[openssl-users] Certificate Verify and non-root Trust Anchors

Viktor Dukhovni openssl-users at dukhovni.org
Mon Dec 11 23:18:14 UTC 2017

> On Dec 11, 2017, at 6:03 PM, Dr. Pala <madwolf at openca.org> wrote:
> thanks :D I just tried to set it and I get a different error now : 22 (certificate chain too long)... I suspect it is a side effect of using the  X509_V_FLAG_PARTIAL_CHAIN flag... ? (no chain restrictions are set in the certificates themselves...), but I have not dug into the vfy code yet...

Perhaps you ended up creating a parameter structure with a
depth limit that's too small.  Just configuring partial
chains will never yield a chain that is longer than it
otherwise would be.  In fact you generally get shorter
chains.  So, no this is not a result of using the
new flag, but may be a result of how you're going about
setting the flag.

> ... any suggestion on how to fix this ? Do you think it is actually a bug ? ... or am I missing some other configs / setting I should have done for the verify param ?

You should obtain a reference to the existing parameters
from the context, and modify these to add the new flag.


More information about the openssl-users mailing list