Opened 3 years ago
Last modified 3 years ago
#1366 new Feature Wish
Allow TLS partial chains in OpenSSL
| Reported by: | elizabethdev | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | release 2.6 |
| Component: | Certificates | Version: | |
| Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | |
| Cc: | Steffan Karger, plaisthos, tct |
Description
When using a non-chained intermediate CA cert as the trusted CA, OpenVPN fails with an OpenSSL "certificate verify failed" error. That's because, by default, OpenSSL doesn't allow intermediate CAs to be trust anchors, only root CAs (even when both the server and client certificates are issued by the subCA).
This can be prevented using the X509_V_FLAG_PARTIAL_CHAIN flag, added in OpenSSL 1.1.0. (-partial_chain param on the OpenSSL CLI)
It would be a good feature having the option to use that flag in OpenVPN, enabling intermediate CAs to be used as certificate issuers with no need to chain their root CA.
Change History (2)
comment:1 Changed 3 years ago by
| Cc: | Steffan Karger plaisthos added |
|---|---|
| Milestone: | → release 2.6 |
comment:2 Changed 3 years ago by
| Cc: | tct added |
|---|
Note: See
TracTickets for help on using
tickets.
