ssl, public_key: Add new option partial_chain

Check that the certificate chain ends with a trusted ROOT CA e.i. a
self-signed certificate, but provide an option partial_chain to
enable the application to define an intermediat CA as trusted.

TLS RFC says:

"unknown_ca
      A valid certificate chain or partial chain was received, but the
      certificate was not accepted because the CA certificate could not
      be located or couldn't be matched with a known, trusted CA.  This
      message is always fatal."

and also states:

"certificate_list
      This is a sequence (chain) of certificates.  The sender's
      certificate MUST come first in the list.  Each following
      certificate MUST directly certify the one preceding it.  Because
      certificate validation requires that root keys be distributed
      independently, the self-signed certificate that specifies the root
      certificate authority MAY be omitted from the chain, under the
      assumption that the remote end must already possess it in order to
      validate it in any case."

X509 RFC says:
   "The selection of a trust anchor is a matter of policy: it could be
   the top CA in a hierarchical PKI, the CA that issued the verifier's
   own certificate(s), or any other CA in a network PKI. The path
   validation procedure is the same regardless of the choice of trust
   anchor.  In addition, different applications may rely on different
   trust anchors, or may accept paths that begin with any of a set of
   trust anchors."

9 files changed, 335 insertions, 79 deletions

diff --git a/lib/public_key/doc/src/public_key.xml b/lib/public_key/doc/src/public_key.xml
index 88b1a9248e..c1ea33f735 100644
--- a/lib/public_key/doc/src/public_key.xml
+++ b/lib/public_key/doc/src/public_key.xml
@@ -431,10 +431,12 @@
     <name>pkix_path_validation(TrustedCert, CertChain, Options) -> {ok, {PublicKeyInfo, PolicyTree}} | {error, {bad_cert, Reason}} </name>
     <fsummary> Performs a basic path validation according to RFC 5280.</fsummary>
      <type>
-       <v> TrustedCert =  #'OTPCertificate'{} | der_encode() | unknown_ca | selfsigned_peer  </v>
-       <d>Normally a trusted certificate but it can also be one of the path validation
-       errors <c>unknown_ca </c> or <c>selfsigned_peer </c> that can be discovered while
-       constructing the input to this function and that should be run through the <c>verify_fun</c>.</d>
+       <v> TrustedCert =  #'OTPCertificate'{} | der_encode() | atom()  </v>
+       <d>Normally a trusted certificate but it can also be a path validation
+       error that can be discovered while
+       constructing the input to this function and that should be run through the <c>verify_fun</c>.
+       For example <c>unknown_ca </c> or <c>selfsigned_peer </c>
+       </d>
        <v> CertChain = [der_encode()]</v>
        <d>A list of DER encoded certificates in trust order ending with the peer certificate.</d>
        <v> Options = proplists:proplist()</v>
@@ -442,8 +444,8 @@
        rsa_public_key() | integer(), 'NULL' | 'Dss-Parms'{}}</v>
        <v> PolicyTree = term() </v>
        <d>At the moment this will always be an empty list as Policies are not currently supported</d>
-       <v> Reason = cert_expired | invalid_issuer | invalid_signature | unknown_ca |
-       selfsigned_peer | name_not_permitted | missing_basic_constraint | invalid_key_usage | crl_reason()
+       <v> Reason = cert_expired | invalid_issuer | invalid_signature | name_not_permitted |
+       missing_basic_constraint | invalid_key_usage | {revoked, crl_reason()} | atom()
        </v>
      </type>
      <desc>
@@ -464,7 +466,7 @@
 
 	  <code>
 fun(OtpCert :: #'OTPCertificate'{},
-    Event :: {bad_cert, Reason :: atom()} |
+    Event :: {bad_cert, Reason :: atom() | {revoked, atom()}} |
              {extension, #'Extension'{}},
     InitialUserState :: term()) ->
 	{valid, UserState :: term()} |
@@ -493,6 +495,35 @@ fun(OtpCert :: #'OTPCertificate'{},
 	  on.
 	</item>
       </taglist>
+
+      <p> Possible reasons for a bad certificate are: </p>
+      <taglist>
+	<tag>cert_expired</tag>
+	<item>The certificate is no longer valid as its expiration date has passed.</item>
+
+	<tag>invalid_issuer</tag>
+	<item>The certificate issuer name does not match the name of the issuer certificate in the chain.</item>
+
+	<tag>invalid_signature</tag>
+	<item>The certificate was not signed by its issuer certificate in the chain.</item>
+
+	<tag>name_not_permitted</tag>
+	<item>Invalid Subject Alternative Name extension.</item>
+
+	<tag>missing_basic_constraint</tag>
+	<item>Certificate, required to have the basic constraints extension, does not have
+	a basic constraints extension.</item>
+
+	<tag>invalid_key_usage</tag>
+	<item>Certificate key is used in an invalid way according to the key usage extension.</item>
+
+	<tag>{revoked, crl_reason()}</tag>
+	<item>Certificate has been revoked.</item>
+
+	<tag>atom()</tag>
+	<item>Application specific error reason that should be checked by the verify_fun</item>
+      </taglist>
+
     </desc>
    </func>
 
diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index ffee4bd1af..f14d0b8bb7 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -226,7 +226,7 @@
 	<p>The verification fun should be defined as:</p>
 
