Open redbaron opened 2 weeks ago
Hi redbaron,
It looks like we are tying NO_FILESYSTEM to WOLFSSL_SYS_CA_CERTS specifically for wolfSSL_CTX_set_default_verify_paths, which does require a filesystem. But it looks like the other system CA cert APIs could still work without a filesystem; I will continue looking into this to confirm. Can you elaborate on your use case? Are you building for a Windows/Apple system that has no filesystem, or are you just wanting to disable our filesystem support despite having a filesystem?
Yes, we build wolfSSL on platforms where there is no direct filesystem access, but would like to build it with similar flags across all of them, because no FS access features are required.
There is a wolfSSL_CTX_load_system_CA_certs which would be good to have working on platforms where it can work without changing wolfSSL configuration options, so that we build it the same across all platforms we use it on. Currently this function is disabled if the filesystem feature is disabled. That function is not just quality of life, it is essential on platforms like iOS where it enables cert validation using the system crypto framework. That validation doesn't use the filesystem and therefore shouldn't depend on it.
Version
5.7.4
Description
When compiling with:
cmake -DWOLFSSL_SYS_CA_CERTS=ON -DWOLFSSL_FILESYSTEM=OFF
it incorrectly disables the SYS_CA feature even on platforms where system CAs are accessed without invoking any file API (Apple and Windows).