[openssl-users] Certificate Verify and non-root Trust Anchors

Dr. Pala madwolf at openca.org
Tue Dec 12 00:41:35 UTC 2017

Hi Victor,

does it matter that we are not in the TLS case (maybe the code is 
different in the SSL_CTX ) ? I am just trying to validate the chain with 
the TA set to the SubCA... :D

IMHO, the correct (or, better, the expected) behavior (from a 
developer's standpoint) would be to trust keys in the trusted 
certificates list, no matter if they are in the form of a Self-Signed or 
non-Self-Signed certificate - after all, it is a Trust Anchor --> just a 
Public Key :D

Just my 2 cents...


On 12/11/17 4:54 PM, Viktor Dukhovni wrote:
>> On Dec 11, 2017, at 6:27 PM, Michael Richardson <mcr at sandelman.ca> wrote:
>> I believe that I ran into a similar problem where by I could not pin
>> ('trust') an intermediate certificate (which was not self-signed) for the
>> purposes of verifying a CMS/PKCS7 object.
>> I don't have a solution, and I believe that work is required.
> As I already mentioned a few times, the new X509_V_FLAG_PARTIAL_CHAIN
> flag added in 1.0.2 addresses this issue.
> To get pinning provide a trust store with just the pinned issuer CA,
> and X509_V_FLAG_PARTIAL_CHAIN set.
> With OpenSSL 1.1.0 one can also implement pinning by computing a TLSA
> record for the pinned CA, and using OpenSSL's DANE support.  OpenSSL
> does not do the DNS lookups to find TLSA records, that's up to the
> application, so the TLSA records can be entirely synthetic (e.g.
> derived from suitable hashes of a pinned CA cert or its public key).

More information about the openssl-users mailing list