On Thu, Sep 15, 2022 at 05:34:07PM +0000, Andrew Lynch via openssl-users wrote:

> Why is OpenSSL 1.0.2 verifying successfully? Does it not check the
> path length constraint or is it actually picking the depth 2 chain
> instead of the depth 3?

There are two important differences between 1.0.2 and 1.1.1:

- In 1.1.1 the trust store is always checked before any untrusted
  certificates provided by the peer. In 1.0.2 one would have to
  explicitly set the "trusted first" flag in the store context to get
  the same behaviour. This can result in different chains being built
  from the same data.

- In 1.1.1 the same checks are applied to both certificates from the
  peer and the trust store. In 1.0.2, IIRC some checks may have been
  (incorrectly I believe) applied only to certificates from the peer.
  I don't recall whether this could affect how path length limits are
  enforced, or whether 1.0.2 got updated at some point to treat both
  sources equivalently.

Finally, an RFC5280 trust anchor is a public key. Any associated
self-signed CA certificate is still a CA certificate. Implementations
can honour any path length constraint stored in such a certificate.

-- 
Viktor.
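The following script is an added example, not part of the thread above or of OpenSSL's own test suite. It builds two throwaway hierarchies with the openssl command line (1.1.1 or later is assumed to be on PATH; every name, key and file is constructed here) and runs "openssl verify" over them to show the two points the reply makes about path length: a pathlen:0 on an intermediate rejects any further CA below it, and a pathlen:0 carried by the self-signed certificate in the trust store is enforced in the same way, because that certificate is still a CA certificate. The helper functions ca_ext, new_cert and verify_leaf are inventions of this example.

```shell
#!/bin/sh
# Added example (not part of the thread): build two throwaway PKIs with the
# openssl CLI and check leaf certificates against them, to show how
# "openssl verify" enforces pathLenConstraint on an intermediate CA and on
# the self-signed CA certificate that serves as the trust anchor.
# Assumes an openssl binary (1.1.1 or later) on PATH; all names are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# ca_ext [PATHLEN]: x509v3 extension lines for a CA certificate; a non-empty
# PATHLEN becomes "pathlen:N" in basicConstraints.
ca_ext() {
    pl=""
    if [ -n "$1" ]; then pl=",pathlen:$1"; fi
    printf 'basicConstraints=critical,CA:TRUE%s\nkeyUsage=critical,keyCertSign,cRLSign\n' "$pl"
}
LEAF_EXT='basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature'

# new_cert NAME ISSUER EXTENSIONS: generate a P-256 key and CSR for NAME, then
# issue NAME.pem carrying EXTENSIONS, self-signed when ISSUER is empty and
# otherwise signed with ISSUER's key. Extensions come only from the ext file,
# so nothing from the system openssl.cnf leaks into the test certificates.
new_cert() {
    name=$1; issuer=$2
    printf '%s\n' "$3" > "$name.ext"
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$name.key" -out "$name.csr" -subj "/CN=$name" 2>/dev/null
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 1 \
            -extfile "$name.ext" -out "$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
            -CAcreateserial -days 1 -extfile "$name.ext" -out "$name.pem" 2>/dev/null
    fi
}

# verify_leaf ROOT BUNDLE LEAF: verify LEAF.pem with ROOT.pem as the explicit
# trust anchor and BUNDLE as the untrusted certificates a peer would send.
# Prints "OK" or the first error openssl reported; always returns 0 so the
# caller can compare the printed result.
verify_leaf() {
    status=0
    out=$(openssl verify -CAfile "$1.pem" -untrusted "$2" "$3.pem" 2>&1) || status=$?
    msg=$(printf '%s\n' "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1)
    if [ -n "$msg" ]; then
        echo "$msg"
    elif [ "$status" -ne 0 ]; then
        echo "$out"
    else
        echo OK
    fi
}

# PKI 1: root1 -> inter1 (pathlen:0) -> sub1 -> leaf1a, and inter1 -> leaf1b.
new_cert root1  ""     "$(ca_ext "")"
new_cert inter1 root1  "$(ca_ext 0)"
new_cert sub1   inter1 "$(ca_ext "")"
new_cert leaf1a sub1   "$LEAF_EXT"
new_cert leaf1b inter1 "$LEAF_EXT"
cat inter1.pem sub1.pem > bundle1.pem

# PKI 2: the self-signed trust anchor root2 carries pathlen:0, so it may issue
# end-entity certificates only; inter2 is one CA level too many.
new_cert root2  ""     "$(ca_ext 0)"
new_cert inter2 root2  "$(ca_ext "")"
new_cert leaf2  inter2 "$LEAF_EXT"

echo "leaf1b (root1 > inter1[pathlen:0] > leaf):        $(verify_leaf root1 inter1.pem leaf1b)"
echo "leaf1a (root1 > inter1[pathlen:0] > sub1 > leaf): $(verify_leaf root1 bundle1.pem leaf1a)"
echo "leaf2  (root2[pathlen:0] > inter2 > leaf):        $(verify_leaf root2 inter2.pem leaf2)"
```

Only leaf1b verifies; the other two chains are rejected with "path length constraint exceeded", the second because the constraint sits on the trust anchor's own certificate. The trusted-first difference from the first bullet cannot be reproduced this way on 1.1.1 or later, since there the trust store is always consulted first, which is exactly why the same input can yield a different chain on 1.0.2.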