0

Brief description of the problem.

When using the libwebsockets library, when multiple CA root certificates are passed using client_ssl_ca_mem, the order of the CA root certificates affects the certificate verification process and may result in certificate validation failure.

Code

    struct lws_context_creation_info info;
    info.client_ssl_ca_mem     = m_credentials.server_certificate_ca.c_str();
    info.client_ssl_ca_mem_len = static_cast<unsigned int>(m_credentials.server_certificate_ca.size());

Problem analysis

Through logging and analysis, I have obtained the following data:

1.This is the PEM format certificate issued by the server.
-----BEGIN CERTIFICATE-----MIIBxTCCAWugAwIBAgIBBTAKBggqhkjOPQQDAjBIMRUwEwYDVQQDDAxSb290IENBIEVEU0ExDDAKBgNVBAoMA09DQTELMAkGA1UEBhMCTkwxFDASBgoJkiaJk/IsZAEZFgRPQ1RUMB4XDTIwMDIxMjE4MTAyOFoXDTQ4MTAwMjE4MTAyOFowTzEWMBQGA1UEAwwNMTkyLjE2OC4xMC4xMDEMMAoGA1UECgwDT0NBMQswCQYDVQQGEwJOTDEaMBgGCgmSJomT8ixkARkWCk9DVFQgRUNEU0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQPK+gU59XLmjCdNHMvNlJAAJ5cHpQs3ZpRxI3h62JjYu+f6sQwZyPpd20lBkHVDbqQKYtXwLRuTONEkhd5qlBVoz8wPTAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDAdBgNVHQ4EFgQUbKQHUk0DDfGrluzg5YbxKAwnopMwCgYIKoZIzj0EAwIDSAAwRQIhAJk26856LaJP2hR05vywOFIZP/9zwniwjATAQQBs9eIJAiA/eYWVnPUvdubvcYjUqZM+qItPSRFfcOZQjHV5xCLLeg==-----END CERTIFICATE-----

2.I have 2 CA certificates stored locally.

2.1 This is the first CA certificate, referred to as CA1 (this is the root CA certificate that matches the issued certificate).

 -----BEGIN CERTIFICATE-----MIIBwzCCAWmgAwIBAgIBBDAKBggqhkjOPQQDAjBIMRUwEwYDVQQDDAxSb290IENBIEVEU0ExDDAKBgNVBAoMA09DQTELMAkGA1UEBhMCTkwxFDASBgoJkiaJk/IsZAEZFgRPQ1RUMCAXDTIwMDIxMjE4MTAyOFoYDzIwNjAwMjAyMTgxMDI4WjBIMRUwEwYDVQQDDAxSb290IENBIEVEU0ExDDAKBgNVBAoMA09DQTELMAkGA1UEBhMCTkwxFDASBgoJkiaJk/IsZAEZFgRPQ1RUMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE29HrM7bR+VZ+jY9Z7IgLKJw7/A3OQWGY5B05wEO2V1V3Z3VrZINHADdOz7BNc/5ZyCTBW/OgFDvXym1/gV/NY6NCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFC6gycssqInCC/9PJY9F43M7B224MAoGCCqGSM49BAMCA0gAMEUCIAK3aLaF12sAkvQCluO835VbXGDuWZQWYBgZOtkiHb1NAiEAvmmT8us14HWNiLgObzzsqf7crpqXctWBDkvN2e5WeBU=-----END CERTIFICATE-----