 	<code>
-fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom()} |
+fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom() | {revoked, atom()}} |
 	     {extension, #'Extension'{}}, InitialUserState :: term()) ->
 	{valid, UserState :: term()} | {valid_peer, UserState :: term()} |
 	{fail, Reason :: term()} | {unknown, UserState :: term()}.
@@ -252,7 +252,7 @@ fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom()} |
 	always returns {valid, UserState}, the TLS/SSL handshake will
 	not be terminated with respect to verification failures and
 	the connection will be established. If called with an
-	extension unknown to the user application the return value
+	extension unknown to the user application, the return value
 	{unknown, UserState} should be used.</p>
 
 	<p>The default verify_fun option in verify_peer mode:</p>
@@ -283,9 +283,29 @@ fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom()} |
  end, []}
       </code>
 
-<p>Possible path validation errors: </p>
+      <p>Possible path validation errors are given on the form {bad_cert, Reason} where Reason is:</p>
 
-<p> {bad_cert, cert_expired}, {bad_cert, invalid_issuer}, {bad_cert, invalid_signature}, {bad_cert, unknown_ca},{bad_cert, selfsigned_peer}, {bad_cert, name_not_permitted}, {bad_cert, missing_basic_constraint}, {bad_cert, invalid_key_usage}</p>
+      <taglist>
+	<tag>unknown_ca</tag>
+	<item>No trusted CA was found in the trusted store. The trusted CA is
+	normally a so called ROOT CA that is a self-signed cert. Trust may
+	be claimed for an intermediat CA (trusted anchor does not have to be self signed
+	according to X-509) by using the option <c>partial_chain</c></item>
+
+	<tag>selfsigned_peer</tag>
+	<item>The chain consisted only of one self-signed certificate.</item>
+
+	<tag>PKIX X-509-path validation error</tag>
+	<item> Possible such reasons see <seealso
+	marker="public_key#pkix_path_validation-3"> public_key:pkix_path_validation/3 </seealso></item>
+      </taglist>
+
+      </item>
+
+      <tag>{partial_chain, fun(Chain::[DerCert]) -> {trusted_ca, DerCert} | unknown_ca </tag>
+      <item>
+	Claim an intermediat CA in the chain as trusted. TLS will then perform the public_key:pkix_path_validation/3
+	with the selected CA as trusted anchor and the rest of the chain.
       </item>
 
       <tag>{versions, [protocol()]}</tag>
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index d741fa63fb..b4bea25942 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -569,21 +569,24 @@ handle_options(Opts0, #ssl_options{protocol = Protocol, cacerts = CaCerts0,
 				   cacertfile = CaCertFile0} = InheritedSslOpts) ->
     RecordCB = record_cb(Protocol),
     CaCerts = handle_option(cacerts, Opts0, CaCerts0),
-    {Verify, FailIfNoPeerCert, CaCertDefault, VerifyFun} = handle_verify_options(Opts0, CaCerts),
+    {Verify, FailIfNoPeerCert, CaCertDefault, VerifyFun, PartialChainHanlder} = handle_verify_options(Opts0, CaCerts),
     CaCertFile = case proplists:get_value(cacertfile, Opts0, CaCertFile0) of
 		     undefined ->
 			 CaCertDefault;
 		     CAFile ->
 			 CAFile
 		 end,
+
     NewVerifyOpts = InheritedSslOpts#ssl_options{cacerts = CaCerts,
 						 cacertfile = CaCertFile,
 						 verify = Verify,
 						 verify_fun = VerifyFun,
+						 partial_chain = PartialChainHanlder,
 						 fail_if_no_peer_cert = FailIfNoPeerCert},
     SslOpts1 = lists:foldl(fun(Key, PropList) ->
 				   proplists:delete(Key, PropList)
-			   end, Opts0, [cacerts, cacertfile, verify, verify_fun, fail_if_no_peer_cert]),
+			   end, Opts0, [cacerts, cacertfile, verify, verify_fun, partial_chain,
+					fail_if_no_peer_cert]),
     case handle_option(versions, SslOpts1, []) of
 	[] ->
 	    new_ssl_options(SslOpts1, NewVerifyOpts, RecordCB);
@@ -603,10 +606,10 @@ handle_options(Opts0) ->
     ReuseSessionFun = fun(_, _, _, _) -> true end,
     CaCerts = handle_option(cacerts, Opts, undefined),
 
