OpenSSL is the way forward and is required for certain features like PKCS11.
OpenSSL is more strict about verifying certificates. The self-signed (root) cert must be trusted, not merely the issuer of the leaf cert.
Critically, OpenZiti network admins must ensure that Ziti's CA bundle contains only root certs from CAs under their control (not third parties like Let's Encrypt, not intermediate issuers), and all server certs must be presented along with any intermediate issuer certs in the trust chain so they can be verified by trusting only the root.
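
Both requirements can be checked with the `openssl` CLI before deploying a bundle. This is an added example, not OpenZiti tooling; the script name and the file names passed to it are assumptions.

```bash
#!/usr/bin/env bash
# Added example: audit a CA bundle and a server's presented chain.
# Hypothetical usage: ./audit-trust.sh ca-bundle.pem server-chain.pem

# Print every cert in the bundle whose issuer differs from its subject
# (an intermediate or leaf, which does not belong in the trust bundle).
# Returns 0 only if the bundle is non-empty and every cert is self-issued.
# Name equality cannot tell you who operates a root: review the subjects
# by hand to confirm each one is a CA under your control.
bundle_has_only_roots() {
  openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
    openssl pkcs7 -print_certs -noout 2>/dev/null |
    awk '
      /^subject=/ { subj = substr($0, 9); n++ }
      /^issuer=/  { if (substr($0, 8) != subj) { print "not a root: " subj; bad = 1 } }
      END         { exit (bad || n == 0) }'
}

# Verify the chain a server presents (leaf first, then its intermediates)
# against the bundle. openssl verify checks the first cert in the file and
# uses the rest only as untrusted chain-building material, so the chain must
# end at a self-signed root found in the bundle.
# $1 = CA bundle, $2 = presented chain.
# On OpenSSL 1.1.0+ add -no-CApath to keep the system trust store out of it.
verify_presented_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2"
}

if [ "$#" -eq 2 ]; then
  bundle_has_only_roots "$1" && verify_presented_chain "$1" "$2"
fi
```

A bundle holding only the intermediate fails the second check as well as the first, because OpenSSL will not stop at a trusted issuer that is not self-signed.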