[openssl-users] Client authentication certificate verification

Sudarshan Raghavan sudarshan.t.raghavan at gmail.com
Tue Aug 22 17:38:57 UTC 2017

I understand that the trusted store must either include Intermediate CA 1,
or have Intermediate CA 2 removed and contain just the Root CA. I was trying
things out to understand how client authentication works.


On Tue, Aug 22, 2017 at 10:37 AM, Sudarshan Raghavan <
sudarshan.t.raghavan at gmail.com> wrote:

> This is the CA - Leaf hierarchy I am testing with
> Root CA > Intermediate CA 1 > Intermediate CA 2 > Leaf
> Trusted certificates configured: Root CA and Intermediate CA 2
> Client authenticates itself with this chain: Leaf > Intermediate CA 2 >
> Intermediate CA 1
> I am using openssl 1.1.0f. This client authentication attempt is flagged
> as failed by OpenSSL. When I enable the X509_V_FLAG_PARTIAL_CHAIN flag, it
> passes. I was trying to understand why the partial chain flag is needed
> when the verification chain from Leaf to Root CA can be constructed using
> both the chain sent by the client and the certificates configured in
> trusted store. I looked at the code in build_chain function inside
> crypto/x509/x509_vfy.c. This is what I understand. If the issuer of Leaf
> certificate (Intermediate CA 2) is found in trusted store, the code will no
> longer look in the untrusted chain sent by the client. The code expects that
> the chain to the Root CA can be constructed from the trusted store itself. Given
> Intermediate CA 1 is not in the trusted store, it fails to construct the
> verification chain to Root CA and flags a failure. Did I understand this
> right? I assume in this scenario, enabling the partial chain flag is the
> way to go.
> Regards,
> Sudarshan
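The three cases discussed in this thread, reproduced with the openssl command line (an added example, not code from the thread or from OpenSSL itself; it assumes `openssl` is on PATH, and the file names, subject names and 30-day validity are constructed for the example):

```sh
#!/bin/sh
# Rebuild the poster's hierarchy Root CA > Intermediate CA 1 > Intermediate CA 2 > Leaf
# (files root, int1, int2, leaf) and run the three verification cases from the thread.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Constructed helper files: a minimal req config (so the script does not depend on
# the system openssl.cnf) and extension files for CA and leaf certificates.
printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nextendedKeyUsage=clientAuth\n' > leaf.ext

# issue NAME ISSUER EXTFILE: write NAME.key and NAME.pem signed by ISSUER.key
# (self-signed when ISSUER equals NAME). The subject CN is NAME.
issue() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
  openssl req -new -key "$1.key" -subj "/CN=$1" -config req.cnf -out "$1.csr"
  if [ "$1" = "$2" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -extfile "$3" -days 30 \
      -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
      -extfile "$3" -days 30 -out "$1.pem" 2>/dev/null
  fi
}
issue root root ca.ext
issue int1 root ca.ext
issue int2 int1 ca.ext
issue leaf int2 leaf.ext

cat int2.pem int1.pem > client-chain.pem        # what the client sends with leaf
cat root.pem int2.pem > trusted-root-int2.pem   # the trust store used in the thread
cp  root.pem          trusted-root.pem          # a trust store holding only the Root CA

# verify_leaf TRUSTFILE [extra verify flags]: exit 0 if OpenSSL accepts leaf.pem,
# non-zero otherwise. The CLI's own output shows at which depth the lookup stopped.
verify_leaf() {
  trusted=$1; shift
  openssl verify -CAfile "$trusted" -untrusted client-chain.pem "$@" leaf.pem
}

# 1. Root + int2 trusted: int2 is taken from the trust store, so int1 is then looked
#    up only in the trust store, not in the client's chain, and verification fails.
verify_leaf trusted-root-int2.pem || echo "=> rejected without -partial_chain"
# 2. Same store with -partial_chain: the trusted int2 may itself end the chain.
verify_leaf trusted-root-int2.pem -partial_chain && echo "=> accepted with -partial_chain"
# 3. Only the Root CA trusted: int2 and int1 come from the client's chain and the
#    chain reaches the root, so no flag is needed.
verify_leaf trusted-root.pem && echo "=> accepted with only the Root CA trusted"
```

Case 1 fails with "unable to get issuer certificate" at depth 1 (int2), which is exactly the point at which chain building stops consulting the client's untrusted certificates.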