> On Apr 3, 2017, at 4:26 PM, Benjamin Kaduk <bkaduk@xxxxxxxxxx> wrote:
>
> There was a fair amount of churn in x509_vfy.c with the inclusion
> of the DANE stuff and whatnot, so it's not immediately clear to me
> when this change actually happened. I think there are good
> arguments for the current 1.1.0 behavior and it doesn't really make
> sense to try to change back to the historical behavior, but it would
> be good to know when the change actually happened and that it is/was
> a known change. Ideally we could also document the different
> behavior between 1.0.x and 1.1.0 better; any thoughts about where to
> do so?

https://www.openssl.org/docs/man1.1.0/apps/verify.html

    -verify_depth num
        Limit the certificate chain to num intermediate CA certificates.
        A maximal depth chain can have up to num+2 certificates, since
        neither the end-entity certificate nor the trust-anchor
        certificate count against the -verify_depth limit.

https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_verify_depth.html

    SSL_CTX_set_verify_depth() sets the maximum depth for the certificate
    chain verification that shall be allowed for ctx. (See the BUGS
    section.)

    ...

    BUGS

    The certificate verification depth set with SSL[_CTX]_verify_depth()
    stops the verification at a certain depth. The error message produced
    will be that of an incomplete certificate chain and not
    X509_V_ERR_CERT_CHAIN_TOO_LONG as may be expected.

The 1.0.2 behaviour was under-documented and somewhat broken. This was
fixed in 1.1.0. Unfortunately, the SSL_CTX_set_verify_depth(3) manual
page was not brought up to date, contributions welcome:

https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_verify_depth.html

-- 
	Viktor.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
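A worked demonstration of the 1.1.0 counting rule quoted above (num intermediates, leaf and trust anchor not counted), added here as an example and not code from the thread or from the OpenSSL project. It assumes an openssl binary on PATH and builds a throwaway four-certificate chain in a temporary directory; the names root, ica1, ica2 and leaf, the extension files and the verify_with_depth helper are this example's own choices.

```shell
#!/bin/sh
# Added example, not OpenSSL project code: build root -> ica1 -> ica2 -> leaf
# with the openssl CLI, then verify the leaf under several -verify_depth
# values. Expected results follow the 1.1.0+ semantics quoted in the thread:
# the depth counts only intermediates, so this chain needs -verify_depth 2.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles (constructed for this example). CA certificates must
# carry basicConstraints CA:TRUE or they are rejected as issuers.
cat > ca_ext.cnf <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
cat > leaf_ext.cnf <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
EOF

# newcsr NAME: fresh RSA key plus a CSR with subject CN=NAME
newcsr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
    -subj "/CN=$1" -out "$1.csr" 2>/dev/null
}

# sign NAME ISSUER EXTFILE: issue NAME's certificate from ISSUER's key/cert
sign() {
  openssl x509 -req -sha256 -days 30 -in "$1.csr" -extfile "$3" \
    -CA "$2.pem" -CAkey "$2.key" -CAcreateserial -out "$1.pem" 2>/dev/null
}

# Self-signed trust anchor, two intermediates, one end-entity certificate.
newcsr root
openssl x509 -req -sha256 -days 30 -in root.csr -signkey root.key \
  -extfile ca_ext.cnf -out root.pem 2>/dev/null
newcsr ica1
sign ica1 root ca_ext.cnf
newcsr ica2
sign ica2 ica1 ca_ext.cnf
newcsr leaf
sign leaf ica2 leaf_ext.cnf
cat ica1.pem ica2.pem > intermediates.pem

# verify_with_depth NUM: run openssl verify with -verify_depth NUM and print
# "ok" when the leaf verified, "fail" otherwise. The "NAME: OK" line is
# checked rather than the exit status, which has varied across releases.
verify_with_depth() {
  if openssl verify -CAfile root.pem -untrusted intermediates.pem \
       -verify_depth "$1" leaf.pem 2>&1 | grep -q '^leaf.pem: OK$'; then
    echo ok
  else
    echo fail
  fi
}

# Two intermediates sit between leaf and anchor: depth 2 is the smallest
# value that verifies, and the four-certificate chain is num+2 long.
for d in 0 1 2 3; do
  printf 'verify_depth %s: %s\n' "$d" "$(verify_with_depth "$d")"
done
```

On a 1.1.0 or later build the loop prints fail for depths 0 and 1 and ok for 2 and 3. On 1.0.2 the depth-2 case can instead be reported as an incomplete chain, as the BUGS section quoted above describes, so running the script also tells you which behaviour the installed build has.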