-    {Verify, FailIfNoPeerCert, CaCertDefault, VerifyFun} = handle_verify_options(Opts, CaCerts),
+    {Verify, FailIfNoPeerCert, CaCertDefault, VerifyFun, PartialChainHanlder} =
+	handle_verify_options(Opts, CaCerts),
     
     CertFile = handle_option(certfile, Opts, <<>>),
-    
     RecordCb = record_cb(Opts),
     
     Versions = case handle_option(versions, Opts, []) of
@@ -620,6 +623,7 @@ handle_options(Opts0) ->
 		    versions   = Versions,
 		    verify     = validate_option(verify, Verify),
 		    verify_fun = VerifyFun,
+		    partial_chain = PartialChainHanlder,
 		    fail_if_no_peer_cert = FailIfNoPeerCert,
 		    verify_client_once =  handle_option(verify_client_once, Opts, false),
 		    depth      = handle_option(depth,  Opts, 1),
@@ -656,7 +660,7 @@ handle_options(Opts0) ->
 		   },
 
     CbInfo  = proplists:get_value(cb_info, Opts, {gen_tcp, tcp, tcp_closed, tcp_error}),
-    SslOptions = [protocol, versions, verify, verify_fun,
+    SslOptions = [protocol, versions, verify, verify_fun, partial_chain,
 		  fail_if_no_peer_cert, verify_client_once,
 		  depth, cert, certfile, key, keyfile,
 		  password, cacerts, cacertfile, dh, dhfile,
@@ -708,6 +712,8 @@ validate_option(verify_fun, Fun) when is_function(Fun) ->
      end, Fun};
 validate_option(verify_fun, {Fun, _} = Value) when is_function(Fun) ->
    Value;
+validate_option(partial_chain, Value) when is_function(Value) ->
+    Value;
 validate_option(fail_if_no_peer_cert, Value) when is_boolean(Value) ->
     Value;
 validate_option(verify_client_once, Value) when is_boolean(Value) ->
@@ -1147,25 +1153,32 @@ handle_verify_options(Opts, CaCerts) ->
 
     UserFailIfNoPeerCert = handle_option(fail_if_no_peer_cert, Opts, false),
     UserVerifyFun = handle_option(verify_fun, Opts, undefined),
-
     
+    PartialChainHanlder = handle_option(partial_chain, Opts,
+					fun(_) -> unknown_ca end),
+
     %% Handle 0, 1, 2 for backwards compatibility
     case proplists:get_value(verify, Opts, verify_none) of
 	0 ->
 	    {verify_none, false,
-		 ca_cert_default(verify_none, VerifyNoneFun, CaCerts), VerifyNoneFun};
+		 ca_cert_default(verify_none, VerifyNoneFun, CaCerts),
+	     VerifyNoneFun, PartialChainHanlder};
 	1  ->
 	    {verify_peer, false,
-	     ca_cert_default(verify_peer, UserVerifyFun, CaCerts), UserVerifyFun};
+	     ca_cert_default(verify_peer, UserVerifyFun, CaCerts),
+	     UserVerifyFun, PartialChainHanlder};
 	2 ->
 	    {verify_peer, true,
-	     ca_cert_default(verify_peer, UserVerifyFun, CaCerts), UserVerifyFun};
-	    verify_none ->
+	     ca_cert_default(verify_peer, UserVerifyFun, CaCerts),
+	     UserVerifyFun, PartialChainHanlder};
+	verify_none ->
 	    {verify_none, false,
-	     ca_cert_default(verify_none, VerifyNoneFun, CaCerts), VerifyNoneFun};
+	     ca_cert_default(verify_none, VerifyNoneFun, CaCerts),
+	     VerifyNoneFun, PartialChainHanlder};
 	verify_peer ->
 	    {verify_peer, UserFailIfNoPeerCert,
-	     ca_cert_default(verify_peer, UserVerifyFun, CaCerts), UserVerifyFun};
+	     ca_cert_default(verify_peer, UserVerifyFun, CaCerts),
+	     UserVerifyFun, PartialChainHanlder};
 	Value ->
 	    throw({error, {options, {verify, Value}}})
     end.
diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl
index 53366b060c..9c0ed181fe 100644
--- a/lib/ssl/src/ssl_certificate.erl
+++ b/lib/ssl/src/ssl_certificate.erl
@@ -30,7 +30,7 @@
 -include("ssl_internal.hrl").
 -include_lib("public_key/include/public_key.hrl"). 
 
