This repository has been archived by the owner on Sep 29, 2024. It is now read-only.

TLS fails on CA verification with e.g. Let's Encrypt certificates #232

Closed
keeshux opened this issue Nov 24, 2021 · 4 comments · Fixed by #233 or #235
Labels: bug (Something isn't working), help wanted (Extra attention is needed), regression (Used to work but doesn't anymore)
Milestone: 4.0.2

Comments

keeshux commented Nov 24, 2021

Logic doesn’t seem 100% equivalent in #213. Some servers (Synology, pfSense) are failing on CA verification with TunnelKit error 201.

@keeshux keeshux added bug Something isn't working help wanted Extra attention is needed regression Used to work but doesn't anymore labels Nov 24, 2021
@keeshux keeshux added this to the 4.0.2 milestone Nov 24, 2021
@keeshux keeshux self-assigned this Nov 24, 2021
@keeshux keeshux linked a pull request Nov 24, 2021 that will close this issue
@keeshux keeshux reopened this Nov 25, 2021
keeshux commented Nov 25, 2021

This was incorrectly closed as it's not related to OpenSSL/BoringSSL.

keeshux commented Nov 25, 2021

TLS peer verification failure is due to X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT. The manpage reads:

X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate

The issuer certificate of a locally looked up certificate could not be found. This normally means the list of trusted certificates is not complete. To allow any certificate (not only a self-signed one) in the trust store to terminate the chain the X509_V_FLAG_PARTIAL_CHAIN flag may be set.

It turns out that a user in particular was using a Let's Encrypt certificate, which fits exactly what's thoroughly described in this comment:

openssl/openssl#7871 (comment)

In fact, setting the flag resolves the issue:

Without X509_V_FLAG_PARTIAL_CHAIN and using lets-encypt-r3.pem, the connection would fail because Let's Encrypt R3 is an intermediate CA. It used to be signed by the IdentTrust root, but now it is signed by the ISRG root.

keeshux commented Nov 25, 2021

The user's <ca> has both the CA and the issuer in the same file. SSL_CTX_load_verify_locations works properly with that, perhaps this way OpenSSL can re-read the .pem multiple times with different purposes (CA and issuer).

keeshux commented Nov 25, 2021

More on this here:

The X509_V_FLAG_PARTIAL_CHAIN flag causes non-self-signed certificates in the trust store to be treated as trust anchors, in the same way as self-signed root CA certificates. This makes it possible to trust self-issued certificates as well as certificates issued by an intermediate CA without having to trust their ancestor root CA. With OpenSSL 1.1.0 and later and X509_V_FLAG_PARTIAL_CHAIN set, chain construction stops as soon as the first certificate contained in the trust store is added to the chain, whether that certificate is a self-signed "root" certificate or a not self-signed "intermediate" or self-issued certificate. Thus, when an intermediate certificate is found in the trust store, the verified chain passed to callbacks may be shorter than it otherwise would be without the X509_V_FLAG_PARTIAL_CHAIN flag.
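The two observations above (an intermediate-only trust store fails unless X509_V_FLAG_PARTIAL_CHAIN is set, while a bundle holding intermediate plus root works without it) can be reproduced with the openssl CLI, whose -partial_chain option sets that same flag. This is an added example, not TunnelKit or OpenSSL project code; it assumes an openssl binary (1.1.0 or later) on PATH and generates a throwaway three-tier chain itself, with names like "Demo Intermediate" and vpn.example.test chosen for the demo.

```shell
#!/bin/sh
# Constructed demo: root -> intermediate -> leaf, then three verification runs.
set -u
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

make_chain() {
    # Self-signed root; openssl req -x509 marks it CA:TRUE by default
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1 || return 1
    # Intermediate CA signed by the root (stands in for Let's Encrypt R3)
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/int.pem" >/dev/null 2>&1 || return 1
    # Server (leaf) certificate signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -out "$WORK/leaf.pem" >/dev/null 2>&1 || return 1
    # <ca> holding only the intermediate, like the failing user's profile
    cp "$WORK/int.pem" "$WORK/ca-intermediate-only.pem"
    # <ca> holding intermediate plus root, the layout that already worked
    cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/ca-bundle.pem"
}

# Default verification: the intermediate alone cannot terminate the chain
# (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT), so this exits non-zero.
verify_default() {
    openssl verify -CAfile "$WORK/ca-intermediate-only.pem" "$WORK/leaf.pem"
}

# Same trust store, but -partial_chain (X509_V_FLAG_PARTIAL_CHAIN) lets the
# non-self-signed intermediate act as the trust anchor, so this exits zero.
verify_partial_chain() {
    openssl verify -partial_chain -CAfile "$WORK/ca-intermediate-only.pem" "$WORK/leaf.pem"
}

# Without the flag, a store that reaches the self-signed root still verifies.
verify_bundle() {
    openssl verify -CAfile "$WORK/ca-bundle.pem" "$WORK/leaf.pem"
}

make_chain || { echo "chain generation failed" >&2; exit 1; }
verify_default || echo "default verify failed as expected: intermediate-only trust store"
verify_partial_chain
verify_bundle
```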

keeshux added a commit that referenced this issue Nov 25, 2021
Set X509_V_FLAG_PARTIAL_CHAIN

Fixes #232
@keeshux keeshux closed this as completed Nov 25, 2021
@keeshux keeshux linked a pull request Nov 25, 2021 that will close this issue
@keeshux keeshux changed the title TLS fails on CA verification on some servers TLS fails on CA verification with e.g. Let's Encrypt certificates Nov 25, 2021