[openssl-users] [openssl-dev] verify depth behavior change from 1.0.2 to 1.1.0?
Viktor Dukhovni
openssl-users at dukhovni.org
Tue Apr 4 15:39:47 UTC 2017
> On Apr 4, 2017, at 10:41 AM, Short, Todd via openssl-users <openssl-users at openssl.org> wrote:
>
> Ben Kaduk:
>
> Do we know the values that are being passed to SSL_CTX_set_verify_depth()
> match the -verify_depth argument, or do they differ? If they differ, do
> identical arguments to the function behave the same in 1.1.0 and 1.0.2?
The "-verify_depth" argument to verify(1) just calls SSL_CTX_set_verify_depth(3)
with the given depth value. In OpenSSL 1.1.0, this sets a limit on the
intermediate CA count and returns sensible errors when the depth limit is
exceeded.
> Viktor:
>
> What we’re getting at here, is that this appears to be a potentially
> significant behavioral change. We want to understand it better.
The code no longer returns misleading errors, and is better documented
in verify(3), but it seems I missed additional requisite documentation
updates in SSL_CTX_set_verify_depth(3). It would be great if someone
volunteered to complete the documentation update.
--
Viktor.
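As an added example that is not part of this thread or of OpenSSL's own code, the following shell script builds a constructed root -> inter1 -> inter2 -> leaf chain with the openssl command line tool and probes which -verify_depth values verify(1) accepts. It assumes an openssl binary of version 1.1.0 or later on PATH; the temporary directory, file names and subject names are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the openssl-users thread or from OpenSSL itself.
# Builds a constructed four-certificate chain (root -> inter1 -> inter2 -> leaf)
# in a temporary directory and checks which -verify_depth values verify(1)
# accepts. Assumes an OpenSSL 1.1.0 or newer "openssl" binary on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a key and a CSR for the named stem; subject names are placeholders.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=Constructed $1" >/dev/null 2>&1
}

# Sign CSR $1 with issuer $2 ("self" for a self-signed root); $3 is the
# basicConstraints CA flag, which decides whether the cert may act as a CA.
sign() {
    printf 'basicConstraints=critical,CA:%s\n' "$3" > "$WORK/$1.ext"
    if [ "$2" = self ]; then
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 2 \
            -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
    else
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" \
            -CAkey "$WORK/$2.key" -CAcreateserial -days 2 \
            -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
    fi
}

# Build the constructed chain: two intermediate CAs between root and leaf.
make_chain() {
    for stem in root inter1 inter2 leaf; do make_csr "$stem"; done
    sign root self TRUE
    sign inter1 root TRUE
    sign inter2 inter1 TRUE
    sign leaf inter2 FALSE
    # Both intermediates are offered to verify(1) as untrusted chain material.
    cat "$WORK/inter1.pem" "$WORK/inter2.pem" > "$WORK/untrusted.pem"
}

# Print "yes" if leaf.pem verifies with -verify_depth $1, otherwise "no".
depth_allows() {
    if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/untrusted.pem" \
           -verify_depth "$1" "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

make_chain
# With two intermediate CAs, depths 0 and 1 are rejected (chain too long) and
# depth 2 is the first value that succeeds: neither the end-entity certificate
# nor the trust anchor counts against the limit.
for d in 0 1 2 3; do
    echo "verify_depth $d: $(depth_allows "$d")"
done
```

Under the 1.1.0 semantics described above, the limit counts intermediate CA certificates only, so a chain with two intermediates needs -verify_depth 2; smaller values fail with a chain-too-long error rather than a misleading lookup error.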