--export([trusted_cert_and_path/3,
+-export([trusted_cert_and_path/4,
 	 certificate_chain/3,
 	 file_to_certificats/2,
 	 validate_extension/3,
@@ -46,14 +46,14 @@
 %%====================================================================
 
 %%--------------------------------------------------------------------
--spec trusted_cert_and_path([der_cert()], db_handle(), certdb_ref()) ->
+-spec trusted_cert_and_path([der_cert()], db_handle(), certdb_ref(), fun()) ->
 				   {der_cert() | unknown_ca, [der_cert()]}.
 %%
 %% Description: Extracts the root cert (if not presents tries to 
 %% look it up, if not found {bad_cert, unknown_ca} will be added verification
 %% errors. Returns {RootCert, Path, VerifyErrors}
 %%--------------------------------------------------------------------
-trusted_cert_and_path(CertChain, CertDbHandle, CertDbRef) ->
+trusted_cert_and_path(CertChain, CertDbHandle, CertDbRef, PartialChainHandler) ->
     Path = [Cert | _] = lists:reverse(CertChain),
     OtpCert = public_key:pkix_decode_cert(Cert, otp),
     SignedAndIssuerID =
@@ -62,32 +62,23 @@ trusted_cert_and_path(CertChain, CertDbHandle, CertDbRef) ->
 		{ok, IssuerId} = public_key:pkix_issuer_id(OtpCert, self),
 		{self, IssuerId};
 	    false ->
-		case public_key:pkix_issuer_id(OtpCert, other) of
-		    {ok, IssuerId} ->
-			{other, IssuerId};
-		    {error, issuer_not_found} ->
-			case find_issuer(OtpCert, CertDbHandle) of
-			    {ok, IssuerId} ->
-				{other, IssuerId};
-			    Other ->
-				Other
-			end
-		end
+		other_issuer(OtpCert, CertDbHandle)
 	end,
     
     case SignedAndIssuerID of
 	{error, issuer_not_found} ->
 	    %% The root CA was not sent and can not be found.
-	    {unknown_ca, Path};
+	    handle_incomplete_chain(Path, PartialChainHandler);
 	{self, _} when length(Path) == 1 ->
 	    {selfsigned_peer, Path};
 	{_ ,{SerialNr, Issuer}} ->
 	    case ssl_manager:lookup_trusted_cert(CertDbHandle, CertDbRef, SerialNr, Issuer) of
-		{ok, {BinCert,_}} ->
-		    {BinCert, Path};
+		{ok, Trusted} ->
+		    %% Trusted must be selfsigned or it is an incomplete chain
+		    handle_path(Trusted, Path, PartialChainHandler);
 		_ ->
 		    %% Root CA could not be verified
-		    {unknown_ca, Path}
+		    handle_incomplete_chain(Path, PartialChainHandler)
 	    end
     end.
 
@@ -222,28 +213,27 @@ certificate_chain(CertDbHandle, CertsDbRef, Chain, SerialNr, Issuer, _SelfSigned
 	_ ->
 	    %% The trusted cert may be obmitted from the chain as the
 	    %% counter part needs to have it anyway to be able to
-	    %% verify it.  This will be the normal case for servers
-	    %% that does not verify the clients and hence have not
-	    %% specified the cacertfile.
+	    %% verify it.
 	    {ok, lists:reverse(Chain)}		      
     end.
 
 find_issuer(OtpCert, CertDbHandle) ->
-    IsIssuerFun = fun({_Key, {_Der, #'OTPCertificate'{} = ErlCertCandidate}}, Acc) ->
-			  case public_key:pkix_is_issuer(OtpCert, ErlCertCandidate) of
-			      true ->
-				  case verify_cert_signer(OtpCert, ErlCertCandidate#'OTPCertificate'.tbsCertificate) of
-				      true ->
-					  throw(public_key:pkix_issuer_id(ErlCertCandidate, self));
-				      false ->
-					  Acc
-				  end;
-			      false ->
-				  Acc
-			  end;
-		     (_, Acc) ->
-			  Acc
-		  end,
+    IsIssuerFun =
+	fun({_Key, {_Der, #'OTPCertificate'{} = ErlCertCandidate}}, Acc) ->
+		case public_key:pkix_is_issuer(OtpCert, ErlCertCandidate) of
+		    true ->
+			case verify_cert_signer(OtpCert, ErlCertCandidate#'OTPCertificate'.tbsCertificate) of
+			    true ->
+				throw(public_key:pkix_issuer_id(ErlCertCandidate, self));
+			    false ->
+				Acc
+			end;
+		    false ->
+			Acc
+		end;
+	   (_, Acc) ->
+		Acc
+	end,
 
