Opened 3 years ago
Last modified 3 years ago
#1366 new Feature Wish
Allow TLS partial chains in OpenSSL
Reported by: | elizabethdev | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | release 2.6 |
Component: | Certificates | Version: | |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
Cc: | Steffan Karger, plaisthos, tct | | |
Description
When using a non-chained intermediate CA cert as the trusted CA, OpenVPN fails with an OpenSSL "certificate verify failed" error. That's because, by default, OpenSSL doesn't allow intermediate CAs to be trust anchors, only root CAs (even when both the server and client certificates are issued by the subCA).
This can be prevented using the X509_V_FLAG_PARTIAL_CHAIN flag, added in OpenSSL 1.1.0 (-partial_chain param on the OpenSSL CLI).
It would be a good feature to have the option to use that flag in OpenVPN, enabling intermediate CAs to be used as certificate issuers with no need to chain their root CA.
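The behaviour the ticket describes, reproduced with the OpenSSL CLI as an added example (not code from the ticket or from OpenVPN): it builds a constructed root, sub-CA and leaf in a temporary directory, then verifies the leaf against the sub-CA alone, once with OpenSSL's default rules and once with -partial_chain. It assumes an openssl binary (1.1.1 or 3.x) on PATH; all subject names are made up.

```shell
#!/bin/sh
# Added example, not part of the ticket: reproduce with the openssl CLI the
# behaviour described above. Builds a throwaway root -> sub-CA -> leaf chain
# in a temp dir and verifies the leaf against the sub-CA alone, first with
# OpenSSL's defaults and then with -partial_chain. Assumes openssl 1.1.1 or 3.x.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profiles: a CA must carry CA:TRUE or OpenSSL rejects it as an issuer.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/ca.ext"
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' \
  > "$WORK/leaf.ext"

# make_key_and_csr NAME SUBJECT: fresh P-256 key plus a CSR for it (constructed names).
make_key_and_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
make_key_and_csr root "/CN=Example Root CA"
make_key_and_csr sub  "/CN=Example Sub CA"
make_key_and_csr leaf "/CN=vpn.example.test"

# Self-signed root; sub-CA signed by the root; leaf signed by the sub-CA.
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/sub.pem" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/sub.pem" -CAkey "$WORK/sub.key" \
  -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# Default rules: the chain must end at a self-signed root, so trusting only the
# sub-CA fails ("unable to get issuer certificate"). Returns verify's exit status.
verify_default() {
  openssl verify -CAfile "$WORK/sub.pem" "$WORK/leaf.pem"
}

# X509_V_FLAG_PARTIAL_CHAIN (-partial_chain): a trusted intermediate may itself
# be the anchor, which is the behaviour the ticket asks OpenVPN to expose.
verify_partial_chain() {
  openssl verify -partial_chain -CAfile "$WORK/sub.pem" "$WORK/leaf.pem"
}

if verify_default; then echo "unexpected: verified without -partial_chain" >&2; exit 1; fi
verify_partial_chain
```

The CLI reports the underlying X509 verification reason, whereas OpenVPN surfaces the TLS-layer "certificate verify failed" message; an OpenVPN-side option would set the same flag with X509_STORE_set_flags() on the SSL_CTX's certificate store.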
Change History (2)
comment:1 Changed 3 years ago by
Cc: | Steffan Karger plaisthos added |
---|---|
Milestone: | → release 2.6 |
comment:2 Changed 3 years ago by
Cc: | tct added |
---|---|