Hi,

I would like to have my understanding of the following issue confirmed:

Given a two-level CA where the different generations of Root cross-sign each 
other, the verification of an end-entity certificate fails with OpenSSL 1.1.1 - 
"path length constraint exceeded".  With OpenSSL 1.0.2 the same verify succeeds.

All Root CA certificates have Basic Constraints CA:TRUE, pathlen:1.  The Sub CA 
certificate has pathlen:0.

A) Issuer: CN=Root CA, serialNumber=1
   Subject: CN=Root CA, serialNumber=1

B) Issuer: CN=Root CA, serialNumber=2
   Subject: CN=Root CA, serialNumber=2

C) Issuer: CN=Root CA, serialNumber=1
   Subject: CN=Root CA, serialNumber=2

D) Issuer: CN=Root CA, serialNumber=2
   Subject: CN=Sub CA, serialNumber=2

E) Issuer: CN=Sub CA, serialNumber=2
   Subject: Some end entity

With a CAfile containing D, C, B, A in that order the verify of E fails.  If I 
remove the cross certificate C then the verify succeeds.

I believe OpenSSL 1.1.1 is building a chain of depth 3 (D - C - A) and so 
pathlen:1 of A is violated.  Without the cross certificate the chain is only 
depth 2 (D - B).

Is my understanding of the reason for this failure correct?
Why is OpenSSL 1.0.2 verifying successfully?  Does it not check the path length 
constraint or is it actually picking the depth 2 chain instead of the depth 3?

Regards,
Andrew.
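
The five-certificate setup described above, rebuilt with openssl(1) as an added example (not part of the original post): it creates A-E with the stated constraints and verifies E against three stores, so the chain that is actually built becomes visible. Key sizes, file names, extension files and the certificate serials are constructed here; only the subject names and pathlen values come from the post.

```shell
#!/bin/sh
# Added example: rebuild A-E from the post and verify E against three stores.
# Assumes openssl is in PATH; keys, file names and extension files are constructed here.
set -eu
WORK=$(mktemp -d) && cd "$WORK"
printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf
printf 'basicConstraints=critical,CA:TRUE,pathlen:1\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
printf 'basicConstraints=CA:FALSE\n' > ee.ext
for k in root1 root2 sub ee; do openssl genrsa -out "$k.key" 2048 2>/dev/null; done

csr()      { openssl req -new -config req.cnf -key "$1.key" -subj "$2" -out "$1.csr"; }
selfsign() { openssl x509 -req -in "$1.csr" -signkey "$1.key" -set_serial "$2" -days 365 -extfile root.ext -out "$3" 2>/dev/null; }
issue()    { openssl x509 -req -in "$1.csr" -CA "$2" -CAkey "$3.key" -set_serial "$4" -days 365 -extfile "$5" -out "$6" 2>/dev/null; }

csr root1 "/CN=Root CA/serialNumber=1"
csr root2 "/CN=Root CA/serialNumber=2"
csr sub   "/CN=Sub CA/serialNumber=2"
csr ee    "/CN=Some end entity"
selfsign root1 1 A.pem                    # A: generation 1 root, self-signed, pathlen:1
selfsign root2 2 B.pem                    # B: generation 2 root, self-signed, pathlen:1
issue root2 A.pem root1 3 root.ext C.pem  # C: generation 2 root cross-signed by generation 1
issue sub   B.pem root2 4 sub.ext  D.pem  # D: Sub CA (pathlen:0) issued by generation 2 root
issue ee    D.pem sub   5 ee.ext   E.pem  # E: end entity issued by the Sub CA

# verify_ee CAFILE [UNTRUSTED]: prints the chain OpenSSL built; succeeds only on "E.pem: OK".
verify_ee() {
  if [ $# -gt 1 ]; then out=$(openssl verify -show_chain -CAfile "$1" -untrusted "$2" E.pem 2>&1) || true
  else out=$(openssl verify -show_chain -CAfile "$1" E.pem 2>&1) || true; fi
  printf '%s\n' "$out"
  case "$out" in *"E.pem: OK"*) return 0 ;; *) return 1 ;; esac
}

cat D.pem B.pem > store_no_cross.pem         # only the depth-2 chain E-D-B can be built
cat D.pem C.pem > untrusted.pem              # with A as the only anchor, only E-D-C-A can be built
cat D.pem C.pem B.pem A.pem > store_all.pem  # the post's CAfile: both chains are candidates

echo "== depth 2, cross certificate absent (succeeds)"; verify_ee store_no_cross.pem
echo "== depth 3 forced via -untrusted (fails: A's pathlen:1 exceeded)"; verify_ee A.pem untrusted.pem || true
echo "== the post's store; compare the chain shown across OpenSSL versions"; verify_ee store_all.pem || true
```

Splitting the store into trust anchor and `-untrusted` intermediates pins down which chain is checked; the third run shows, via `-show_chain`, which issuer a given OpenSSL build selects for D.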