     try ssl_pkix_db:foldl(IsIssuerFun, issuer_not_found, CertDbHandle) of
 	issuer_not_found ->
@@ -275,3 +265,41 @@ public_key(#'OTPSubjectPublicKeyInfo'{algorithm = #'PublicKeyAlgorithm'{algorith
 									parameters = {params, Params}},
 				      subjectPublicKey = Key}) ->
     {Key, Params}.
+
+other_issuer(OtpCert, CertDbHandle) ->
+    case public_key:pkix_issuer_id(OtpCert, other) of
+	{ok, IssuerId} ->
+	    {other, IssuerId};
+	{error, issuer_not_found} ->
+	    case find_issuer(OtpCert, CertDbHandle) of
+		{ok, IssuerId} ->
+		    {other, IssuerId};
+		Other ->
+		    Other
+	    end
+    end.
+
+handle_path({BinCert, OTPCert}, Path, PartialChainHandler) ->
+    case public_key:pkix_is_self_signed(OTPCert) of
+	true ->
+	    {BinCert, Path};
+	false ->
+	   handle_incomplete_chain(Path, PartialChainHandler)
+    end.
+
+handle_incomplete_chain(Chain, Fun) ->
+    case catch Fun(Chain) of
+	{trusted_ca, DerCert} ->
+	    new_trusteded_chain(DerCert, Chain);
+	unknown_ca = Error ->
+	    {Error, Chain};
+	_  ->
+	    {unknown_ca, Chain}
+    end.
+
+new_trusteded_chain(DerCert, [DerCert | Chain]) ->
+    {DerCert, Chain};
+new_trusteded_chain(DerCert, [_ | Rest]) ->
+    new_trusteded_chain(DerCert, Rest);
+new_trusteded_chain(_, []) ->
+    unknown_ca.
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index 4ac4e81d9e..8ff9913cee 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -414,7 +414,9 @@ certify(#certificate{} = Cert,
 	       ssl_options = Opts} = State, Connection) ->
     case ssl_handshake:certify(Cert, CertDbHandle, CertDbRef, Opts#ssl_options.depth,
 			       Opts#ssl_options.verify,
-			       Opts#ssl_options.verify_fun, Role) of
+			       Opts#ssl_options.verify_fun,
+			       Opts#ssl_options.partial_chain,
+			       Role) of
         {PeerCert, PublicKeyInfo} ->
 	    handle_peer_cert(Role, PeerCert, PublicKeyInfo,
 			     State#state{client_certificate_requested = false}, Connection);
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 94ffd180c5..22673e46e2 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -49,7 +49,7 @@
 	 finished/5,  next_protocol/1]).
 
 %% Handle handshake messages
--export([certify/7, client_certificate_verify/6, certificate_verify/6, verify_signature/5,
+-export([certify/8, client_certificate_verify/6, certificate_verify/6, verify_signature/5,
 	 master_secret/5, server_key_exchange_hash/2, verify_connection/6,
 	 init_handshake_history/0, update_handshake_history/2, verify_server_key/5
 	]).
@@ -383,13 +383,13 @@ verify_signature(_Version, Hash, {HashAlgo, ecdsa}, Signature,
 
 %%--------------------------------------------------------------------
 -spec certify(#certificate{}, db_handle(), certdb_ref(), integer() | nolimit,
-	      verify_peer | verify_none, {fun(), term},
+	      verify_peer | verify_none, {fun(), term}, fun(),
 	      client | server) ->  {der_cert(), public_key_info()} | #alert{}.
 %%
 %% Description: Handles a certificate handshake message
 %%--------------------------------------------------------------------
 certify(#certificate{asn1_certificates = ASN1Certs}, CertDbHandle, CertDbRef,
-	MaxPathLen, _Verify, VerifyFunAndState, Role) ->
+	MaxPathLen, _Verify, VerifyFunAndState, PartialChain, Role) ->
     [PeerCert | _] = ASN1Certs,
 
