Sudarshan Raghavan sudarshan.t.raghavan at gmail.com
Tue Aug 22 17:37:29 UTC 2017

This is the CA-to-Leaf hierarchy I am testing with:

Root CA > Intermediate CA 1 > Intermediate CA 2 > Leaf

Trusted certificates configured: Root CA and Intermediate CA 2

Client authenticates itself with this chain: Leaf > Intermediate CA 2 >
Intermediate CA 1

I am using openssl 1.1.0f. This client authentication attempt is flagged as
failed by OpenSSL. When I enable the X509_V_FLAG_PARTIAL_CHAIN flag, it
passes. I was trying to understand why the partial chain flag is needed
when the verification chain from Leaf to Root CA can be constructed using
both the chain sent by the client and the certificates configured in
trusted store. I looked at the code in build_chain function inside
crypto/x509/x509_vfy.c. This is what I understand. If the issuer of Leaf
certificate (Intermediate CA 2) is found in trusted store, the code will no
longer look in the untrusted chain sent by the client. The code expects that the
chain to Root CA can be constructed from the trusted store itself. Given
Intermediate CA 1 is not in the trusted store, it fails to construct the
verification chain to Root CA and flags a failure. Did I understand this
right? I assume in this scenario, enabling the partial chain flag is the
way to go.
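A way to reproduce the behaviour described in this message with the openssl(1) command line. This is an added example, not part of the original post and not OpenSSL's own test code. It builds the same four-certificate hierarchy with throwaway EC keys, puts Root CA and Intermediate CA 2 (but not Intermediate CA 1) in the trust store, and verifies the leaf three times: with the default flags, with -partial_chain, and against a trust store holding only Root CA. File names, subject names and the helper functions issue_cert/verify_leaf are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the chain-building
# behaviour discussed above with openssl(1). All file and subject names are
# made up here.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cd "$work"

# Minimal req config: the subject comes from -subj, so the DN section is empty.
printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\n' > req.cnf
printf 'basicConstraints = critical, CA:TRUE\n' > ca.ext
printf 'basicConstraints = CA:FALSE\n' > leaf.ext

# issue_cert NAME SUBJECT EXTFILE [ISSUER]: create NAME.key and NAME.pem,
# self-signed when ISSUER is omitted, otherwise signed with ISSUER.key.
issue_cert() {
    name=$1 subj=$2 ext=$3 issuer=${4:-}
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$name.key" 2>/dev/null
    openssl req -new -config req.cnf -key "$name.key" -subj "$subj" -out "$name.csr"
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 2 \
            -extfile "$ext" -out "$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
            -CAcreateserial -days 2 -extfile "$ext" -out "$name.pem" 2>/dev/null
    fi
}

# Root CA > Intermediate CA 1 > Intermediate CA 2 > Leaf
issue_cert root "/CN=Root CA" ca.ext
issue_cert int1 "/CN=Intermediate CA 1" ca.ext root
issue_cert int2 "/CN=Intermediate CA 2" ca.ext int1
issue_cert leaf "/CN=Leaf" leaf.ext int2

# Trust store as in the message: Root CA and Intermediate CA 2, Intermediate CA 1 absent.
cat root.pem int2.pem > trusted.pem
# Chain presented by the client: Leaf, then Intermediate CA 2, then Intermediate CA 1.
cat int2.pem int1.pem > untrusted.pem

# verify_leaf TRUSTFILE [extra verify flags]: verify leaf.pem against TRUSTFILE
# with the client's chain supplied via -untrusted; returns openssl verify's status.
verify_leaf() {
    trustfile=$1; shift
    openssl verify "$@" -CAfile "$trustfile" -untrusted untrusted.pem leaf.pem
}

# 1. Default flags: the trusted-first lookup finds Intermediate CA 2 in the store,
#    after which the untrusted chain is no longer consulted. Intermediate CA 1 is
#    then looked up in the store only, is not there, and the chain cannot reach
#    Root CA: "error 2 at 1 depth lookup: unable to get issuer certificate".
verify_leaf trusted.pem -show_chain || echo "default flags: FAILED (as in the message)"

# 2. -partial_chain: a non-self-signed certificate found in the trust store is
#    accepted as the trust anchor, so the chain Leaf -> Intermediate CA 2 suffices.
verify_leaf trusted.pem -show_chain -partial_chain

# 3. Trust store holding only Root CA: nothing in the store matches Intermediate
#    CA 2, so the untrusted chain is followed all the way up and no flag is needed.
verify_leaf root.pem -show_chain
```

The first result relies on the trusted-first lookup that OpenSSL uses by default from 1.1.0 onward; the third case shows the alternative to -partial_chain when the real requirement is only "must chain to Root CA": keep intermediates out of the trust store so the peer-supplied chain is used to reach the root.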

