Stricter pathlen checks in OpenSSL 1.1.1 compared to 1.0.2?

Viktor Dukhovni openssl-users at
Thu Sep 15 18:30:02 UTC 2022

On Thu, Sep 15, 2022 at 05:34:07PM +0000, Andrew Lynch via openssl-users wrote:

> Why is OpenSSL 1.0.2 verifying successfully?  Does it not check the
> path length constraint or is it actually picking the depth 2 chain
> instead of the depth 3?

There are two important differences between 1.0.2 and 1.1.1:

    - In 1.1.1 the trust store is always checked before any
      untrusted certificates provided by the peer.  In 1.0.2
      one would have to explicitly set the "trusted first"
      flag in the store context to get the same behaviour.

      This can result in different chains being built from
      the same data.

    - In 1.1.1 the same checks are applied to both certificates from the
      peer and the trust store.  In 1.0.2, IIRC some checks may have
      been (incorrectly I believe) applied only to certificates from the
      peer.  I don't recall whether this could affect how path length
      limits are enforced, or whether 1.0.2 got updated at some point to
      treat both sources equivalently.

Finally, an RFC5280 trust anchor is a public key.  Any associated
self-signed CA certificate is still CA certificate.  Implementations can
honour any path length constraint stored in such a certificate.


More information about the openssl-users mailing list