2.2 This is the second CA certificate, referred to as CA2.

-----BEGIN CERTIFICATE-----MIIDTTCCAjWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBHMRQwEgYDVQQDDAtSb290IENBIFJTQTEMMAoGA1UECgwDT0NBMQswCQYDVQQGEwJOTDEUMBIGCgmSJomT8ixkARkWBE9DVFQwIBcNMjAwMjEyMTgxMDI3WhgPMjA2MDAyMDIxODEwMjdaMEcxFDASBgNVBAMMC1Jvb3QgQ0EgUlNBMQwwCgYDVQQKDANPQ0ExCzAJBgNVBAYTAk5MMRQwEgYKCZImiZPyLGQBGRYET0NUVDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ0gKwiY8Yj5T+SwZCQB3evp2y65BoVdBlnL91FzpuZ1LP9i0C4dQVcjN59Wd3lDskb9njjm41ds57zAUEesMwomFy+DfXd2zDSoBpmFCJuoW3bD+8xN1ISfrEI0vQPTMRtyfaue1CYo55+4Fkv0zLEbjSOx3Sl+9ciwQ4i/x6hDjclu5JXx9Bom/oR2+xlHZEfpGogyDvQB3al+GsOCOk9Y7kA8EaVDPLeeI+CJdOS4syoZdyEiA6cO+kAH0tE+Rl5Pqf3wabuO1ebTLenswa7xLrUGQ9rURmXTJQ2+23c3YsXOGgMZ5M7H2R2isOt2S62t28aVs62+PwQrqh/X4vkCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFNSqKyVEMyNJoqivS0wO565HVoOiMA0GCSqGSIb3DQEBCwUAA4IBAQAtxUSnf+pb+dgLPAtLgoMLsc+CgvoeEpHF1aLWNgccVSC2L0frxtpERl3xjxE9ttc+3mE6KA2UQFhf4Md4vCPf60GZw44rFl1Rj9PwrLA9c2AtLjcDkthhmZylgEjorzyox3wVW5pbOWRP38lDz9gpqJCzTYmmm+9skNS09/gqM5lYhAqBjKjLiyKylwKWdw9EOkUxnSlg4aicn83+1cdD0iNM+z6lIP5cxvQu2/f68KJ9JkTofQzdyPH4l/JvuSwmXnfWR3O8JTJjAq8Z5XoqduJXhEB73Xvamdah1PB0BJHAh45odouHCmtG6TqRUgoFVNZDLdNurVXXzn5cnL+t-----END CERTIFICATE-----

3.If I pass the above two CA certificates through client_ssl_ca_mem:

3.1 By concatenating "CA1CA2", the verification can be successful.

-----BEGIN CERTIFICATE-----\nMIIBwzCCAWmgAwIBAgIBBDAKBggqhkjOPQQDAjBIMRUwEwYDVQQDDAxSb290IENB\nIEVEU0ExDDAKBgNVBAoMA09DQTELMAkGA1UEBhMCTkwxFDASBgoJkiaJk/IsZAEZ\nFgRPQ1RUMCAXDTIwMDIxMjE4MTAyOFoYDzIwNjAwMjAyMTgxMDI4WjBIMRUwEwYD\nVQQDDAxSb290IENBIEVEU0ExDDAKBgNVBAoMA09DQTELMAkGA1UEBhMCTkwxFDAS\nBgoJkiaJk/IsZAEZFgRPQ1RUMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE29Hr\nM7bR+VZ+jY9Z7IgLKJw7/A3OQWGY5B05wEO2V1V3Z3VrZINHADdOz7BNc/5ZyCTB\nW/OgFDvXym1/gV/NY6NCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\nAQYwHQYDVR0OBBYEFC6gycssqInCC/9PJY9F43M7B224MAoGCCqGSM49BAMCA0gA\nMEUCIAK3aLaF12sAkvQCluO835VbXGDuWZQWYBgZOtkiHb1NAiEAvmmT8us14HWN\niLgObzzsqf7crpqXctWBDkvN2e5WeBU=\n-----END CERTIFICATE-----\n\n-----BEGIN CERTIFICATE-----\nMIIDTTCCAjWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBHMRQwEgYDVQQDDAtSb290\nIENBIFJTQTEMMAoGA1UECgwDT0NBMQswCQYDVQQGEwJOTDEUMBIGCgmSJomT8ixk\nARkWBE9DVFQwIBcNMjAwMjEyMTgxMDI3WhgPMjA2MDAyMDIxODEwMjdaMEcxFDAS\nBgNVBAMMC1Jvb3QgQ0EgUlNBMQwwCgYDVQQKDANPQ0ExCzAJBgNVBAYTAk5MMRQw\nEgYKCZImiZPyLGQBGRYET0NUVDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC\nggEBAJ0gKwiY8Yj5T+SwZCQB3evp2y65BoVdBlnL91FzpuZ1LP9i0C4dQVcjN59W\nd3lDskb9njjm41ds57zAUEesMwomFy+DfXd2zDSoBpmFCJuoW3bD+8xN1ISfrEI0\nvQPTMRtyfaue1CYo55+4Fkv0zLEbjSOx3Sl+9ciwQ4i/x6hDjclu5JXx9Bom/oR2\n+xlHZEfpGogyDvQB3al+GsOCOk9Y7kA8EaVDPLeeI+CJdOS4syoZdyEiA6cO+kAH\n0tE+Rl5Pqf3wabuO1ebTLenswa7xLrUGQ9rURmXTJQ2+23c3YsXOGgMZ5M7H2R2i\nsOt2S62t28aVs62+PwQrqh/X4vkCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAO\nBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFNSqKyVEMyNJoqivS0wO565HVoOiMA0G\nCSqGSIb3DQEBCwUAA4IBAQAtxUSnf+pb+dgLPAtLgoMLsc+CgvoeEpHF1aLWNgcc\nVSC2L0frxtpERl3xjxE9ttc+3mE6KA2UQFhf4Md4vCPf60GZw44rFl1Rj9PwrLA9\nc2AtLjcDkthhmZylgEjorzyox3wVW5pbOWRP38lDz9gpqJCzTYmmm+9skNS09/gq\nM5lYhAqBjKjLiyKylwKWdw9EOkUxnSlg4aicn83+1cdD0iNM+z6lIP5cxvQu2/f6\n8KJ9JkTofQzdyPH4l/JvuSwmXnfWR3O8JTJjAq8Z5XoqduJXhEB73Xvamdah1PB0\nBJHAh45odouHCmtG6TqRUgoFVNZDLdNurVXXzn5cnL+t\n-----END CERTIFICATE-----\n\n

