Chain CA fails with 1.2.6

[benjy]

Hi,

Since 1.2.6 it seems the chain CA validation is broken.
Our infra is a bit particular as we have two differents CA
Server: CA1 -> subCA1 -> Sub-subCA1 -> server cert
Clients: CA2 -> subCA2 -> Sub-subCA2 -> client cert

The server includes CA2 in addition to the CA1 chain in its CA file to validate our clients.
The clients include CA1 in addition to the CA2 chain in its CA file as well.

All works for windows/linux/OSX/Android clients. But it fails for IOS since 1.2.6 (and maybe 1.2.5), it was working before though.

The server log shows that if fails to check the client chain:

VERIFY ERROR: depth=0, error=unable to get local issuer certificate: OU=OpenVPN-Mobile, CN=xxx

I tried different combination to include in the client CA but it never manages to get the local issuer.

There is a thread here: ​https://forums.openvpn.net/viewtopic.php?f=36&t=25674

With the help of ordex, we've identified that the problem comes from mbed TLS as the same issue occurs with mbed TLS on linux but not with openssl.

Thanks,
Ben

[Antonio Quartulli]

Thanks for the report.
It would be interesting to understand why mbedTLS is failing this case..there might be a reason behind (or might not). The error message points to something like "I can't find the CA to validate this client certificate". I wonder if by pushing multiple CAs mbedTLS is actually not storing them all...(just a rough and wild guess here).

[Antonio Quartulli]

switching the issue to OpenVPN community edition, so that a broader audience can consider it. (we verified it is not a problem in the iOS-only code)

[benjy]

OK, so to add a note, the issue comes from having two chains.
If I provide a certificate generated from Sub-subCA1 (SHA1) in my scenario (instead of Sub-subCA2) the client connects properly with mbedtls 2.6

[Gert Döring]

so what shall we do about this? If nobody is interested on working on this, we might as well close it.