Stricter pathlen checks in OpenSSL 1.1.1 compared to 1.0.2?

Andrew Lynch andrew.lynch at
Thu Sep 15 17:34:07 UTC 2022


I would like to have my understanding of the following issue confirmed:

Given a two-level CA where the different generations of Root cross-sign each other, the verification of an end-entity certificate fails with OpenSSL 1.1.1 - "path length constraint exceeded".  With OpenSSL 1.0.2 the same verify succeeds.

All Root CA certificates have Basic Constraints CA:TRUE, pathlen:1.  The Sub CA certificate has pathlen:0.

A) Issuer: CN=Root CA, serialNumber=1
   Subject: CN=Root CA, serialNumber=1

B) Issuer: CN=Root CA, serialNumber=2
   Subject: CN=Root CA, serialNumber=2

C) Issuer: CN=Root CA, serialNumber=1
   Subject: CN=Root CA, serialNumber=2

D) Issuer: CN=Root CA, serialNumber=2
   Subject: CN=Sub CA, serialNumber=2

E) Issuer: CN=Sub CA, serialNumber=2
   Subject: Some end entity

With a CAfile containing D, C, B, A in that order the verify of E fails.  If I remove the cross certificate C then the verify succeeds.

I believe OpenSSL 1.1.1 is building a chain of depth 3 (D - C - A) and so pathlen:1 of A is violated.  Without the cross certificate the chain is only depth 2 (D - B).

Is my understanding of the reason for this failure correct?
Why is OpenSSL 1.0.2 verifying successfully?  Does it not check the path length constraint or is it actually picking the depth 2 chain instead of the depth 3?


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list