
WOLFSSL_SYS_CA_CERTS incorrectly disabled when WOLFSSL_FILESYSTEM=OFF

Open redbaron opened this issue 1 year ago • 2 comments

Version

5.7.4

Description

When compiling with:

cmake -DWOLFSSL_SYS_CA_CERTS=ON -DWOLFSSL_FILESYSTEM=OFF

it incorrectly disables the SYS_CA feature even on platforms where system CA certs are accessed without invoking any file API (Apple and Windows).

redbaron, Nov 06 '24 14:11

Hi redbaron,

It looks like we are tying NO_FILESYSTEM to WOLFSSL_SYS_CA_CERTS specifically for wolfSSL_CTX_set_default_verify_paths, which does require a filesystem. But it looks like the other system CA cert APIs could still work without a filesystem, I will continue looking into this to confirm. Can you elaborate on your use case? Are you building for a Windows/Apple system that has no filesystem, or are you just wanting to disable our filesystem support despite having a filesystem?

kareem-wolfssl, Nov 07 '24 00:11

Yes, we build wolfSSL on platforms where there is no direct filesystem access, but would like to build it with similar flags across all of them, because no FS access features are required.

There is wolfSSL_CTX_load_system_CA_certs, which would be good to have working on platforms where it can work without changing wolfSSL configuration options, so that we build it the same across all platforms we use it on. Currently this function is disabled if the filesystem feature is disabled. That function is not just quality of life; it is essential on platforms like iOS, where it enables cert validation using the system crypto framework. That validation doesn't use the filesystem and therefore shouldn't depend on it.

redbaron, Nov 07 '24 10:11
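The practical risk in this thread is that the SYS_CA feature is dropped silently at configure time, so a build that was meant to validate peers against the platform trust store may ship without that code and nobody notices until a connection check fails (or, worse, is skipped). The script below is an added example, not code from the wolfSSL project or from anyone in this thread: it inspects a wolfSSL-generated wolfssl/options.h, which the build writes with one "#define NAME" line per enabled feature, and reports whether WOLFSSL_SYS_CA_CERTS survived, distinguishing the case where NO_FILESYSTEM is present and the SYS_CA define is missing (the behaviour reported above). The define names are the ones discussed in the thread; the verdict labels, the helper names and the two sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from wolfSSL or this thread): check whether system CA
# cert support survived a wolfSSL configure step by reading the generated
# wolfssl/options.h. Assumes that header lists one "#define NAME" per
# enabled feature, using the define names discussed in the issue:
#   WOLFSSL_SYS_CA_CERTS  system CA cert support (feature under discussion)
#   NO_FILESYSTEM         emitted when configured with WOLFSSL_FILESYSTEM=OFF

# has_define FILE NAME: succeed if FILE contains a "#define NAME" line.
# The trailing group rejects prefix matches such as NAME_EXTRA.
has_define() {
    grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+$2([[:space:]]|$)" "$1"
}

# sys_ca_status FILE: print a one-word verdict (labels are this example's own).
#   enabled        WOLFSSL_SYS_CA_CERTS is defined
#   dropped-no-fs  NO_FILESYSTEM is defined but WOLFSSL_SYS_CA_CERTS is not,
#                  i.e. the silent disable reported in this issue
#   disabled       neither define is present
sys_ca_status() {
    if has_define "$1" WOLFSSL_SYS_CA_CERTS; then
        echo enabled
    elif has_define "$1" NO_FILESYSTEM; then
        echo dropped-no-fs
    else
        echo disabled
    fi
}

# Constructed sample headers standing in for two real configure results.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/with_fs.h" <<'EOF'
/* constructed sample: cmake -DWOLFSSL_SYS_CA_CERTS=ON */
#define WOLFSSL_SYS_CA_CERTS
#define WOLFSSL_TLS13
EOF
cat > "$SAMPLE_DIR/no_fs.h" <<'EOF'
/* constructed sample: cmake -DWOLFSSL_SYS_CA_CERTS=ON -DWOLFSSL_FILESYSTEM=OFF */
#define NO_FILESYSTEM
#define WOLFSSL_TLS13
EOF

# Usage on a real build: sys_ca_status path/to/build/wolfssl/options.h
for h in with_fs no_fs; do
    printf '%s: %s\n' "$h" "$(sys_ca_status "$SAMPLE_DIR/$h.h")"
done
```

Run this against the options.h produced by the configure line from the issue; a "dropped-no-fs" verdict on a build whose platform does not need a filesystem for system CA access is the condition redbaron describes, and it is worth failing the build on rather than discovering at runtime that wolfSSL_CTX_load_system_CA_certs was compiled out.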