Re: [openssl-dev] verify depth behavior change from 1.0.2 to 1.1.0?

On 04/04/2017 10:39 AM, Viktor Dukhovni wrote:
>> On Apr 4, 2017, at 10:41 AM, Short, Todd via openssl-users <openssl-users@xxxxxxxxxxx> wrote:
>>
>> Ben Kaduk:
>>
>>> Do we know the values that are being passed to SSL_CTX_set_verify_depth()
>>> match the -verify_depth argument, or do they differ?  If they differ, do
>>> identical arguments to the function behave the same in 1.1.0 and 1.0.2?
>
> The "-verify_depth" argument to verify(1) just calls SSL_CTX_set_verify_depth(3)
> with the given depth value.  In OpenSSL 1.1.0, this sets a limit on the
> intermediate CA count and returns sensible errors when the depth limit is
> exceeded.

(Pedantic note: the apps call X509_VERIFY_PARAM_set_depth() directly, and s_client goes on to use SSL_CTX_set1_param().)  But the answer to the actual question asked is the same: the depth argument used for verification is just the one passed on the command line.  Behavior differences stem from the library.

>> Viktor:
>>
>> What we’re getting at here, is that this appears to be a potentially
>> significant behavioral change. We want to understand it better.
>
> The code no longer returns misleading errors, and is better documented
> in verify(3), but it seems I missed additional requisite documentation
> updates in SSL_CTX_set_verify_depth(3).  It would be great if someone
> volunteered to complete the documentation update.


I have it on my list of things to look at if there is free time available (which is hardly guaranteed).

-Ben
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
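Added illustration, not code from this thread or from OpenSSL itself: a small C model of what "a limit on the intermediate CA count" means under the 1.1.0 rule that verify(1) documents, where neither the end-entity certificate nor the trust anchor counts against -verify_depth. A chain of leaf, two intermediates and root therefore needs a depth of 2, while a leaf issued directly by the anchor passes with depth 0. The cert_t struct, check_depth(), count_intermediates(), the sample chains and the trust store are all constructed here; the numeric codes 20 and 22 are chosen to mirror OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY and X509_V_ERR_CERT_CHAIN_TOO_LONG, but the names are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the OpenSSL 1.1.0 verify-depth rule: the limit
 * counts intermediate CA certificates only; neither the end-entity
 * certificate nor the trust anchor counts against it.  Illustration
 * code, not OpenSSL's verifier. */

typedef struct {
    const char *subject;
    const char *issuer;
} cert_t;

/* Result codes.  The numeric values mirror OpenSSL's
 * X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (20) and
 * X509_V_ERR_CERT_CHAIN_TOO_LONG (22); the names are ours. */
enum {
    CHAIN_OK        = 0,
    CHAIN_NO_ISSUER = 20,
    CHAIN_TOO_LONG  = 22
};

/* Does the trust store hold a certificate with this subject name? */
static int is_trust_anchor(const char *subject,
                           const cert_t *trusted, int n_trusted)
{
    int t;
    for (t = 0; t < n_trusted; t++)
        if (strcmp(trusted[t].subject, subject) == 0)
            return 1;
    return 0;
}

/* chain[0] is the end-entity certificate, chain[1..] the untrusted
 * intermediates the peer supplied, in issuing order.  Walks from the
 * leaf toward a trust anchor, counting intermediates, and fails with
 * CHAIN_TOO_LONG as soon as the count exceeds verify_depth.  The count
 * is stored in *n_intermediates when that pointer is non-NULL. */
int check_depth(const cert_t *chain, int chain_len,
                const cert_t *trusted, int n_trusted,
                int verify_depth, int *n_intermediates)
{
    int i, n = 0, rc = CHAIN_NO_ISSUER;

    for (i = 0; i < chain_len; i++) {
        /* Issuer is a trust anchor: chain complete, n intermediates used. */
        if (is_trust_anchor(chain[i].issuer, trusted, n_trusted)) {
            rc = CHAIN_OK;
            break;
        }
        /* Otherwise the issuer must be the next untrusted certificate. */
        if (i + 1 >= chain_len ||
            strcmp(chain[i].issuer, chain[i + 1].subject) != 0) {
            rc = CHAIN_NO_ISSUER;
            break;
        }
        n++;                       /* chain[i + 1] is one more intermediate */
        if (n > verify_depth) {
            rc = CHAIN_TOO_LONG;
            break;
        }
    }
    if (n_intermediates != NULL)
        *n_intermediates = n;
    return rc;
}

/* Number of intermediates between leaf and anchor, or -1 if the chain
 * never reaches a trust anchor (depth = chain_len can never be exceeded). */
int count_intermediates(const cert_t *chain, int chain_len,
                        const cert_t *trusted, int n_trusted)
{
    int n;
    if (check_depth(chain, chain_len, trusted, n_trusted, chain_len, &n) != CHAIN_OK)
        return -1;
    return n;
}

/* Constructed sample data: one trust anchor and three peer chains. */
const cert_t TRUSTED[] = { { "Root CA", "Root CA" } };
const int N_TRUSTED = 1;

/* leaf <- Int B <- Int A <- Root CA: two intermediates */
const cert_t CHAIN_TWO_INT[] = {
    { "www.example.test", "Int B" }, { "Int B", "Int A" }, { "Int A", "Root CA" }
};
/* leaf issued directly by the trust anchor: zero intermediates */
const cert_t CHAIN_DIRECT[] = { { "www.example.test", "Root CA" } };
/* leaf whose issuer is neither supplied nor trusted */
const cert_t CHAIN_ORPHAN[] = { { "www.example.test", "Unknown CA" } };

static const char *code_name(int rc)
{
    switch (rc) {
    case CHAIN_OK:       return "ok";
    case CHAIN_TOO_LONG: return "certificate chain too long";
    default:             return "unable to get issuer certificate";
    }
}

int main(void)
{
    int depth, n;
    for (depth = 0; depth <= 2; depth++) {
        int rc = check_depth(CHAIN_TWO_INT, 3, TRUSTED, N_TRUSTED, depth, &n);
        printf("two intermediates, verify_depth=%d: %s (%d counted)\n",
               depth, code_name(rc), n);
    }
    printf("direct issue, verify_depth=0: %s\n",
           code_name(check_depth(CHAIN_DIRECT, 1, TRUSTED, N_TRUSTED, 0, NULL)));
    printf("unknown issuer: %s\n",
           code_name(check_depth(CHAIN_ORPHAN, 1, TRUSTED, N_TRUSTED, 5, NULL)));
    return 0;
}
```

The useful check when moving a deployment from 1.0.2 to 1.1.0 is to run the depth values you actually configure (via SSL_CTX_set_verify_depth() or X509_VERIFY_PARAM_set_depth()) against your longest real chain under the counting rule above, so that a limit tuned to the old behaviour does not start rejecting valid chains, or silently admit longer ones, after the upgrade.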