     ValidationFunAndState =
@@ -421,7 +421,7 @@ certify(#certificate{asn1_certificates = ASN1Certs}, CertDbHandle, CertDbRef,
 
     try
 	{TrustedErlCert, CertPath}  =
-	    ssl_certificate:trusted_cert_and_path(ASN1Certs, CertDbHandle, CertDbRef),
+	    ssl_certificate:trusted_cert_and_path(ASN1Certs, CertDbHandle, CertDbRef, PartialChain),
 	case public_key:pkix_path_validation(TrustedErlCert,
 					      CertPath,
 					     [{max_path_length,
diff --git a/lib/ssl/src/ssl_internal.hrl b/lib/ssl/src/ssl_internal.hrl
index fd0d87bd5f..85724de4bd 100644
--- a/lib/ssl/src/ssl_internal.hrl
+++ b/lib/ssl/src/ssl_internal.hrl
@@ -74,6 +74,7 @@
 	  versions    :: [ssl_record:ssl_version()], %% ssl_record:atom_version() in API
 	  verify      :: verify_none | verify_peer,
 	  verify_fun,  %%:: fun(CertVerifyErrors::term()) -> boolean(),
+	  partial_chain       :: fun(),
 	  fail_if_no_peer_cert ::  boolean(),
 	  verify_client_once   ::  boolean(),
 	  %% fun(Extensions, State, Verify, AccError) ->  {Extensions, State, AccError}
diff --git a/lib/ssl/test/ssl_ECC_SUITE.erl b/lib/ssl/test/ssl_ECC_SUITE.erl
index 77e4c80bbe..3566a8a0a5 100644
--- a/lib/ssl/test/ssl_ECC_SUITE.erl
+++ b/lib/ssl/test/ssl_ECC_SUITE.erl
@@ -163,11 +163,11 @@ client_ecdh_server_ecdh(Config) when is_list(Config) ->
     
 client_ecdh_server_rsa(Config)  when is_list(Config) ->
     COpts =  ?config(client_ecdh_rsa_opts, Config),
-    SOpts = ?config(server_verification_opts, Config),
+    SOpts = ?config(server_ecdh_rsa_verify_opts, Config),
     basic_test(COpts, SOpts, Config).
   
 client_rsa_server_ecdh(Config)  when is_list(Config) ->
-    COpts =  ?config(client_verification_opts, Config),
+    COpts =  ?config(client_ecdh_rsa_opts, Config),
     SOpts = ?config(server_ecdh_rsa_verify_opts, Config),
     basic_test(COpts, SOpts, Config).
    
@@ -183,11 +183,11 @@ client_ecdsa_server_ecdsa(Config)  when is_list(Config) ->
 
 client_ecdsa_server_rsa(Config)  when is_list(Config) ->
     COpts =  ?config(client_ecdsa_opts, Config),
-    SOpts = ?config(server_verification_opts, Config),
+    SOpts = ?config(server_ecdsa_verify_opts, Config),
     basic_test(COpts, SOpts, Config).
 
 client_rsa_server_ecdsa(Config)  when is_list(Config) ->
-    COpts =  ?config(client_verification_opts, Config),
+    COpts =  ?config(client_ecdsa_opts, Config),
     SOpts = ?config(server_ecdsa_verify_opts, Config),
     basic_test(COpts, SOpts, Config).
 
diff --git a/lib/ssl/test/ssl_certificate_verify_SUITE.erl b/lib/ssl/test/ssl_certificate_verify_SUITE.erl
index 14047c6e9c..3779b4d9f1 100644
--- a/lib/ssl/test/ssl_certificate_verify_SUITE.erl
+++ b/lib/ssl/test/ssl_certificate_verify_SUITE.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2012-2013. All Rights Reserved.
+%% Copyright Ericsson AB 2012-2014. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -58,6 +58,10 @@ tests() ->
      server_verify_none,
      server_require_peer_cert_ok,
      server_require_peer_cert_fail,
+     server_require_peer_cert_partial_chain,
+     server_require_peer_cert_allow_partial_chain,
+     server_require_peer_cert_do_not_allow_partial_chain,
+     server_require_peer_cert_partial_chain_fun_fail,
      verify_fun_always_run_client,
      verify_fun_always_run_server,
      cert_expired,
@@ -143,8 +147,8 @@ server_verify_none() ->
     [{doc,"Test server option verify_none"}].
 
 server_verify_none(Config) when is_list(Config) ->
-    ClientOpts =  ?config(client_opts, Config),
-    ServerOpts =  ?config(server_opts, Config),
+    ClientOpts =  ?config(client_verification_opts, Config),
+    ServerOpts =  ?config(server_verification_opts, Config),
     Active = ?config(active, Config),
     ReceiveFunction =  ?config(receive_function, Config),
 
@@ -261,6 +265,163 @@ server_require_peer_cert_fail(Config) when is_list(Config) ->
     end.
 
