[openssl-users] [openssl-dev] verify depth behavior change from 1.0.2 to 1.1.0?

Viktor Dukhovni openssl-users at dukhovni.org
Tue Apr 4 15:39:47 UTC 2017


> On Apr 4, 2017, at 10:41 AM, Short, Todd via openssl-users <openssl-users at openssl.org> wrote:
> 
> Ben Kaduk:
> 
> Do we know the values that are being passed to SSL_CTX_set_verify_depth()
> match the -verify_depth argument, or do they differ?  If they differ, do
> identical arguments to the function behave the same in 1.1.0 and 1.0.2?

The "-verify_depth" argument to verify(1) just calls SSL_CTX_set_verify_depth(3)
with the given depth value.  In OpenSSL 1.1.0, this sets a limit on the
intermediate CA count and returns sensible errors when the depth limit is
exceeded.

> Viktor:
> 
> What we’re getting at here, is that this appears to be a potentially
> significant behavioral change. We want to understand it better.

The code no longer returns misleading errors, and is better documented
in verify(3), but it seems I missed additional requisite documentation
updates in SSL_CTX_set_verify_depth(3).  It would be great if someone
volunteered to complete the documentation update.

-- 
	Viktor.
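To make the 1.1.0 semantics above concrete, here is an added example (not part of Viktor's post or of the OpenSSL project's own code): it builds a throwaway three-certificate chain (root, intermediate, leaf) plus a second leaf issued directly by the root, then runs `openssl verify -verify_depth N` against both. It assumes an `openssl` binary with 1.1.0-or-later verify semantics on PATH and a usable default `openssl.cnf` for `req`; all subject names and the `WORK` directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Shows that with OpenSSL
# 1.1.0+ semantics -verify_depth counts intermediate CAs only: neither the
# end-entity certificate nor the trust anchor counts against the limit.
# Assumes: openssl CLI (1.1.0 or later) on PATH. Names below are constructed.

WORK="${WORK:-$(mktemp -d)}"

# Create: root (self-signed CA) -> int (CA) -> leaf.pem, and root -> direct.pem.
# Extensions are written explicitly so the result does not depend on the
# default config's extension sections.
make_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\n' > "$WORK/leaf.ext"
    EC="ec_paramgen_curve:prime256v1"

    # Root: CSR, then self-sign it with CA extensions.
    openssl req -new -newkey ec -pkeyopt "$EC" -nodes -keyout "$WORK/root.key" \
        -out "$WORK/root.csr" -subj "/CN=Example Test Root" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1 || return 1

    # Intermediate CA signed by the root.
    openssl req -new -newkey ec -pkeyopt "$EC" -nodes -keyout "$WORK/int.key" \
        -out "$WORK/int.csr" -subj "/CN=Example Test Intermediate" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" \
        >/dev/null 2>&1 || return 1

    # Leaf signed by the intermediate (chain of three).
    openssl req -new -newkey ec -pkeyopt "$EC" -nodes -keyout "$WORK/leaf.key" \
        -out "$WORK/leaf.csr" -subj "/CN=leaf.example.test" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" \
        >/dev/null 2>&1 || return 1

    # Second leaf signed directly by the root (chain of two, no intermediate).
    openssl req -new -newkey ec -pkeyopt "$EC" -nodes -keyout "$WORK/direct.key" \
        -out "$WORK/direct.csr" -subj "/CN=direct.example.test" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/direct.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/direct.pem" \
        >/dev/null 2>&1 || return 1
}

# Usage: verify_at_depth DEPTH CERTFILE   (CERTFILE is leaf.pem or direct.pem)
# Only the root is trusted; the intermediate is offered as -untrusted.
# Echoes "ok" or "fail" based on the exit status of openssl verify.
verify_at_depth() {
    if openssl verify -verify_depth "$1" -CAfile "$WORK/root.pem" \
            -untrusted "$WORK/int.pem" "$WORK/$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Usage: verify_output DEPTH CERTFILE  -- prints the raw openssl verify output,
# so the reader can see which error (e.g. chain too long) is reported.
verify_output() {
    openssl verify -verify_depth "$1" -CAfile "$WORK/root.pem" \
        -untrusted "$WORK/int.pem" "$WORK/$2" 2>&1
}

# Stand-alone demo: ./verify_depth_demo.sh demo
if [ "${1:-}" = "demo" ]; then
    make_chain || { echo "chain generation failed" >&2; exit 1; }
    for cert in leaf.pem direct.pem; do
        for depth in 0 1; do
            echo "== $cert at -verify_depth $depth: $(verify_at_depth "$depth" "$cert")"
            verify_output "$depth" "$cert"
        done
    done
fi
```

Expected behaviour under the 1.1.0 rule: `leaf.pem` (one intermediate) fails at depth 0 and passes at depth 1, while `direct.pem` (no intermediate) passes even at depth 0, because the leaf and the trust anchor are never counted. This matches the verify(1) wording for 1.1.0 that a maximal chain can have up to num+2 certificates.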
