EDIT: we found the HTTPS server uses SNI (Server Name Indication), i.e., it has several certificates for the same IP. However, Sierra’s security API doesn’t provide any parameter to specify the server name, does it?
We are trying to connect with two HTTPS servers, namely S1 and S2. To do so, we call wip_SSLInitOpts() with the root CA certificate (WIP_COPT_CERT_AUTHORITY).
We get the CA certificates of S1 and S2 by exporting them with a browser.
The connection with S1 is successfully established but the connection with S2 is not (X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN).
After capturing the SSL data with Wireshark we can see the following:
- Server S1 sends the complete certificate chain: server, intermediate and root certificate.
- Server S2 sends only the server and intermediate certificates.
The root certificate the browser uses in the second case is the one stored in its database (built-in object token).
According to the standard, the server doesn’t have to send the root certificate. Is there any limitation with Sierra’s security library in that case?
Any ideas will be welcome.
Modem Firmware: 201306260837
Internet library Package: 184.108.40.206305170830
Security Library Package: 220.127.116.11306261000