Opened 3 months ago

Last modified 2 months ago

#1366 new Feature Wish

Allow TLS partial chains in OpenSSL

Reported by: elizabethdev
Owned by:
Priority: major
Milestone: release 2.6
Component: Certificates
Version:
Severity: Not set
Keywords:
Cc: Steffan Karger, plaisthos, tincantech

Description

When using a non-chained intermediate CA cert as the trusted CA, OpenVPN fails with an OpenSSL "certificate verify failed" error. That's because, by default, OpenSSL doesn't allow intermediate CAs to be trust anchors, only root CAs (even when both the server and client certificates are issued by the subCA).

This can be prevented using the X509_V_FLAG_PARTIAL_CHAIN flag, added in OpenSSL 1.1.0 (the -partial_chain parameter on the OpenSSL CLI).

It would be a good feature to have the option to use that flag in OpenVPN, enabling intermediate CAs to be used as certificate issuers with no need to chain their root CA.
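To reproduce the behaviour the report describes on the command line, here is an added example (not from the ticket and not OpenVPN's own code) that builds a throwaway root CA, sub CA and client certificate with the openssl CLI, then verifies the client certificate against the sub CA alone, first without and then with -partial_chain. It assumes OpenSSL 1.1.0 or newer on PATH; all names and file names are made up for the demo.

```shell
# Added example (not from the ticket): build a throwaway root -> sub CA -> client
# chain with the openssl CLI, then verify the client cert against the sub CA alone.
# Assumes OpenSSL >= 1.1.0; all names and files are made up for the demo.

# Create the three certificates under directory $1.
make_demo_pki() {
  dir="$1"
  # extensions that mark a certificate as a CA (used for root and sub CA)
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  # self-signed root CA
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
    -out "$dir/root.csr" -subj "/CN=Demo Root CA" 2>/dev/null
  openssl x509 -req -days 30 -in "$dir/root.csr" -signkey "$dir/root.key" \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
  # intermediate (sub) CA issued by the root
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/sub.key" \
    -out "$dir/sub.csr" -subj "/CN=Demo Sub CA" 2>/dev/null
  openssl x509 -req -days 30 -in "$dir/sub.csr" -CA "$dir/root.pem" \
    -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/ca.ext" \
    -out "$dir/sub.pem" 2>/dev/null
  # client certificate issued by the sub CA (what an OpenVPN peer would present)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/client.key" \
    -out "$dir/client.csr" -subj "/CN=client1" 2>/dev/null
  openssl x509 -req -days 30 -in "$dir/client.csr" -CA "$dir/sub.pem" \
    -CAkey "$dir/sub.key" -CAcreateserial -out "$dir/client.pem" 2>/dev/null
}

# Verify the client cert with ONLY the sub CA as trust anchor.
# $2 is either empty or "-partial_chain"; the return value is openssl's exit status.
verify_client() {
  # -no-CAfile/-no-CApath keep the system trust store out of the picture
  openssl verify -no-CAfile -no-CApath -CAfile "$1/sub.pem" $2 "$1/client.pem"
}

demo_partial_chain() {
  dir=$(mktemp -d)
  make_demo_pki "$dir"
  # the sub CA is not self-signed, so by default OpenSSL keeps looking for its
  # issuer (the root), does not find it in the trust store, and rejects the chain
  verify_client "$dir" "" && echo "unexpected: accepted without -partial_chain"
  # with X509_V_FLAG_PARTIAL_CHAIN the trusted sub CA itself terminates the chain
  verify_client "$dir" -partial_chain && echo "accepted with -partial_chain"
  rm -rf "$dir"
}

demo_partial_chain
```

The first verify call is the failure OpenVPN surfaces as "certificate verify failed" when the sub CA is given as the trusted CA; the second is what the requested option would enable.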

Change History (2)

comment:1 Changed 2 months ago by Gert Döring

Cc: Steffan Karger, plaisthos added
Milestone: release 2.6

comment:2 Changed 2 months ago by tincantech

Cc: tincantech added