id: 1005
summary: Chain CA fails with 1.2.6
reporter: benjy
owner:
type: Bug / Defect
status: new
priority: major
milestone:
component: Crypto
version: OpenVPN 2.4.4 (Community Ed)
severity: Not set (select this one, unless you're an OpenVPN developer)
resolution:
keywords:
cc: Steffan Karger, Antonio Quartulli

description:

Hi,

Since 1.2.6 it seems the chain CA validation is broken.

Our infra is a bit particular as we have two different CAs:

Server: CA1 -> subCA1 -> Sub-subCA1 -> server cert
Clients: CA2 -> subCA2 -> Sub-subCA2 -> client cert

The server includes CA2 in addition to the CA1 chain in its CA file to validate our clients. The clients include CA1 in addition to the CA2 chain in their CA file as well.

All works for Windows/Linux/OSX/Android clients. But it fails for iOS since 1.2.6 (and maybe 1.2.5); it was working before though.

The server log shows that it fails to check the client chain:

{{{
VERIFY ERROR: depth=0, error=unable to get local issuer certificate: OU=OpenVPN-Mobile, CN=xxx
}}}

I tried different combinations to include in the client CA but it never manages to get the local issuer.

There is a thread here: https://forums.openvpn.net/viewtopic.php?f=36&t=25674

With the help of ordex, we've identified that the problem comes from mbed TLS, as the same issue occurs with mbed TLS on Linux but not with OpenSSL.

Thanks,
Ben