3.2 By concatenating "CA2CA1", the verification will fail.

-----BEGIN CERTIFICATE-----\nMIIDTTCCAjWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBHMRQwEgYDVQQDDAtSb290\nIENBIFJTQTEMMAoGA1UECgwDT0NBMQswCQYDVQQGEwJOTDEUMBIGCgmSJomT8ixk\nARkWBE9DVFQwIBcNMjAwMjEyMTgxMDI3WhgPMjA2MDAyMDIxODEwMjdaMEcxFDAS\nBgNVBAMMC1Jvb3QgQ0EgUlNBMQwwCgYDVQQKDANPQ0ExCzAJBgNVBAYTAk5MMRQw\nEgYKCZImiZPyLGQBGRYET0NUVDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC\nggEBAJ0gKwiY8Yj5T+SwZCQB3evp2y65BoVdBlnL91FzpuZ1LP9i0C4dQVcjN59W\nd3lDskb9njjm41ds57zAUEesMwomFy+DfXd2zDSoBpmFCJuoW3bD+8xN1ISfrEI0\nvQPTMRtyfaue1CYo55+4Fkv0zLEbjSOx3Sl+9ciwQ4i/x6hDjclu5JXx9Bom/oR2\n+xlHZEfpGogyDvQB3al+GsOCOk9Y7kA8EaVDPLeeI+CJdOS4syoZdyEiA6cO+kAH\n0tE+Rl5Pqf3wabuO1ebTLenswa7xLrUGQ9rURmXTJQ2+23c3YsXOGgMZ5M7H2R2i\nsOt2S62t28aVs62+PwQrqh/X4vkCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAO\nBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFNSqKyVEMyNJoqivS0wO565HVoOiMA0G\nCSqGSIb3DQEBCwUAA4IBAQAtxUSnf+pb+dgLPAtLgoMLsc+CgvoeEpHF1aLWNgcc\nVSC2L0frxtpERl3xjxE9ttc+3mE6KA2UQFhf4Md4vCPf60GZw44rFl1Rj9PwrLA9\nc2AtLjcDkthhmZylgEjorzyox3wVW5pbOWRP38lDz9gpqJCzTYmmm+9skNS09/gq\nM5lYhAqBjKjLiyKylwKWdw9EOkUxnSlg4aicn83+1cdD0iNM+z6lIP5cxvQu2/f6\n8KJ9JkTofQzdyPH4l/JvuSwmXnfWR3O8JTJjAq8Z5XoqduJXhEB73Xvamdah1PB0\nBJHAh45odouHCmtG6TqRUgoFVNZDLdNurVXXzn5cnL+t\n-----END CERTIFICATE-----\n\n-----BEGIN CERTIFICATE-----\nMIIBwzCCAWmgAwIBAgIBBDAKBggqhkjOPQQDAjBIMRUwEwYDVQQDDAxSb290IENB\nIEVEU0ExDDAKBgNVBAoMA09DQTELMAkGA1UEBhMCTkwxFDASBgoJkiaJk/IsZAEZ\nFgRPQ1RUMCAXDTIwMDIxMjE4MTAyOFoYDzIwNjAwMjAyMTgxMDI4WjBIMRUwEwYD\nVQQDDAxSb290IENBIEVEU0ExDDAKBgNVBAoMA09DQTELMAkGA1UEBhMCTkwxFDAS\nBgoJkiaJk/IsZAEZFgRPQ1RUMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE29Hr\nM7bR+VZ+jY9Z7IgLKJw7/A3OQWGY5B05wEO2V1V3Z3VrZINHADdOz7BNc/5ZyCTB\nW/OgFDvXym1/gV/NY6NCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\nAQYwHQYDVR0OBBYEFC6gycssqInCC/9PJY9F43M7B224MAoGCCqGSM49BAMCA0gA\nMEUCIAK3aLaF12sAkvQCluO835VbXGDuWZQWYBgZOtkiHb1NAiEAvmmT8us14HWN\niLgObzzsqf7crpqXctWBDkvN2e5WeBU=\n-----END CERTIFICATE-----\n\n

