The X509_V_FLAG_PARTIAL_CHAIN flag causes intermediate certificates in the trust store to be treated as trust anchors, in the same way as the self-signed root CA certificates. This makes it possible to trust certificates issued by an intermediate CA without having to trust its ancestor root CA. With OpenSSL 1.1.0 and later and X509_V_FLAG_PARTIAL_CHAIN set, chain construction stops as soon as the first certificate from the trust store is added to the chain, whether that certificate is a self-signed "root" certificate or a not self-signed intermediate certificate. Thus, when an intermediate certificate is found in the trust store, the verified chain passed to callbacks may be shorter than it otherwise would be without the X509_V_FLAG_PARTIAL_CHAIN flag.
It appears to me that Proton needs to be enhanced to support the flag or even make it the default behaviour, which appears to be fairly normal in other TLS implementations.
In the meantime, I believe you can "mark" an intermediate CA certificate to be treated as a trusted root anchor by OpenSSL. You can do this at the time you create your trust store and do not need access to any of the private keys for the rootCA or intermediateCA.
It may be possible to just substitute this "marked" certificate where you would otherwise insert an externally provided CA.
If I use the generated intermedca-certificate.pem as the CA file to verify a server using Proton, I get the expected failure.
If I use the "marked" version, intermedca_trust_anchor.pem, it succeeds.
I have not tested further. Presumably you would also have to add "-addtrust clientAuth" if using the CA for mutual TLS.
Attachment: make_ica.txt
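The steps the comment describes, as an added runnable demo that is neither the attached make_ica.txt nor Proton code: it builds a constructed root, intermediate and leaf with the openssl CLI, then compares verifying the leaf against the bare intermediate, against it with -partial_chain (X509_V_FLAG_PARTIAL_CHAIN), and against the intermediate marked with -addtrust serverAuth. It assumes an openssl 1.1.1 or later binary on PATH; all file and subject names are constructed.

```shell
#!/bin/sh
# Added demo (not Proton project code): build root -> intermediate -> leaf,
# then verify the leaf against only the intermediate in three ways. Assumes
# an openssl 1.1.1+ binary on PATH; all file and subject names are constructed.
set -e
# Create the demo PKI in a fresh temp directory, exported as PKI_DIR.
make_demo_pki() {
  PKI_DIR=$(mktemp -d)
  (
    cd "$PKI_DIR"
    printf 'basicConstraints=critical,CA:TRUE\n' > ca_ext.cnf
    # Self-signed root CA; deliberately never handed to the verifier.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
      -subj "/CN=Demo Root CA" -days 30 2>/dev/null
    # Intermediate CA issued by the root.
    openssl req -new -newkey rsa:2048 -nodes -keyout ica.key -out ica.csr \
      -subj "/CN=Demo Intermediate CA" 2>/dev/null
    openssl x509 -req -in ica.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 30 -extfile ca_ext.cnf -out intermedca-certificate.pem 2>/dev/null
    # Leaf (server) certificate issued by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
      -subj "/CN=demo.example" 2>/dev/null
    openssl x509 -req -in leaf.csr -CA intermedca-certificate.pem -CAkey ica.key \
      -CAcreateserial -days 30 -out leaf.pem 2>/dev/null
    # "Mark" the intermediate as an explicitly trusted anchor for TLS server
    # auth: no private key needed; the output is a TRUSTED CERTIFICATE PEM block.
    openssl x509 -in intermedca-certificate.pem -addtrust serverAuth \
      -out intermedca_trust_anchor.pem 2>/dev/null
  )
}
# verify_leaf CAFILE [openssl verify options...]: prints OK or FAIL.
verify_leaf() {
  cafile=$1; shift
  if openssl verify "$@" -CAfile "$cafile" "$PKI_DIR/leaf.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

make_demo_pki
# 1. Plain intermediate as the only CA: no trust anchor is reachable -> FAIL
echo "unmarked:             $(verify_leaf "$PKI_DIR/intermedca-certificate.pem")"
# 2. Same file with X509_V_FLAG_PARTIAL_CHAIN set (-partial_chain) -> OK
echo "with -partial_chain:  $(verify_leaf "$PKI_DIR/intermedca-certificate.pem" -partial_chain)"
# 3. Marked anchor, no partial-chain flag. The serverAuth trust setting is
#    matched against the verification purpose, given here as a TLS client would -> OK
echo "marked, sslserver:    $(verify_leaf "$PKI_DIR/intermedca_trust_anchor.pem" -purpose sslserver)"
```

The trust setting added by -addtrust is matched against the verification purpose, so the marked file is checked with -purpose sslserver, which is what a TLS client verifying a server does; for mutual TLS the comment's "-addtrust clientAuth" would be needed as well.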
The quoted text above is from https://docs.openssl.org/1.1.1/man3/X509_VERIFY_PARAM_set_flags/#verification-flags