Currently wolfSSL doesn't validate any certificates, quoting from README: wolfSSL takes a different approach to certificate verification than OpenSSL does. The default policy for the client is to verify the server, this means that if you don't load CAs to verify the server you'll get a connect error, no signer error to confirm failure (-188).
If you want to mimic OpenSSL behavior of having SSL_connect succeed even if verifying the server fails and reducing security you can do this by calling: wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0); before calling wolfSSL_new();. Though it's not recommended. wolfSSL simply behaves differently then OpenSSL so once you set SSL_VERIFY_NONE wolfSSL doesn't care about the certificates anymore so every call to SSL_get_verify_result() is going to succeed (returns X509_V_OK) even for invalid certificates and current OpenSSL based post connection verification logic thus doesn't work. So in order to get the validation working we need to use SSL_VERIFY_PEER for wolfSSL by default and allow disabling it explicitly by new `context_set_require_validation()` call. Fixes: FS#3465 Signed-off-by: Petr Štetiar <[email protected]> --- uclient-fetch.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/uclient-fetch.c b/uclient-fetch.c index bbf5eec58d71..958f75618194 100644 --- a/uclient-fetch.c +++ b/uclient-fetch.c @@ -591,6 +591,8 @@ int main(int argc, char **argv) switch (longopt_idx) { case L_NO_CHECK_CERTIFICATE: verify = false; + if (ssl_ctx) + ssl_ops->context_set_require_validation(ssl_ctx, verify); break; case L_CA_CERTIFICATE: has_cert = true; _______________________________________________ openwrt-devel mailing list [email protected] https://lists.openwrt.org/mailman/listinfo/openwrt-devel
