On 04/04/2017 10:39 AM, Viktor Dukhovni wrote:

> On Apr 4, 2017, at 10:41 AM, Short, Todd via openssl-users <openssl-users@xxxxxxxxxxx> wrote:
>
>> Ben Kaduk: Do we know the values that are being passed to SSL_CTX_set_verify_depth() match the -verify_depth argument, or do they differ? If they differ, do identical arguments to the function behave the same in 1.1.0 and 1.0.2?
>
> The "-verify_depth" argument to verify(1) just calls SSL_CTX_set_verify_depth(3) with the given depth value. In OpenSSL 1.1.0, this sets a limit on the intermediate CA count and returns sensible errors when the depth limit is exceeded. (Pedantic note: the apps call X509_VERIFY_PARAM_set_depth() directly, and s_client goes on to use SSL_CTX_set1_param().) But the answer to the actual question asked is the same: the depth argument used for verification is just the one passed on the command line. Behavior differences stem from the library.
>
>> Viktor: What we’re getting at here is that this appears to be a potentially significant behavioral change. We want to understand it better.
>
> The code no longer returns misleading errors, and is better documented in verify(3), but it seems I missed additional requisite documentation updates in SSL_CTX_set_verify_depth(3). It would be great if someone volunteered to complete the documentation update.

I have it on my list of things to look at if there is free time available (which is hardly guaranteed).

-Ben
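The depth semantics Viktor describes (the limit counts intermediate CA certificates only, so neither the end-entity certificate nor the trust anchor counts against it, and exceeding the limit yields a depth-specific error rather than a misleading one) are easy to get wrong when picking a value. The following is an added, self-contained C model of that rule; it is not OpenSSL code and does not link against libcrypto. The certificate pool and chain are constructed for the example, the `cert_t` type and `verify_with_depth()` function are hypothetical, and the error code names are this example's own (OpenSSL 1.1.0 itself reports X509_V_ERR_CERT_CHAIN_TOO_LONG in this situation).

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the OpenSSL 1.1.0 verify depth rule: a chain of
 * leaf + N intermediates + trust anchor passes with -verify_depth N,
 * because only intermediate CAs count against the limit. Hypothetical
 * types and names; not the library's own implementation. */
typedef struct {
    const char *subject;
    const char *issuer;
    int self_signed;  /* 1 marks a trust anchor (root) */
} cert_t;

enum verify_result {
    VERIFY_OK = 0,
    VERIFY_ERR_CHAIN_TOO_LONG = 1,  /* depth limit exceeded */
    VERIFY_ERR_NO_ISSUER = 2        /* chain cannot be completed */
};

/* Constructed pool: untrusted intermediates plus one trusted root. */
const cert_t POOL[] = {
    { "Example Root CA",        "Example Root CA",        1 },
    { "Example Intermediate 1", "Example Root CA",        0 },
    { "Example Intermediate 2", "Example Intermediate 1", 0 },
};
const size_t POOL_LEN = sizeof POOL / sizeof POOL[0];

/* Leaf with two intermediates above it, and a leaf issued directly by the root. */
const cert_t LEAF        = { "www.example.test", "Example Intermediate 2", 0 };
const cert_t DIRECT_LEAF = { "api.example.test", "Example Root CA",        0 };

/* Find a certificate in the pool by subject name (issuer lookup). */
static const cert_t *find_issuer(const cert_t *pool, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(pool[i].subject, name) == 0)
            return &pool[i];
    return NULL;
}

/* Walk from the leaf to a self-signed anchor, counting intermediates.
 * Applies the depth limit the way the 1.1.0 rule describes: the leaf and
 * the anchor are never counted. Returns a verify_result; the number of
 * intermediates seen so far is written to *intermediates_out if non-NULL. */
int verify_with_depth(const cert_t *leaf, const cert_t *pool, size_t n,
                      int depth, int *intermediates_out)
{
    const cert_t *cur = leaf;
    int intermediates = 0;
    size_t steps = 0;
    int rc = VERIFY_OK;

    while (!cur->self_signed) {
        const cert_t *issuer = find_issuer(pool, n, cur->issuer);
        /* Missing issuer, or an issuer loop longer than the pool: give up. */
        if (issuer == NULL || ++steps > n + 1) { rc = VERIFY_ERR_NO_ISSUER; break; }
        if (!issuer->self_signed) {
            intermediates++;
            if (intermediates > depth) { rc = VERIFY_ERR_CHAIN_TOO_LONG; break; }
        }
        cur = issuer;
    }
    if (intermediates_out)
        *intermediates_out = intermediates;
    return rc;
}

int main(void)
{
    int n;
    for (int depth = 0; depth <= 2; depth++) {
        int rc = verify_with_depth(&LEAF, POOL, POOL_LEN, depth, &n);
        printf("depth=%d: result=%d intermediates=%d\n", depth, rc, n);
    }
    printf("direct leaf, depth=0: result=%d\n",
           verify_with_depth(&DIRECT_LEAF, POOL, POOL_LEN, 0, &n));
    return 0;
}
```

Running it shows the two-intermediate chain failing at depth 0 and 1 with the chain-too-long result and passing at depth 2, while the root-issued leaf passes even at depth 0, matching the "intermediate CA count" wording above.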
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users