4.The corresponding log output from the LBS is as follows:

[2023/08/30 10:54:21:5341] I: lws_create_context: Event loop: poll
[2023/08/30 10:54:21:5341] I: lws_smd_register: peer 0xaaaade9a98e0 (count 1) registered
[2023/08/30 10:54:21:5359] I: lws_create_context: ctx:  6032B (1936 ctx + pt(1 thr x 4096)), pt-fds: 1048576, fdmap: 8388608
[2023/08/30 10:54:21:5359] I: lws_create_context:  http: ah_data: 4096, ah: 984, max count 1048576
[2023/08/30 10:54:21:5376] I: lws_plat_init:  mem: platform fd map: 8388608 B
[2023/08/30 10:54:21:5377] N: __lws_lc_tag:  ++ [wsi|0|pipe] (1)
[2023/08/30 10:54:21:5377] I: lws_context_init_ssl_library:  Compiled with OpenSSL support
[2023/08/30 10:54:21:5377] I: lws_context_init_ssl_library: Doing SSL library init
[2023/08/30 10:54:21:5388] I: lws_server_get_canonical_hostname:  canonical_hostname = ubuntu-linux-22-04-desktop
[2023/08/30 10:54:21:5388] N: __lws_lc_tag:  ++ [vh|0|default|enp0s5|enp0s5|-1] (1)
[2023/08/30 10:54:21:5388] I: [vh|0|default|enp0s5|enp0s5|-1]: lws_create_vhost: Creating Vhost 'default' (serving disabled), 1 protocols, IPv6 off
[2023/08/30 10:54:21:5401] I: lws_tls_client_create_vhost_context: vh default: created new client ctx 0
[2023/08/30 10:54:21:5407] I: loaded ssl_ca_mem
[2023/08/30 10:54:21:5407] I: created client ssl context for default
[2023/08/30 10:54:21:5407] I: lws_create_context:  mem: per-conn:         1192 bytes + protocol rx buf
[2023/08/30 10:54:21:5407] I: lws_plat_drop_app_privileges: not changing group
[2023/08/30 10:54:21:5407] I: lws_plat_drop_app_privileges: not changing user
[2023/08/30 10:54:21:5408] I: lws_state_notify_protocol_init: doing protocol init on POLICY_VALID
[2023/08/30 10:54:21:5408] I: lws_protocol_init: 
[2023/08/30 10:54:21:5408] I: [vh|0|default|enp0s5|enp0s5|-1]: lws_protocol_init_vhost: init default.LibWebsocketClient
[2023/08/30 10:54:21:5408] I: lws_state_transition_steps: CONTEXT_CREATED -> OPERATIONAL
[2023/08/30 10:54:21:5408] I: : lws_client_connect_via_info: role binding to h1
[2023/08/30 10:54:21:5408] I: : lws_client_connect_via_info: vh default protocol binding to LibWebsocketClient
[2023/08/30 10:54:21:5408] I: : lws_client_connect_via_info: : h1 LibWebsocketClient entry
[2023/08/30 10:54:21:5408] N: __lws_lc_tag:  ++ [wsicli|0|WS/h1/default/192.168.10.10] (1)
[2023/08/30 10:54:21:5409] I: lws_header_table_attach: [wsicli|0|WS/h1/default/192.168.10.10]: ah (nil) (tsi 0, count = 0) in
[2023/08/30 10:54:21:5409] I: _lws_create_ah: created ah 0xffff9c001210 (size 4096): pool length 1
[2023/08/30 10:54:21:5409] I: lws_header_table_attach: did attach wsi [wsicli|0|WS/h1/default/192.168.10.10]: ah 0xffff9c001210: count 1 (on exit)
[2023/08/30 10:54:21:5409] I: [wsicli|0|WS/h1/default/192.168.10.10]: lws_client_connect_2_dnsreq: lookup 192.168.10.10:8080
