Skip to content

Support partial certificate chain authentication#538

Merged
michalvasko merged 5 commits intoCESNET:develfrom
Roytak:devel
Jun 9, 2025
Merged

Support partial certificate chain authentication#538
michalvasko merged 5 commits intoCESNET:develfrom
Roytak:devel

Conversation

@Roytak
Copy link
Copy Markdown
Collaborator

@Roytak Roytak commented Jun 9, 2025

This PR adds support for the following scenarios:
server <- intermediateCA <- rootCA & client <- intermediateCA <- rootCA

With this PR, the server gets authenticated by the client even if only intermediateCA or rootCA are configured. Works the same way for the server.

This is not supported by MbedTLS for now.

Fixes CESNET/netopeer2#1735

Roytak added 5 commits June 9, 2025 10:25
@Roytak
session openssl BUGFIX misleading error output
eefc996 
Fixes the output of the following:
"[ERR]: Client certificate error (self-signed certificate in certificate
chain)." even on successful authentication.
@Roytak
test tls UPDATE add no ca/ee tests
bb58de8
@Roytak
session openssl BUGFIX enable auto chain building
6f9fa81
@Roytak
session openssl UPDATE enable partial chains
3e39444 
With partial chains enabled the peer can be authenticated even if e.g.
there is a chain client <- intermediateCA <- rootCA and only rootCA is
configured on the server.

Fixes CESNET/netopeer2#1735
@Roytak
test tls UPDATE add intermediate CA tests & certs
c32e911
@michalvasko michalvasko merged commit d200a06 into CESNET:devel Jun 9, 2025
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@michalvasko michalvasko michalvasko approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Roytak @michalvasko