I understand that the trusted store must include Intermediate CA 1 or remove Intermediate CA 2 and just have the Root CA in it. I was trying things out to understand how client authentication works.
Regards,
Sudarshan
On Tue, Aug 22, 2017 at 10:37 AM, Sudarshan Raghavan <sudarshan.t.raghavan@xxxxxxxxx> wrote:
This is the CA - Leaf hierarchy I am testing with:

Root CA > Intermediate CA 1 > Intermediate CA 2 > Leaf

Trusted certificates configured: Root CA and Intermediate CA 2

Client authenticates itself with this chain: Leaf > Intermediate CA 2 > Intermediate CA 1

I am using openssl 1.1.0f. This client authentication attempt is flagged as failed by OpenSSL. When I enable the X509_V_FLAG_PARTIAL_CHAIN flag, it passes. I was trying to understand why the partial chain flag is needed when the verification chain from Leaf to Root CA can be constructed using both the chain sent by the client and the certificates configured in the trusted store.

I looked at the code in the build_chain function inside crypto/x509/x509_vfy.c. This is what I understand. If the issuer of the Leaf certificate (Intermediate CA 2) is found in the trusted store, the code will no longer look in the untrusted chain sent by the client. The code expects that the chain to the Root CA can be constructed from the trusted store itself. Given Intermediate CA 1 is not in the trusted store, it fails to construct the verification chain to the Root CA and flags a failure. Did I understand this right? I assume in this scenario, enabling the partial chain flag is the way to go.

Regards,
Sudarshan
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
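The scenario discussed in this thread, reproduced with the openssl command-line tool. This is an added example, not code from the thread or from the OpenSSL project: it generates a throwaway Root CA > Intermediate CA 1 > Intermediate CA 2 > Leaf hierarchy (all key file names, subject names and serials are constructed here), puts Intermediate CA 2 and Intermediate CA 1 in the "untrusted" chain the client would send, and then runs `openssl verify` against four trust-store layouts: the poster's store (Root CA + Intermediate CA 2) with default flags, the same store with `-partial_chain` (the CLI equivalent of X509_V_FLAG_PARTIAL_CHAIN), and the two layouts named in the reply (Root CA alone, and a store that also contains Intermediate CA 1).

```shell
#!/bin/sh
# Added example: reproduce the thread's chain-building question with the
# openssl CLI. Everything is generated in a temp directory; all names are
# constructed for this demo and are not from any real deployment.
#
#   Hierarchy:       Root CA > Intermediate CA 1 > Intermediate CA 2 > Leaf
#   Untrusted chain: Intermediate CA 2 + Intermediate CA 1 (what the client sends)
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles. CA:TRUE is required for a certificate to be accepted
# as an issuer; the leaf is marked for clientAuth to match the thread's use.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

# newkey NAME: write a P-256 private key to NAME.key
newkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"; }

# issue NAME SUBJECT PARENT EXT_SECTION SERIAL: CSR for NAME, signed by PARENT
issue() {
    openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr" -config ext.cnf
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -set_serial "$5" \
        -days 1 -extfile ext.cnf -extensions "$4" -out "$1.pem" 2>/dev/null
}

newkey root; newkey int1; newkey int2; newkey leaf
openssl req -new -x509 -key root.key -subj "/CN=Root CA" -days 1 \
    -config ext.cnf -extensions ca_ext -out root.pem
issue int1 "Intermediate CA 1" root ca_ext 10
issue int2 "Intermediate CA 2" int1 ca_ext 20
issue leaf "Leaf"              int2 leaf_ext 30

# The chain presented by the client: Int2 then Int1 (the root is never sent).
cat int2.pem int1.pem > untrusted.pem

# check "CERTS" [verify flags...]: build a trust store from the named certs,
# verify leaf.pem against it with the client's untrusted chain, print pass|fail.
# -no-CApath keeps the system trust directory out of the picture.
check() {
    : > trusted.pem
    for c in $1; do cat "$c.pem" >> trusted.pem; done
    shift
    if openssl verify -no-CApath -CAfile trusted.pem -untrusted untrusted.pem \
        "$@" leaf.pem >/dev/null 2>&1
    then echo pass; else echo fail; fi
}

echo "trust {Root, Int2}, default flags:  $(check 'root int2')"
echo "trust {Root, Int2}, -partial_chain: $(check 'root int2' -partial_chain)"
echo "trust {Root} only:                  $(check 'root')"
echo "trust {Root, Int1, Int2}:           $(check 'root int1 int2')"
```

The first line shows the behaviour the poster hit: once the leaf's issuer is found in the trust store, the rest of the chain has to come from the trust store too, so the missing Intermediate CA 1 makes verification fail even though the client supplied it. The remaining three lines are the three ways out of it discussed in the thread. Note what `-partial_chain` actually changes: any certificate in the trust store becomes an acceptable trust anchor, so with it set Intermediate CA 2 is trusted directly and the path to the root is never checked; putting the missing intermediate (or only the root) in the store keeps full-chain validation to a self-signed anchor.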