[openssl-users] [openssl-dev] verify depth behavior change from 1.0.2 to 1.1.0?

Benjamin Kaduk bkaduk at akamai.com
Tue Apr 4 16:20:14 UTC 2017

On 04/04/2017 10:39 AM, Viktor Dukhovni wrote:
>> On Apr 4, 2017, at 10:41 AM, Short, Todd via openssl-users <openssl-users at openssl.org> wrote:
>> Ben Kaduk:
>> Do we know the values that are being passed to SSL_CTX_set_verify_depth()
>> match the -verify_depth argument, or do they differ?  If they differ, do
>> identical arguments to the function behave the same in 1.1.0 and 1.0.2?
> The "-verify_depth" argument to verify(1) just calls SSL_CTX_set_verify_depth(3)
> with the given depth value.  In OpenSSL 1.1.0, this sets a limit on the
> intermediate CA count and returns sensible errors when the depth limit is
> exceeded.

(Pedantic note: the apps call X509_VERIFY_PARAM_set_depth() directly,
and s_client goes on to use SSL_CTX_set1_param().)  But the answer to
the actual question asked is the same, the depth argument used for
verification is just the one passed on the command line.  Behavior
differences stem in the library.

>> Viktor:
>> What we’re getting at here, is that this appears to be a potentially
>> significant behavioral change. We want to understand it better.
> The code no longer returns misleading errors, and is better documented
> in verify(3), but it seems I missed additional requisite documentation
> updates in SSL_CTX_set_verify_depth(3).  It would be great if someone
> volunteered to complete the documentation update.

I have it on my list of things to look at if there is free time
available (which is hardly guaranteed).

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170404/130ef96b/attachment.html>

More information about the openssl-users mailing list