I understand that the trusted store must either include Intermediate CA 1, or drop Intermediate CA 2 and contain just the Root CA. I was trying things out to understand how client authentication works.
Regards,
Sudarshan

On Tue, Aug 22, 2017 at 10:37 AM, Sudarshan Raghavan <sudarshan.t.ragha...@gmail.com> wrote:
> This is the CA - Leaf hierarchy I am testing with:
>
> Root CA > Intermediate CA 1 > Intermediate CA 2 > Leaf
>
> Trusted certificates configured: Root CA and Intermediate CA 2
>
> Client authenticates itself with this chain: Leaf > Intermediate CA 2 > Intermediate CA 1
>
> I am using openssl 1.1.0f. This client authentication attempt is flagged as failed by OpenSSL. When I enable the X509_V_FLAG_PARTIAL_CHAIN flag, it passes. I was trying to understand why the partial chain flag is needed when the verification chain from Leaf to Root CA can be constructed using both the chain sent by the client and the certificates configured in the trusted store.
>
> I looked at the code in the build_chain function inside crypto/x509/x509_vfy.c. This is what I understand: if the issuer of the Leaf certificate (Intermediate CA 2) is found in the trusted store, the code will no longer look in the untrusted chain sent by the client. The code expects the chain to the Root CA to be constructable from the trusted store itself. Given that Intermediate CA 1 is not in the trusted store, it fails to construct the verification chain to the Root CA and flags a failure. Did I understand this right? I assume in this scenario, enabling the partial chain flag is the way to go.
>
> Regards,
> Sudarshan
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
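The behaviour discussed in the thread can be reproduced end to end with nothing but the openssl CLI. The script below is an added example and is not part of the original thread or of OpenSSL's own code: it builds the poster's four-level hierarchy (Root CA > Intermediate CA 1 > Intermediate CA 2 > Leaf) with throwaway keys and made-up subject names, assembles the chain the client would send (Leaf plus Int2 and Int1), and runs `openssl verify` against two trust stores. Case 1 is the poster's exact configuration (Root CA and Intermediate CA 2 trusted, default flags) and fails with "unable to get issuer certificate", because once the chain builder takes Intermediate CA 2 from the trust store it stops consulting the untrusted certificates and cannot reach the Root CA. Case 2 adds `-partial_chain` (the CLI spelling of X509_V_FLAG_PARTIAL_CHAIN) and passes. Case 3 goes one step beyond the thread and shows the other fix the poster mentions: with only the Root CA trusted, both intermediates are taken from the client's chain and verification passes without any extra flag. The config file, file names and the 2048-bit RSA keys are assumptions for the demo; the `openssl verify` options used here exist in 1.0.2 and later.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the poster's PKI with the openssl
# CLI and reproduce the verification outcomes. Subject names and paths are made up.

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 1; }

WORK=$(mktemp -d)                     # scratch dir for keys, certs and trust stores
trap 'rm -rf "$WORK"' EXIT

# Minimal config: a [req] section so `openssl req -config` is satisfied, plus the
# v3 extensions that make a certificate a usable CA or a client-auth leaf.
# Without basicConstraints CA:TRUE the intermediates would be rejected as
# "invalid CA certificate" and mask the chain-building behaviour we want to see.
cat > "$WORK/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# issue NAME SUBJECT ISSUER EXT_SECTION SERIAL: fresh key + CSR, signed by ISSUER.
issue() {
    name=$1; subj=$2; issuer=$3; ext=$4; serial=$5
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
        -out "$WORK/$name.csr" -subj "$subj" -config "$WORK/pki.cnf" 2>/dev/null
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
        -CAkey "$WORK/$issuer.key" -set_serial "$serial" -days 1 \
        -extfile "$WORK/pki.cnf" -extensions "$ext" -out "$WORK/$name.pem" 2>/dev/null
}

setup_pki() {
    # Self-signed Root CA.
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
        -out "$WORK/root.pem" -days 1 -subj "/CN=Root CA" \
        -config "$WORK/pki.cnf" -extensions ca_ext 2>/dev/null
    issue int1 "/CN=Intermediate CA 1" root ca_ext 1001
    issue int2 "/CN=Intermediate CA 2" int1 ca_ext 1002
    issue leaf "/CN=client"            int2 leaf_ext 1003

    # Intermediates the client sends alongside its leaf: Int2 then Int1 (no root).
    cat "$WORK/int2.pem" "$WORK/int1.pem" > "$WORK/client_chain.pem"
    # Trust store A, the thread's configuration: Root CA and Intermediate CA 2.
    cat "$WORK/root.pem" "$WORK/int2.pem" > "$WORK/trusted_root_int2.pem"
    # Trust store B: Root CA only.
    cp "$WORK/root.pem" "$WORK/trusted_root.pem"
}

# verify_leaf TRUSTSTORE [extra `openssl verify` options]: prints OK or FAIL.
# `openssl verify` prints "<file>: OK" on success; some older releases exit 0
# even on failure, so the output is checked rather than the exit status.
verify_leaf() {
    store=$1; shift
    if openssl verify "$@" -CAfile "$store" -untrusted "$WORK/client_chain.pem" \
           "$WORK/leaf.pem" 2>/dev/null | grep -q ': OK$'; then
        echo OK
    else
        echo FAIL
    fi
}

setup_pki
echo "Root+Int2 trusted, default flags : $(verify_leaf "$WORK/trusted_root_int2.pem")"
echo "Root+Int2 trusted, -partial_chain: $(verify_leaf "$WORK/trusted_root_int2.pem" -partial_chain)"
echo "Root only trusted, default flags : $(verify_leaf "$WORK/trusted_root.pem")"
```

Run it as `sh verify_demo.sh`; the three lines print FAIL, OK, OK. To see the exact reason for the first case, drop the `2>/dev/null` on the verify call and OpenSSL reports "error 2 at 1 depth lookup: unable to get issuer certificate" for Intermediate CA 2, which is the chain builder giving up at the trusted intermediate rather than falling back to the client-supplied Intermediate CA 1.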