[openssl-users] verify depth behavior change from 1.0.2 to 1.1.0?
Viktor Dukhovni
openssl-users at dukhovni.org
Mon Apr 3 20:43:15 UTC 2017
> On Apr 3, 2017, at 4:26 PM, Benjamin Kaduk <bkaduk at akamai.com> wrote:
>
> There was a fair amount of churn in x509_vfy.c with the inclusion
> of the DANE stuff and whatnot, so it's not immediately clear to me
> when this change actually happened. I think there are good
> arguments for the current 1.1.0 behavior and it doesn't really make
> sense to try to change back to the historical behavior, but it would
> be good to know when the change actually happened and that it is/was
> a known change. Ideally we could also document the different
> behavior between 1.0.x and 1.1.0 better; any thoughts about where to
> do so?
https://www.openssl.org/docs/man1.1.0/apps/verify.html

    -verify_depth num
        Limit the certificate chain to num intermediate CA certificates.
        A maximal depth chain can have up to num+2 certificates, since
        neither the end-entity certificate nor the trust-anchor
        certificate count against the -verify_depth limit.

https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_verify_depth.html

    SSL_CTX_set_verify_depth() sets the maximum depth for the
    certificate chain verification that shall be allowed for ctx.
    (See the BUGS section.)
    ...
    BUGS
    The certificate verification depth set with SSL[_CTX]_verify_depth()
    stops the verification at a certain depth. The error message
    produced will be that of an incomplete certificate chain and
    not X509_V_ERR_CERT_CHAIN_TOO_LONG as may be expected.

The 1.0.2 behaviour was under-documented and somewhat broken. This
was fixed in 1.1.0.
Unfortunately, SSL_CTX_set_verify_depth(3) was not brought up to date;
contributions welcome:
https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_verify_depth.html
--
Viktor.
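The following script is an added example, not part of the thread above and not OpenSSL project code. It builds a constructed four-certificate chain (root, two intermediates, leaf) with the openssl CLI and then runs `openssl verify` with several `-verify_depth` values, so you can see the 1.1.0 rule quoted from verify(1) in action: the limit counts only intermediate CAs, so a chain with two intermediates passes at depth 2 and fails at depth 1. It assumes an openssl CLI with 1.1.0-or-later verification semantics on PATH; all file names, subject names and the config file are constructed for the demo.

```shell
#!/bin/sh
# Added demo (not from the thread): build the constructed chain
#   Demo Root -> Demo Intermediate 1 -> Demo Intermediate 2 -> leaf.example
# and show how -verify_depth counts only intermediate CAs (1.1.0+ semantics):
# a limit of N admits a chain of up to N+2 certificates.
# Assumes an openssl CLI (1.1.1 or later) on PATH; all names are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config: a no-prompt DN section for req(1) and two extension
# sections selected with -extensions when signing via x509(1).
cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
EOF

# gen_key_and_csr NAME CN: P-256 key plus CSR (fast enough to rerun freely)
gen_key_and_csr() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$1.key" 2>/dev/null
    openssl req -new -config demo.cnf -key "$1.key" -subj "/CN=$2" -out "$1.csr"
}

# sign_with NAME ISSUER EXT_SECTION SERIAL: issue NAME.crt from NAME.csr
sign_with() {
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
        -set_serial "$4" -days 1 -sha256 \
        -extfile demo.cnf -extensions "$3" -out "$1.crt" 2>/dev/null
}

# Self-signed trust anchor, then two intermediate CAs, then the end entity.
gen_key_and_csr root "Demo Root"
openssl x509 -req -in root.csr -signkey root.key -set_serial 1 -days 1 -sha256 \
    -extfile demo.cnf -extensions ca_ext -out root.crt 2>/dev/null
gen_key_and_csr int1 "Demo Intermediate 1"
sign_with int1 root ca_ext 2
gen_key_and_csr int2 "Demo Intermediate 2"
sign_with int2 int1 ca_ext 3
gen_key_and_csr leaf "leaf.example"
sign_with leaf int2 leaf_ext 4

# Both intermediates go into one untrusted bundle; only root.crt is trusted.
cat int1.crt int2.crt > ints.crt

# verify_depth N: exit status 0 iff the chain is accepted with -verify_depth N
verify_depth() {
    openssl verify -verify_depth "$1" -CAfile root.crt -untrusted ints.crt leaf.crt
}

# Two intermediate CAs in the chain: depth 2 and above is accepted,
# depth 1 and 0 are rejected ("certificate chain too long" in 1.1.0+).
for d in 0 1 2 3; do
    if verify_depth "$d" >/dev/null 2>&1; then
        echo "-verify_depth $d: accepted"
    else
        echo "-verify_depth $d: rejected"
    fi
done
```

Run it as-is; the loop prints one line per depth. Under the 1.0.2 behaviour described in the BUGS excerpt, the rejected cases would instead surface as an incomplete-chain error, which is exactly the discrepancy the thread is about.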