> On Apr 4, 2017, at 10:41 AM, Short, Todd via openssl-users <openssl-users@xxxxxxxxxxx> wrote:
>
> Ben Kaduk:
>
> Do we know the values that are being passed to SSL_CTX_set_verify_depth()
> match the -verify_depth argument, or do they differ? If they differ, do
> identical arguments to the function behave the same in 1.1.0 and 1.0.2?

The "-verify_depth" argument to verify(1) just calls
SSL_CTX_set_verify_depth(3) with the given depth value. In OpenSSL
1.1.0, this sets a limit on the intermediate CA count and returns
sensible errors when the depth limit is exceeded.

> Viktor:
>
> What we’re getting at here, is that this appears to be a potentially
> significant behavioral change. We want to understand it better.

The code no longer returns misleading errors, and is better documented
in verify(3), but it seems I missed additional requisite documentation
updates in SSL_CTX_set_verify_depth(3). It would be great if someone
volunteered to complete the documentation update.

--
Viktor.
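The 1.1.0 depth limit on intermediate CAs described in the message above can be checked with verify(1) against a throwaway root -> intermediate -> leaf chain. This is an added example, not part of the original message or of OpenSSL; it assumes an OpenSSL 1.1.0 or later `openssl` binary on PATH, and the certificate names and helper functions are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: constructed test PKI, not code from the original thread.
# Assumption: "openssl" on PATH is OpenSSL 1.1.0 or later.

# mkcert <name> <issuer|self> <TRUE|FALSE>  (hypothetical helper)
# Creates <name>.key and <name>.pem with basicConstraints CA:<TRUE|FALSE>.
mkcert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo $1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
  printf 'basicConstraints=critical,CA:%s\n' "$3" > "$1.ext"
  if [ "$2" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 2 \
      -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
      -set_serial 2 -days 2 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  fi
}

# check_depth <n>: verify leaf.pem through int.pem up to root.pem with
# -verify_depth <n>, then classify the verifier's output.
check_depth() {
  out=$(openssl verify -CAfile root.pem -untrusted int.pem \
          -verify_depth "$1" leaf.pem 2>&1)
  case $out in
    *"chain too long"*) echo "chain too long" ;;  # X509_V_ERR_CERT_CHAIN_TOO_LONG
    *"leaf.pem: OK"*)   echo "ok" ;;
    *)                  echo "other: $out" ;;
  esac
}

# Builds the chain in a temp directory and reports both results on one line.
verify_depth_demo() {
  dir=$(mktemp -d) || return 1
  ( cd "$dir" &&
    mkcert root self TRUE && mkcert int root TRUE && mkcert leaf int FALSE &&
    echo "depth0=$(check_depth 0) depth1=$(check_depth 1)" )
  rc=$?
  rm -rf "$dir"
  return $rc
}

# One intermediate CA sits between leaf and trust anchor, so depth 0 is
# exceeded while depth 1 is enough; neither leaf nor root counts.
verify_depth_demo
```

When auditing a deployment that calls SSL_CTX_set_verify_depth(3), the same chain can be used to confirm which depth value the application actually needs for its real number of intermediates.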