 %%--------------------------------------------------------------------
+
+server_require_peer_cert_partial_chain() ->
+    [{doc, "Client sends an incompleate chain, by default not acceptable."}].
+
+server_require_peer_cert_partial_chain(Config) when is_list(Config) ->
+    ServerOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true}
+		  | ?config(server_verification_opts, Config)],
+    ClientOpts = ?config(client_verification_opts, Config),
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+
+    {ok, ClientCAs} = file:read_file(proplists:get_value(cacertfile, ClientOpts)),
+    [{_,RootCA,_}, {_, _, _}] = public_key:pem_decode(ClientCAs),
+
+
+    Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
+					      {from, self()},
+					      {mfa, {ssl_test_lib, no_result, []}},
+					      {options, [{active, false} | ServerOpts]}]),
+    Port = ssl_test_lib:inet_port(Server),
+    Client = ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port},
+					      {host, Hostname},
+					      {from, self()},
+					      {mfa, {ssl_test_lib, no_result, []}},
+					      {options, [{active, false},
+							 {cacerts, [RootCA]} |
+							 proplists:delete(cacertfile, ClientOpts)]}]),
+    receive
+	{Server, {error, {tls_alert, "unknown ca"}}} ->
+	    receive
+		{Client, {error, {tls_alert, "unknown ca"}}} ->
+		    ok;
+		{Client, {error, closed}} ->
+		    ok
+	    end
+    end.
+%%--------------------------------------------------------------------
+server_require_peer_cert_allow_partial_chain() ->
+    [{doc, "Server trusts intermediat CA and accepts a partial chain. (partial_chain option)"}].
+
+server_require_peer_cert_allow_partial_chain(Config) when is_list(Config) ->
+    ServerOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true}
+		  | ?config(server_verification_opts, Config)],
+    ClientOpts = ?config(client_verification_opts, Config),
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+
+    {ok, ServerCAs} = file:read_file(proplists:get_value(cacertfile, ServerOpts)),
+    [{_,_,_}, {_, IntermidiateCA, _}] = public_key:pem_decode(ServerCAs),
+
+    PartialChain =  fun(CertChain) ->
+			    case lists:member(IntermidiateCA, CertChain) of
+				true ->
+				    {trusted_ca, IntermidiateCA};
+				false ->
+				    unknown_ca
+			    end
+		    end,
+
+    Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+					{from, self()},
+					{mfa, {ssl_test_lib, send_recv_result_active, []}},
+					{options, [{cacerts, [IntermidiateCA]},
+						   {partial_chain, PartialChain} |
+						   proplists:delete(cacertfile, ServerOpts)]}]),
+    Port = ssl_test_lib:inet_port(Server),
+    Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+					{host, Hostname},
+					{from, self()},
+					{mfa, {ssl_test_lib, send_recv_result_active, []}},
+					{options, ClientOpts}]),
+    ssl_test_lib:check_result(Server, ok, Client, ok),
+    ssl_test_lib:close(Server),
+    ssl_test_lib:close(Client).
+
+ %%--------------------------------------------------------------------
+server_require_peer_cert_do_not_allow_partial_chain() ->
+    [{doc, "Server does not accept the chain sent by the client as ROOT CA is unkown, "
+      "and we do not choose to trust the intermediate CA. (partial_chain option)"}].
+
+server_require_peer_cert_do_not_allow_partial_chain(Config) when is_list(Config) ->
+    ServerOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true}
+		  | ?config(server_verification_opts, Config)],
+    ClientOpts = ?config(client_verification_opts, Config),
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+
+    {ok, ServerCAs} = file:read_file(proplists:get_value(cacertfile, ServerOpts)),
+    [{_,_,_}, {_, IntermidiateCA, _}] = public_key:pem_decode(ServerCAs),
+
+    PartialChain =  fun(_CertChain) ->
+			    unknown_ca
+		    end,
+
+    Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
+					       {from, self()},
+					       {mfa, {ssl_test_lib, no_result, []}},
+					      {options, [{cacerts, [IntermidiateCA]},
+							 {partial_chain, PartialChain} |
+							 proplists:delete(cacertfile, ServerOpts)]}]),
+
+    Port = ssl_test_lib:inet_port(Server),
+    Client = ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port},
+					      {host, Hostname},
+					      {from, self()},
+					      {mfa, {ssl_test_lib, no_result, []}},
+					      {options, ClientOpts}]),
+
+    receive
+	 {Server, {error, {tls_alert, "unknown ca"}}} ->
+	    receive
+		{Client, {error, {tls_alert, "unknown ca"}}} ->
+		    ok;
+		{Client, {error, closed}} ->
+		    ok
+	    end
+    end.
+
+ %%--------------------------------------------------------------------
+server_require_peer_cert_partial_chain_fun_fail() ->
+    [{doc, "If parial_chain fun crashes, treat it as if it returned unkown_ca"}].
+
+server_require_peer_cert_partial_chain_fun_fail(Config) when is_list(Config) ->
+    ServerOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true}
+		  | ?config(server_verification_opts, Config)],
+    ClientOpts = ?config(client_verification_opts, Config),
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+
+    {ok, ServerCAs} = file:read_file(proplists:get_value(cacertfile, ServerOpts)),
+    [{_,_,_}, {_, IntermidiateCA, _}] = public_key:pem_decode(ServerCAs),
+
+    PartialChain =  fun(_CertChain) ->
+			   ture = false %% crash on purpose
+		    end,
+
+    Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
+					       {from, self()},
+					       {mfa, {ssl_test_lib, no_result, []}},
+					      {options, [{cacerts, [IntermidiateCA]},
+							 {partial_chain, PartialChain} |
+							 proplists:delete(cacertfile, ServerOpts)]}]),
+
+    Port = ssl_test_lib:inet_port(Server),
+    Client = ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port},
+					      {host, Hostname},
+					      {from, self()},
+					      {mfa, {ssl_test_lib, no_result, []}},
+					      {options, ClientOpts}]),
+
+    receive
+	 {Server, {error, {tls_alert, "unknown ca"}}} ->
+	    receive
+		{Client, {error, {tls_alert, "unknown ca"}}} ->
+		    ok;
+		{Client, {error, closed}} ->
+		    ok
+	    end
+    end.
+
+%%--------------------------------------------------------------------
 verify_fun_always_run_client() ->
     [{doc,"Verify that user verify_fun is always run (for valid and valid_peer not only unknown_extension)"}].
 