[2023/08/30 10:54:21:5409] I: [wsicli|0|WS/h1/default/192.168.10.10]: lws_getaddrinfo46: getaddrinfo '192.168.10.10' says 0
[2023/08/30 10:54:21:5409] I: [wsicli|0|WS/h1/default/192.168.10.10]: lws_sort_dns: sort_dns: 0xffff9c002620
[2023/08/30 10:54:21:5409] I: [wsicli|0|WS/h1/default/192.168.10.10]: lws_sort_dns: unsorted entry (af 2) 192.168.10.10
[2023/08/30 10:54:21:5409] I: [wsicli|0|WS/h1/default/192.168.10.10]: lws_sort_dns_dump: 1: (2)192.168.10.10, gw (0)(unset), idi: 0, lbl: 0, prec: 0
[2023/08/30 10:54:21:5410] I: binding listen skt to enp0s5 using SO_BINDTODEVICE
[2023/08/30 10:54:21:5444] I: [wsicli|0|WS/h1/default/192.168.10.10]: lws_client_connect_3_connect: source ads 192.168.10.242
[2023/08/30 10:54:21:5444] I: [wsicli|0|WS/h1/default/192.168.10.10]: lws_client_connect_4_established: h1 LibWebsocketClient client created own conn (raw 0) vh default st 0x202
[2023/08/30 10:54:21:5444] I: lws_tls_restrict_borrow: 0 -> 1
[2023/08/30 10:54:21:5444] N: lws_gate_accepts: on = 0
[2023/08/30 10:54:21:5445] I: lws_tls_reuse_session: no existing session for default_192.168.10.10_8080
[2023/08/30 10:54:21:5445] I: h1 client conn using alpn list 'http/1.1'
[2023/08/30 10:54:21:5967] E: SSL error: unable to get local issuer certificate (preverify_ok=0;err=20;depth=0)
[2023/08/30 10:54:21:5968] I:    openssl error: error:0A000086:SSL routines::certificate verify failed
[2023/08/30 10:54:21:5968] I: 
[2023/08/30 10:54:21:5968] I: lws_tls_restrict_return_handshake:  1 -> 0
[2023/08/30 10:54:21:5968] N: lws_gate_accepts: on = 0
[2023/08/30 10:54:21:5968] I: lws_tls_client_confirm_peer_cert: cert problem: 
[2023/08/30 10:54:21:5968] I: server's cert didn't look good,  X509_V_ERR = 20: error:00000014:lib(0)::reason(20)
[2023/08/30 10:54:21:5968] I: 
[2023/08/30 10:54:21:5968] I: lws_http_client_socket_service: closing conn at LWS_CONNMODE...SERVER_REPLY, [wsicli|0|WS/h1/default/192.168.10.10], state 0x204
[2023/08/30 10:54:21:5969] I: reason: server's cert didn't look good,  X509_V_ERR = 20: error:00000014:lib(0)::reason(20)
[2023/08/30 10:54:21:6122] I: [wsicli|0|WS/h1/default/192.168.10.10]: __lws_close_free_wsi: caller: cbail3
[2023/08/30 10:54:21:6122] I: [wsicli|0|WS/h1/default/192.168.10.10]: __lws_close_free_wsi: real just_kill_connection: sockfd 8
[2023/08/30 10:54:21:6122] I: [wsicli|0|WS/h1/default/192.168.10.10]: __lws_close_free_wsi: cce=0
[2023/08/30 10:54:21:6123] I: lws_tls_restrict_return: 1 -> 0
[2023/08/30 10:54:21:6123] N: lws_gate_accepts: on = 0
[2023/08/30 10:54:21:6123] I: rops_destroy_role_h1: ah det due to close
[2023/08/30 10:54:21:6123] I: __lws_header_table_detach: [wsicli|0|WS/h1/default/192.168.10.10]: ah 0xffff9c001210 (tsi=0, count = 1)
