reg: question about SSL server cert verification

Jakob Bohm jb-openssl at
Sun Jun 20 02:08:19 UTC 2021

On 2021-06-18 17:07, Viktor Dukhovni wrote:

> On Fri, Jun 18, 2021 at 03:09:47PM +0200, Jakob Bohm via openssl-users wrote:
>> Now the client simply works backwards through that list, checking if
>> each certificate signed the next one or claims to be signed by a
>> certificate in /etc/certs.  This lookup is done based on the complete
>> distinguished name, not just the CN part of it.  At every step, the
>> certificate may be referenced by a "key identifier" instead of the
>> distinguished name, and some clients will compare that instead of the
>> distinguished name.
> All extant (non-EOL) OpenSSL releases prioritise the local trust-store
> over the remotely provided CA certificate list when building the
> certificate chain.  The remote chain is used only when no match is found
> in the trust store.  As soon as a matching issuer is found in the trust store
> all further lookups are from the trust store only.
> If the local trust store contains only "root CAs", and the remote peer
> provides the rest of the chain, with no overlap in the subject
> distinguished names, the behaviour is not observably different from
> Jakob's description.
> Differences are observed once the local trust store contains some
> intermediate certificates or the remote chain provides a cross cert for
> which the local store instead contains a corresponding (same subject
> name and keyid) self-signed root, or the cross cert is in the local
> store, but the remote peer sends a root.  In all such cases chain
> construction uses the certs from the trust store.  This tends to produce
> less surprising (and ideally better, or at least what you implicitly
> asked for) results.
Interesting; earlier today I observed the confusing effect of
"openssl verify" treating -trusted_first as always on while keeping
documentation wording suggesting it is an actual option, not a historical
remnant of yet another feature removed by the new OpenSSL.

Jakob Bohm, CIO, partner, WiseMo A/S.
Transformervej 29, 2860 Soborg, Denmark. direct: +45 31 13 16 10 
This message is only for its intended recipient, delete if misaddressed.
WiseMo - Remote Service Management for PCs, Phones and Embedded
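The trust-store-first chain construction Viktor describes above, and the always-on -trusted_first that Jakob mentions, can be observed with a small constructed PKI. This is an added example, not code from the thread; it assumes the openssl command-line tool (1.1.1 or 3.x) is on PATH, and every name in it (Legacy Root, Example Root, leaf.example) is made up.

```shell
#!/bin/sh
# Added example, not from the thread: a tiny constructed PKI that shows the
# trust-store-first chain building described above. Needs the openssl CLI.
set -e
WORK=$(mktemp -d) && cd "$WORK"
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
printf 'basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' >leaf.ext

# mk NAME CN ISSUER EXTFILE   (ISSUER "self" = self-signed)
mk() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1.key" 2>/dev/null
  openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
  if [ "$3" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -extfile "$4" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
      -extfile "$4" -out "$1.pem" 2>/dev/null
  fi
}
mk legacy "Legacy Root" self ca.ext        # older root some clients still trust
mk root   "Example Root" self ca.ext       # newer self-signed root
mk inter  "Example Intermediate" root ca.ext
mk leaf   "leaf.example" inter leaf.ext
# Cross cert: same subject and key (so same keyid) as Example Root, issued by Legacy Root.
openssl x509 -req -in root.csr -CA legacy.pem -CAkey legacy.key -CAcreateserial \
  -extfile ca.ext -out cross.pem 2>/dev/null
cat inter.pem cross.pem >peerchain.pem     # what a server sends to reach Legacy Root
cat root.pem legacy.pem >both.pem          # trust store holding both roots

# chain_depth TRUSTFILE [verify flags...]: prints how many certificates are in the
# chain that `openssl verify` actually built, or FAIL when verification fails.
chain_depth() {
  trust=$1; shift
  out=$(openssl verify -CAfile "$trust" -untrusted peerchain.pem -show_chain "$@" leaf.pem 2>/dev/null) \
    || { echo FAIL; return 0; }
  printf '%s\n' "$out" | grep -c '^depth='
}
echo "trust=root               : $(chain_depth root.pem)"                  # 3: trust-store root wins over the cross cert
echo "trust=legacy             : $(chain_depth legacy.pem)"                # 4: cross cert is used to reach Legacy Root
echo "trust=root+legacy        : $(chain_depth both.pem)"                  # 3: trust store still preferred
echo "trust=root -trusted_first: $(chain_depth root.pem -trusted_first)"   # 3: the flag changes nothing, it is always on
```

The depth count is taken from the `-show_chain` output: when the trust store contains the self-signed Example Root, the peer-supplied cross cert is never used even though it carries the same subject name and keyid.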