Hi
I'm facing this problem as well, though in a different context: OCSP stapling. Everything looks good without OCSP stapling: my ssl_certificate file contains my domain (wildcard) cert from AlphaSSL, which doesn't require any intermediate cert, so the domain cert is the only one in that file.
However, to enable OCSP stapling, I have to specify the full cert chain in ssl_trusted_certificate. I do this by including first the GlobalSign root, then the AlphaSSL intermediate. This works fine, and OCSP stapling is operating normally.
But as a side effect, clients now also receive the full chain of certificates. I think, from your response above, that OpenSSL auto chain building is responsible for that (you also made the same reply in http://forum.nginx.org/read.php?2,248153,248168#msg-248168).
1 - You say: "It shouldn't happen as long as there is at least one intermediate cert in ssl_certificate file". That's precisely what I want to avoid: including the whole chain in the ssl_certificate file. Only adding the AlphaSSL intermediate cert in ssl_certificate (i.e. NOT adding the GlobalSign root cert) results in an error (#20).
2 - Googling a bit more, and totally shooting in the dark here, I also found that OpenSSL has an SSL_MODE_NO_AUTO_CHAIN flag that "...Allow an application to disable the automatic SSL chain building....". Isn't it something you could use to disable the auto chain building? (originated from http://t93518.encryption-openssl-development.encryptiontalk.info/ssl-server-root-certs-and-client-auth-t93518.html I think)
Thanks for any input anyway!
Cheers
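
To confirm the side effect described in the post above (whether the server sends only the leaf or the whole chain, root included), the chain section of `openssl s_client -showcerts` output can be summarised. This is an added example, not part of the original post; the function names and the sample outputs, with made-up certificate names, are constructed for illustration.

```shell
#!/bin/sh
# chain_summary: read `openssl s_client -showcerts` output on stdin and print
#   sent=<certs in the chain the server sent> root_sent=<yes|no>
# root_sent=yes means one sent certificate is self-signed (subject == issuer).
chain_summary() {
    awk '
        /^Certificate chain/ { in_chain = 1; next }
        /^---$/ && in_chain  { in_chain = 0 }      # separator ends the section
        in_chain && /^ *[0-9]+ s:/ {               # " 0 s:<subject>"
            sent++
            subject = $0; sub(/^ *[0-9]+ s:/, "", subject)
            next
        }
        in_chain && /^ *i:/ {                      # "   i:<issuer>"
            issuer = $0; sub(/^ *i:/, "", issuer)
            if (issuer == subject) root = 1
        }
        END { printf "sent=%d root_sent=%s\n", sent, (root ? "yes" : "no") }
    '
}

# Constructed sample: only the leaf is sent (PEM body is a placeholder).
sample_leaf_only() {
cat <<'EOF'
---
Certificate chain
 0 s:CN = *.example.test
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, no real certificate data)
-----END CERTIFICATE-----
---
Server certificate
EOF
}

# Constructed sample: leaf, intermediate and self-signed root are all sent.
sample_full_chain() {
cat <<'EOF'
---
Certificate chain
 0 s:CN = *.example.test
   i:CN = Example Intermediate CA
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
 2 s:CN = Example Root CA
   i:CN = Example Root CA
---
Server certificate
EOF
}
```

Against a live server, pipe `openssl s_client -connect <host>:443 -servername <host> -showcerts </dev/null 2>/dev/null` into `chain_summary`, once with stapling disabled and once with it enabled, and compare the two summaries.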