CA certificate issues - X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN

Hi all,

EDIT: we found that the HTTPS server uses SNI (Server Name Indication), i.e., it has several certificates for the same IP. However, Sierra's security API doesn't provide any parameter to specify the server name, does it?

We are trying to connect with two HTTPS servers, namely S1 and S2. To do so, we call wip_SSLInitOpts() with the root CA certificate (WIP_COPT_CERT_AUTHORITY).

We get the CA certificates of S1 and S2 by exporting them with a browser.

The connection with S1 is successfully established, but the connection with S2 is not (X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN).

After capturing the SSL data with Wireshark we can see the following:

  • Server S1 sends the complete certificate chain: server, intermediate and root certificate.
  • Server S2 sends only the server and intermediate certificates.

The root certificate the browser uses in the second case is the one stored in its database (built-in object token).

According to the standard, the server doesn’t have to send the root certificate. Is there any limitation with the Sierra’s security library in that case?

Any ideas will be welcome.

Our HW:

Q268X (Q2687RD)

Our SW:

Bootloader: V10c05
Modem Firmware: 201306260837
Firmware: 7.52.0.201404040850
Internet Library Package: 5.56.0.201305170830
Security Library Package: 2.2.0.201306261000

Thank you,

Hi,
As far as I know Sierra SSL library supports only one SSL socket at a time.

-Alex

Hi,

thanks for your reply.

I’ve implemented the HTTPS client (not the server), so I only need one socket.

I’ve done several tests with OpenSSL. I’ve successfully connected to the server via the following command:

openssl s_client -connect server:port -CAfile CAfile -servername server

The parameter "servername" activates the SNI extension and includes the server name in the Client-Hello packet. Then the server knows which certificate it has to send. Please see the Wireshark capture at the end of the post.

I’d need an analog way to do this with the wip_ssl library.

Thanks.