@@ -632,7 +793,7 @@ no_authority_key_identifier() ->
 
 no_authority_key_identifier(Config) when is_list(Config) ->
     ClientOpts = ?config(client_verification_opts, Config),
-    ServerOpts = ?config(server_opts, Config),
+    ServerOpts = ?config(server_verification_opts, Config),
     PrivDir = ?config(priv_dir, Config),
 
     KeyFile = filename:join(PrivDir, "otpCA/private/key.pem"),
@@ -804,7 +965,7 @@ unknown_server_ca_fail() ->
     [{doc,"Test that the client fails if the ca is unknown in verify_peer mode"}].
 unknown_server_ca_fail(Config) when is_list(Config) ->
     ClientOpts =  ?config(client_opts, Config),
-    ServerOpts =  ?config(server_opts, Config),
+    ServerOpts =  ?config(server_verification_opts, Config),
     {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
     Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
 					      {from, self()},
@@ -833,11 +994,11 @@ unknown_server_ca_fail(Config) when is_list(Config) ->
 						{verify_fun, FunAndState}
 						| ClientOpts]}]),
     receive
-	{Server, {error, {tls_alert, "unknown ca"}}} ->
+	{Client, {error, {tls_alert, "unknown ca"}}} ->
 	    receive
-		{Client, {error, {tls_alert, "unknown ca"}}} ->
+		{Server, {error, {tls_alert, "unknown ca"}}} ->
 		    ok;
-		{Client, {error, closed}} ->
+		{Server, {error, closed}} ->
 		    ok
 	    end
     end.
@@ -848,7 +1009,7 @@ unknown_server_ca_accept_verify_none() ->
     [{doc,"Test that the client succeds if the ca is unknown in verify_none mode"}].
 unknown_server_ca_accept_verify_none(Config) when is_list(Config) ->
     ClientOpts =  ?config(client_opts, Config),
-    ServerOpts =  ?config(server_opts, Config),
+    ServerOpts =  ?config(server_verification_opts, Config),
     {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
     Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
 					{from, self()},
@@ -873,7 +1034,7 @@ unknown_server_ca_accept_verify_peer() ->
      " with a verify_fun that accepts the unknown ca error"}].
 unknown_server_ca_accept_verify_peer(Config) when is_list(Config) ->
     ClientOpts =  ?config(client_opts, Config),
-    ServerOpts =  ?config(server_opts, Config),
+    ServerOpts =  ?config(server_verification_opts, Config),
     {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
     Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
 					{from, self()},
@@ -912,7 +1073,7 @@ unknown_server_ca_accept_backwardscompatibility() ->
     [{doc,"Test that old style verify_funs will work"}].
 unknown_server_ca_accept_backwardscompatibility(Config) when is_list(Config) ->
     ClientOpts =  ?config(client_opts, Config),
-    ServerOpts =  ?config(server_opts, Config),
+    ServerOpts =  ?config(server_verification_opts, Config),
     {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
     Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
 					{from, self()},