[2023/08/30 10:54:21:6123] I: __lws_header_table_detach: nobody usable waiting
[2023/08/30 10:54:21:6123] I: _lws_destroy_ah: freed ah 0xffff9c001210 : pool length 0
[2023/08/30 10:54:21:6123] I: __lws_header_table_detach: [wsicli|0|WS/h1/default/192.168.10.10]: ah 0xffff9c001210 (tsi=0, count = 0)
[2023/08/30 10:54:21:6123] N: __lws_lc_untag:  -- [wsicli|0|WS/h1/default/192.168.10.10] (0) 71.468ms
[2023/08/30 10:54:22:8073] I: : lws_client_connect_via_info: role binding to h1
[2023/08/30 10:54:22:8074] I: : lws_client_connect_via_info: vh default protocol binding to LibWebsocketClient
[2023/08/30 10:54:22:8075] I: : lws_client_connect_via_info: : h1 LibWebsocketClient entry
[2023/08/30 10:54:22:8075] N: __lws_lc_tag:  ++ [wsicli|1|WS/h1/default/192.168.10.10] (1)
[2023/08/30 10:54:22:8075] I: lws_header_table_attach: [wsicli|1|WS/h1/default/192.168.10.10]: ah (nil) (tsi 0, count = 0) in
[2023/08/30 10:54:22:8075] I: _lws_create_ah: created ah 0xffff9c001210 (size 4096): pool length 1
[2023/08/30 10:54:22:8075] I: lws_header_table_attach: did attach wsi [wsicli|1|WS/h1/default/192.168.10.10]: ah 0xffff9c001210: count 1 (on exit)
[2023/08/30 10:54:22:8075] I: [wsicli|1|WS/h1/default/192.168.10.10]: lws_client_connect_2_dnsreq: lookup 192.168.10.10:8080
[2023/08/30 10:54:22:8076] I: [wsicli|1|WS/h1/default/192.168.10.10]: lws_getaddrinfo46: getaddrinfo '192.168.10.10' says 0
[2023/08/30 10:54:22:8076] I: [wsicli|1|WS/h1/default/192.168.10.10]: lws_sort_dns: sort_dns: 0xffff9c015750
[2023/08/30 10:54:22:8076] I: [wsicli|1|WS/h1/default/192.168.10.10]: lws_sort_dns: unsorted entry (af 2) 192.168.10.10
[2023/08/30 10:54:22:8076] I: [wsicli|1|WS/h1/default/192.168.10.10]: lws_sort_dns_dump: 1: (2)192.168.10.10, gw (0)(unset), idi: 0, lbl: 0, prec: 0
[2023/08/30 10:54:22:8079] I: binding listen skt to enp0s5 using SO_BINDTODEVICE
[2023/08/30 10:54:22:8313] I: [wsicli|1|WS/h1/default/192.168.10.10]: lws_client_connect_3_connect: source ads 192.168.10.242
[2023/08/30 10:54:22:8314] I: [wsicli|1|WS/h1/default/192.168.10.10]: lws_client_connect_4_established: h1 LibWebsocketClient client created own conn (raw 0) vh default st 0x202
[2023/08/30 10:54:22:8314] I: lws_tls_restrict_borrow: 0 -> 1
[2023/08/30 10:54:22:8314] N: lws_gate_accepts: on = 0
[2023/08/30 10:54:22:8315] I: lws_tls_reuse_session: no existing session for default_192.168.10.10_8080
[2023/08/30 10:54:22:8315] I: h1 client conn using alpn list 'http/1.1'

  1. I attempted to merge CA1 and CA2 into a single PEM file.

  2. Then, I used the command "openssl verify -CAfile <CAfile> <certificate>" to verify the certificate issued by the server.

  3. Regardless of whether CA1 is placed first or CA2 is placed first, the verification is successful.

james_lebron_23
  • 1

0 Answers0