WOLFSSL_SYS_CA_CERTS incorrectly disabled when WOLFSSL_FILESYSTEM=OFF #8152

Open
redbaron opened this issue Nov 6, 2024 · 2 comments
@redbaron
Contributor

redbaron commented Nov 6, 2024

Version

5.7.4

Description

When compiling with:

cmake -DWOLFSSL_SYS_CA_CERTS=ON -DWOLFSSL_FILESYSTEM=OFF

it incorrectly disables the SYS_CA feature even on platforms where system CAs are accessed without invoking any file API (Apple and Windows).

@kareem-wolfssl
Contributor

Hi redbaron,

It looks like we are tying NO_FILESYSTEM to WOLFSSL_SYS_CA_CERTS specifically for wolfSSL_CTX_set_default_verify_paths, which does require a filesystem. But it looks like the other system CA cert APIs could still work without a filesystem; I will continue looking into this to confirm.
Can you elaborate on your use case? Are you building for a Windows/Apple system that has no filesystem, or are you just wanting to disable our filesystem support despite having a filesystem?

@redbaron
Contributor Author

redbaron commented Nov 7, 2024

Yes, we build wolfSSL on platforms where there is no direct filesystem access, but would like to build it with similar flags across all of them, because no FS access features are required.

There is a wolfSSL_CTX_load_system_CA_certs which would be good to have working on platforms where it can work without changing wolfSSL configuration options, so that we build it the same across all platforms we use it on. Currently this function is disabled if the filesystem feature is disabled. That function is not just quality of life; it is essential on platforms like iOS, where it enables cert validation using the system crypto framework. That validation doesn't use the filesystem and therefore shouldn't depend on it.
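
A consumer-side check for the behaviour reported in this issue, as an added example that is not part of the thread or of wolfSSL's own code: it inspects a generated options header and flags a build in which WOLFSSL_SYS_CA_CERTS is absent while NO_FILESYSTEM is set. It assumes the build records enabled features as `#define` lines in that header; the function names and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: the generated options header lists enabled
# features as "#define NAME" lines, optionally preceded by "#undef NAME".

# macro_defined FILE NAME: succeeds if the last #define/#undef of NAME is a #define.
macro_defined() {
    awk -v name="$2" '
        $1 == "#define" && $2 == name { state = 1 }
        $1 == "#undef"  && $2 == name { state = 0 }
        END { exit(state ? 0 : 1) }
    ' "$1"
}

# audit_sys_ca FILE: prints a verdict and returns
#   0  WOLFSSL_SYS_CA_CERTS is compiled in
#   1  it is absent and NO_FILESYSTEM is set (the case reported in this issue)
#   2  it is absent for some other reason (for example, never requested)
#   3  the header cannot be read
audit_sys_ca() {
    [ -r "$1" ] || { echo "error: cannot read $1" >&2; return 3; }
    if macro_defined "$1" WOLFSSL_SYS_CA_CERTS; then
        echo "ok: WOLFSSL_SYS_CA_CERTS is defined"
        return 0
    fi
    if macro_defined "$1" NO_FILESYSTEM; then
        echo "fail: WOLFSSL_SYS_CA_CERTS dropped while NO_FILESYSTEM is set"
        return 1
    fi
    echo "fail: WOLFSSL_SYS_CA_CERTS is not defined"
    return 2
}

# write_samples DIR: constructed headers, not taken from a real build.
write_samples() {
    printf '%s\n' '#undef  NO_FILESYSTEM' '#define NO_FILESYSTEM' \
        '#undef  WOLFSSL_SYS_CA_CERTS' '#define WOLFSSL_SYS_CA_CERTS' > "$1/kept.h"
    printf '%s\n' '#undef  NO_FILESYSTEM' '#define NO_FILESYSTEM' > "$1/dropped.h"
}

# With an argument, audit that header; otherwise run on the constructed samples.
if [ "$#" -gt 0 ]; then
    audit_sys_ca "$1"
else
    demo=$(mktemp -d) && write_samples "$demo"
    audit_sys_ca "$demo/kept.h" || true
    audit_sys_ca "$demo/dropped.h" || true
    rm -rf "$demo"
fi
```

Run as a post-configure step, a return code of 1 turns the silent loss of system CA loading into a build failure instead of a certificate-validation surprise at runtime.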
