Topic: Does wolfSSL embedded ssl allow Certificate chain inspection?
2007-02-21 10:43:05 UTC
Does yaSSL (or wolfSSL) allow the certificate chain to be inspected when verification fails? This is needed for a web browser's* invalid certificate query box (which asks the user to inspect the certificate chain, in the event of failed verification, and accept or reject the certificate).
Also, is it possible to determine where verification failed, so that the problem could be highlighted for the user by the web browser?
If these facilities are not available, are they planned for future releases?
* NetSurf - http://www.netsurf-browser.org/
2007-02-22 22:40:45 UTC
I'll have to add a callback to allow the user the option to approve of the chain when encountering an error. Currently the verify mode can be set to VERIFY_PEER (on by default) or VERIFY_NONE. If VERIFY_PEER is on and the validation fails, then an error code is returned, usually a date problem or no CA certificate to verify the chain.
I know it's normal to allow users the option to use SSL w/o any verification but I'd try to avoid it if you can since you are basically giving up any guarantee of security at that point and might as well be using http.
I'll reply to this post when I've added the callback and better chain inspection.