1 (edited by rpzrpzrpz 2012-11-16 08:45:29)

Topic: Dynamic Certs Validation Skipping

ChrisC - You ROCK!  Thanks for the SUPER FAST reply from my earlier post.

I was able to have the client verify the server using the CA crt files.

This situation is where there are valid signed certificates on HTTPS servers on the internet and I want to validate them on the client.

Is there any way to have the clients automatically download CA certs or would this be inherently non secure?  (Web browsers, SSH, etc, all seem to be able to download a cert as long as you accept the MD5 fingerprint)

wolfSSL_CTX_load_verify_locations( ) is for CA certificate file loading for client validation of server certificates.

Which call is the equivalent to this call for memory buffers instead of file based CA cert?

Thanks for any reply,

md


Re: Dynamic Certs Validation Skipping

Hi md,

Is there any way to have the clients automatically download CA certs or would this be inherently non secure?  (Web browsers, SSH, etc, all seem to be able to download a cert as long as you accept the MD5 fingerprint)

You may be able to do this, yes - but it would need to be done in your application code.  CyaSSL doesn't currently provide a way to download CA certificates of specified HTTPS servers.  You are able to pass a directory path into the wolfSSL_CTX_load_verify_locations() function, where wolfSSL embedded SSL would then load all certificates in the directory as trusted root certificates.

Which call is the equivalent to this call for memory buffers instead of file based CA cert?

The equivalent call for loading from memory buffers is wolfSSL_CTX_load_verify_buffer(), referenced here: http://yassl.com/yaSSL/Docs-cyassl-manu … rence.html

Best Regards,
Chris