Re: verify depth behavior change from 1.0.2 to 1.1.0?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> On Apr 3, 2017, at 4:26 PM, Benjamin Kaduk <bkaduk@xxxxxxxxxx> wrote:
> 
> There was a fair amount of churn in x509_vfy.c with the inclusion
> of the DANE stuff and whatnot, so it's not immediately clear to me
> when this change actually happened.  I think there are good
> arguments for the current 1.1.0 behavior and it doesn't really make
> sense to try to change back to the historical behavior, but it would
> be good to know when the change actually happened and that it is/was
> a known change.  Ideally we could also document the different
> behavior between 1.0.x and 1.1.0 better; any thoughts about where to
> do so?

https://www.openssl.org/docs/man1.1.0/apps/verify.html

   -verify_depth num

	Limit the certificate chain to num intermediate CA certificates.
	A maximal depth chain can have up to num+2 certificates, since
	neither the end-entity certificate nor the trust-anchor
	certificate count against the -verify_depth limit.

https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_verify_depth.html

	SSL_CTX_set_verify_depth() sets the maximum depth for the
	certificate chain verification that shall be allowed for ctx.
	(See the BUGS section.)
	...
	BUGS

	The certificate verification depth set with SSL[_CTX]_verify_depth()
	stops the verification at a certain depth. The error message
	produced will be that of an incomplete certificate chain and
	not X509_V_ERR_CERT_CHAIN_TOO_LONG as may be expected.

The 1.0.2 behaviour was under-documented and somewhat broken.  This
was fixed in 1.1.0.


Unfortunately, the SSL_CTX_set_verify_depth(3) was not brought up to date,
contributes welcome:

   https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_verify_depth.html

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux