Opened 3 years ago

Last modified 3 years ago

#1366 new Feature Wish

Allow TLS partial chains in OpenSSL

Reported by: elizabethdev Owned by:
Priority: major Milestone: release 2.6
Component: Certificates Version:
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc: Steffan Karger, plaisthos, tct


When using a non-chained intermediate CA cert as the trusted CA, OpenVPN fails with an OpenSSL "certificate verify failed" error. That's because, by default, OpenSSL doesn't allow intermediate CAs to be trust anchors, only root CAs (even when both the server and client certificates are issued by the subCA).

This can be prevented using the X509_V_FLAG_PARTIAL_CHAIN flag, added in OpenSSL 1.1.0. (-partial_chain param on the OpenSSL CLI)

It would be a good feature having the option to use that flag in OpenVPN, enabling intermediate CAs to be used as certificate issuers with no need to chain their root CA.

Change History (2)

comment:1 Changed 3 years ago by Gert Döring

Cc: Steffan Karger plaisthos added
Milestone: release 2.6

comment:2 Changed 3 years ago by tct

Cc: tct added
Note: See TracTickets for help on using tickets.