Arm Mbed OS support forum

mbedTLS Certificate Chain Verification

I need help trying to use/configure mbedTLS for the following scenario:

I have two certificate chains: Root1 → Intermediate1 → End1 and Root2 → Intermediate2 → End2.

I have combined the PEM certificates for Root1, Intermediate1, Root2, and Intermediate2 into a single buffer and was able to successfully parse them using mbedtls_x509_crt_parse (and verified the contents using mbedtls_x509_crt_info for each certificate in the chain). I then call mbedtls_ssl_conf_ca_chain to use the certificate chain.

I also call mbedtls_ssl_conf_verify to specify a custom certificate verification function.

When I initiate a TLS handshake with my test server, the server sends back its certificate (either End1 or End2 depending on which one I use for the test). Overall the TLS handshake completes successfully whether I use the End1 or End2 certificate. It seems, however, that mbedTLS is only verifying a chain consisting of either Intermediate1 and End1 or Intermediate2 and End2. It never attempts to verify Root1 or Root2. I know this because inside of my custom certificate verification function I again use mbedtls_x509_crt_info to display the certificate. The overall result is good, but I need to be able to verify the full certificate chain.

To further verify that Root1 and Root2 are never used, I repeated my setup from above with Root1 and Root2 removed from the certificate buffer (i.e. only Intermediate1 and Intermediate2 are added to the certificate chain). When I execute a TLS handshake I get the same result as before: the handshake is successful whether I use End1 or End2.

My question is what do I need to do to make mbedTLS verify the full certificate chain (root, intermediate, and end) instead of just the intermediate and end certificates?

Any suggestions/information/help would be greatly appreciated.

Thanks in advance
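
The behaviour reported above matches how mbedTLS treats the list given to mbedtls_ssl_conf_ca_chain: every certificate in it is a trust anchor, so path building ends at the first trusted certificate that issued something in the peer's chain. The C model below is an added example, not part of the original post and not mbedTLS code; cert_t, build_path and the sample arrays are hypothetical, and signature checking is reduced to issuer-name matching.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for a certificate: names only, no keys or signatures. */
typedef struct { const char *subject; const char *issuer; } cert_t;

static const cert_t *find_subject(const cert_t *list, size_t n, const char *name) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(list[i].subject, name) == 0) return &list[i];
    return NULL;
}

/* Walk from the leaf (sent[0]) towards an anchor. The trusted list is searched
 * before the peer-supplied certificates and the walk ends at the first trusted
 * issuer, self-signed or not. Returns the number of certificates visited,
 * anchor included, or -1 if no anchor is reached; subjects go into path[]. */
int build_path(const cert_t *trusted, size_t n_trusted, const cert_t *sent,
               size_t n_sent, const char **path, size_t max_path) {
    const cert_t *cur = sent;
    int len = 0;
    for (size_t step = 0; step < n_sent && (size_t)len + 2 <= max_path; step++) {
        path[len++] = cur->subject;
        const cert_t *anchor = find_subject(trusted, n_trusted, cur->issuer);
        if (anchor != NULL) { path[len++] = anchor->subject; return len; }
        cur = find_subject(sent, n_sent, cur->issuer);
        if (cur == NULL) return -1;   /* issuer neither trusted nor sent */
    }
    return -1;
}

/* Constructed sample data using the names from the post. */
static const cert_t POSTED_CAS[] = { {"Root1", "Root1"}, {"Intermediate1", "Root1"},
                                     {"Root2", "Root2"}, {"Intermediate2", "Root2"} };
static const cert_t ROOTS_ONLY[] = { {"Root1", "Root1"}, {"Root2", "Root2"} };
static const cert_t LEAF_ONLY[] = { {"End1", "Intermediate1"} };
static const cert_t LEAF_AND_INT[] = { {"End1", "Intermediate1"}, {"Intermediate1", "Root1"} };
static void show(const char *label, const cert_t *ta, size_t nta, const cert_t *s, size_t ns) {
    const char *path[4];
    int n = build_path(ta, nta, s, ns, path, 4);
    printf("%-40s:", label);
    for (int i = 0; i < n; i++) printf(" %s", path[i]);
    puts(n < 0 ? " no trusted path" : "");
}

int main(void) {
    show("roots+intermediates trusted, leaf sent", POSTED_CAS, 4, LEAF_ONLY, 1);
    show("roots trusted, leaf sent", ROOTS_ONLY, 2, LEAF_ONLY, 1);
    show("roots trusted, leaf+intermediate sent", ROOTS_ONLY, 2, LEAF_AND_INT, 2);
    return 0;
}
```

With only Root1 and Root2 configured as trusted, the server has to send Intermediate1 or Intermediate2 in its handshake for the path to reach a root.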