolfSSL embedded ssl allow Certificate chain inspection?


      2007-02-21 10:43:05 UTC

      Does yaSSL (or wolfSSL) allow the certificate chain to be inspected when verification fails? This is needed for a web browser's* invalid certificate query box (which asks the user to inspect the certificate chain, in the event of failed verification, and accept or reject the certificate).

      Also, is it possible to determine where verification failed, so that the problem could be highlighted for the user by the web browser?

      If these facilities are not available, are they planned for future releases?

      * NetSurf -

      Best regards,

      Michael Drake
      touska (Project Admin)

      2007-02-22 22:40:45 UTC
      Hi Michael,

      I'll have to add a callback to allow the user the option to approve of the chain when encountering an error. Currently the verify mode can be set to VERIFY_PEER (on by default) or VERIFY_NONE. If VERIFY_PEER is on and the validation fails then an error code is returned, usually a date problem or no CA certificate to verify the chain.

      I know it's normal to allow users the option to use SSL w/o any verification but I'd try to avoid it if you can since you are basically giving up any guarantee of security at that point and might as well be using http.

      I'll reply to this post when I've added the callback and better chain inspection.
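As an added example (not code from this thread and not wolfSSL's own), here is the shape such a verify callback could take: the decision logic records the depth and subject of the certificate that failed and defers to an application prompt, while the wolfSSL-specific glue sits behind HAVE_WOLFSSL so the policy part builds on its own. The wolfSSL names used in the guarded section (wolfSSL_CTX_set_verify, the WOLFSSL_X509_STORE_CTX fields error, error_depth and current_cert, wolfSSL_X509_get_subject_name, wolfSSL_X509_NAME_oneline, WOLFSSL_VERIFY_PEER) are assumed from later wolfSSL releases; prompt_policy, user_answer and HAVE_WOLFSSL are placeholders of this example.

```c
/* Where in the chain verification failed; this is what a browser's
 * "inspect certificate" dialog needs. depth 0 is the server (leaf) cert. */
struct verify_failure {
    int  error;         /* library error code reported at this depth */
    int  depth;         /* 0 = leaf, higher values = issuers */
    char subject[256];  /* subject name of the certificate that failed */
};

/* Application policy hook: return 1 to accept the chain anyway, 0 to reject. */
typedef int (*approve_fn)(const struct verify_failure *f, void *user);

/* Pure decision logic, independent of wolfSSL: continue only if the library
 * already accepted this cert or the policy approves; copy the failure out. */
int decide_verify(int preverify_ok, const struct verify_failure *f,
                  approve_fn approve, void *user, struct verify_failure *out)
{
    if (preverify_ok)
        return 1;
    if (out) *out = *f;             /* let the UI highlight what failed */
    return approve ? approve(f, user) : 0;
}

/* Constructed sample policy standing in for the user prompt: the user's
 * answer arrives via `user` (int, 1 = approved). A failed leaf certificate
 * is never accepted; only an issuer-level failure may be overridden. */
int prompt_policy(const struct verify_failure *f, void *user)
{
    int user_approved = user ? *(int *)user : 0;
    return f->depth > 0 && user_approved;
}

#ifdef HAVE_WOLFSSL   /* wolfSSL glue; API names here are assumed */
#include <wolfssl/options.h>
#include <wolfssl/ssl.h>
static struct verify_failure last_failure; static int user_answer; /* set by UI */

/* Signature expected by wolfSSL_CTX_set_verify(). */
static int chain_verify_cb(int preverify, WOLFSSL_X509_STORE_CTX *store)
{
    struct verify_failure f = { store->error, store->error_depth, "" };
    if (store->current_cert)
        wolfSSL_X509_NAME_oneline(wolfSSL_X509_get_subject_name(store->current_cert),
                                  f.subject, sizeof f.subject);
    return decide_verify(preverify, &f, prompt_policy, &user_answer, &last_failure);
}
/* wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, chain_verify_cb); */
#endif
```

With VERIFY_NONE none of this runs and the connection is unauthenticated, which is the situation the reply above warns against; the callback keeps VERIFY_PEER on and only widens acceptance where the policy explicitly allows it.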