wolfSSL / wolfssl

The wolfSSL library is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud. wolfSSL supports up to TLS 1.3 and DTLS 1.3!

Home Page: https://www.wolfssl.com


[Suggestion] Consider defaulting WOLFSSL_ALT_CERT_CHAINS to ON ( Failed to verify CA from chain error )

RipleyTom opened this issue · comments

Version

v5.6.6

Description

Recently Cloudflare changed their certificates (https://blog.cloudflare.com/upcoming-lets-encrypt-certificate-chain-change-and-impact-for-cloudflare-customers). This resulted in:

E NET: WOLFSSL: 1 : No CA signer to verify with
E NET: WOLFSSL: 1 : Failed to verify CA from chain
E NET: WOLFSSL: 0 : wolfSSL error occurred, error = -188
E NET: WOLFSSL: 2 : wolfSSL Entering SendAlert
E NET: WOLFSSL: 1 : SendAlert: 48 unknown_ca

The default certificate chain fails on "ISRG Root X1" referencing the old DST X3 certificate, which is not in modern trust stores and is not in the chain (Cloudflare does this for backward compatibility with older devices that have the DST X3 certificate in their trust store).

Enabling WOLFSSL_ALT_CERT_CHAINS fixes this, as other chains are valid.
It took me a while to figure out, and I thought it would both be useful to post here in case anyone else has the issue and to suggest setting it to ON by default, as Cloudflare is a bit too big to have an SSL library fail with the default config to connect to it?
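The failure mode above comes down to how the presented chain is walked. The following C program is an added illustration, not code from the original issue or from wolfSSL: it reduces a certificate to its subject and issuer names and treats a "signature check" as a lookup of the issuer in the trust store, which is an assumption that stands in for real X.509 signature verification. The certificate names are the ones the issue mentions, the error code is the -188 from the log, and the two policies modelled are the default (every CA certificate the server sends must verify) and the alternate-chain behaviour (an unverifiable CA certificate is skipped as long as the leaf still chains to a trusted anchor). The chain walk is top-down, from the last certificate sent to the leaf, which is the order the log's "Failed to verify CA from chain" message implies.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption, not wolfSSL's data structures): a certificate
 * is just its subject and issuer; the signature "verifies" when the issuer's
 * name is present in the trusted store. */
typedef struct {
    const char *subject;
    const char *issuer;
} cert_t;

#define ASN_NO_SIGNER_E (-188)   /* the error code seen in the wolfSSL log above */
#define MAX_STORE 16

typedef struct {
    const char *subjects[MAX_STORE];
    int count;
} store_t;

static int store_contains(const store_t *s, const char *name) {
    for (int i = 0; i < s->count; i++)
        if (strcmp(s->subjects[i], name) == 0) return 1;
    return 0;
}

static void store_add(store_t *s, const char *name) {
    if (s->count < MAX_STORE && !store_contains(s, name))
        s->subjects[s->count++] = name;
}

/* Walk the presented chain from the top-most CA certificate down to the leaf.
 * chain[0] is the leaf.  `trusted` is copied so the caller's store is untouched;
 * intermediates that verify are added to the working copy so they can sign the
 * certificates below them.  Returns 0 on success or ASN_NO_SIGNER_E. */
int verify_chain(const cert_t *chain, int n, const store_t *trusted, int alt_chains) {
    store_t store = *trusted;
    for (int i = n - 1; i >= 1; i--) {             /* CA certificates, top first */
        if (store_contains(&store, chain[i].issuer)) {
            store_add(&store, chain[i].subject);   /* verified: usable as a signer now */
        } else if (!alt_chains) {
            return ASN_NO_SIGNER_E;                 /* default: every presented CA must verify */
        }
        /* alt chains: the unverifiable CA certificate is skipped, not trusted */
    }
    /* In both policies the leaf itself must chain to something trusted. */
    return store_contains(&store, chain[0].issuer) ? 0 : ASN_NO_SIGNER_E;
}

/* Constructed chains (names only; nothing is parsed or signed). */
static const cert_t cloudflare_chain[] = {
    { "example.com (leaf)", "R3" },
    { "R3",                 "ISRG Root X1" },
    { "ISRG Root X1",       "DST Root CA X3" },   /* cross-signed root that trips the default policy */
};

/* A chain that must fail under either policy: the leaf never reaches a trusted anchor. */
static const cert_t rogue_chain[] = {
    { "victim.example (leaf)", "Unknown CA" },
    { "Unknown CA",            "Nobody" },
};

static const store_t modern_store = { { "ISRG Root X1" }, 1 };    /* ISRG Root X1 only */
static const store_t legacy_store = { { "DST Root CA X3" }, 1 };  /* old device: DST Root CA X3 only */

int main(void) {
    int n = (int)(sizeof cloudflare_chain / sizeof cloudflare_chain[0]);
    printf("default policy, modern store: %d\n", verify_chain(cloudflare_chain, n, &modern_store, 0)); /* -188 */
    printf("alt chains,     modern store: %d\n", verify_chain(cloudflare_chain, n, &modern_store, 1)); /* 0 */
    printf("default policy, legacy store: %d\n", verify_chain(cloudflare_chain, n, &legacy_store, 0)); /* 0 */
    printf("alt chains,     rogue chain:  %d\n", verify_chain(rogue_chain, 2, &modern_store, 1));      /* -188 */
    return 0;
}
```

The second and fourth results are the ones worth keeping in mind: the alternate-chain policy rescues the Cloudflare chain because R3 verifies against the ISRG Root X1 already in the store, but it still rejects a chain whose leaf does not reach a trusted anchor. What it gives up is the guarantee that every certificate the server sent was itself verified, which is why a library may reasonably leave it off by default and why the maintainer's reply below weighs the memory cost of enabling it.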

Thank you for the suggestion. We are doing this. See #7317

Hi @RipleyTom ,

Please see the final comment in #7317 . Unfortunately, I've abandoned the effort due to memory requirement side effects. Of course this issue will remain in our issues log so people might be able to find it and learn your solution.

I will now close this issue.

Warm regards, Anthony