Ben Kaduk: Do we know the values that are being passed to SSL_CTX_set_verify_depth() match the -verify_depth argument, or do they differ? If they differ, do identical arguments to the function behave the same in 1.1.0 and 1.0.2?

Viktor: What we're getting at here is that this appears to be a potentially significant behavioral change. We want to understand it better.

--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."

On Apr 3, 2017, at 4:43 PM, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:

> On Apr 3, 2017, at 4:26 PM, Benjamin Kaduk <bka...@akamai.com> wrote:
>
>> There was a fair amount of churn in x509_vfy.c with the inclusion of the DANE stuff and whatnot, so it's not immediately clear to me when this change actually happened. I think there are good arguments for the current 1.1.0 behavior and it doesn't really make sense to try to change back to the historical behavior, but it would be good to know when the change actually happened and that it is/was a known change. Ideally we could also document the different behavior between 1.0.x and 1.1.0 better; any thoughts about where to do so?
>
> https://www.openssl.org/docs/man1.1.0/apps/verify.html
>
>     -verify_depth num
>         Limit the certificate chain to num intermediate CA certificates. A maximal depth chain can have up to num+2 certificates, since neither the end-entity certificate nor the trust-anchor certificate count against the -verify_depth limit.
>
> https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_verify_depth.html
>
>     SSL_CTX_set_verify_depth() sets the maximum depth for the certificate chain verification that shall be allowed for ctx. (See the BUGS section.)
>     ...
>     BUGS
>         The certificate verification depth set with SSL[_CTX]_verify_depth() stops the verification at a certain depth. The error message produced will be that of an incomplete certificate chain and not X509_V_ERR_CERT_CHAIN_TOO_LONG as may be expected.
>
> The 1.0.2 behaviour was under-documented and somewhat broken. This was fixed in 1.1.0.
>
> Unfortunately, the SSL_CTX_set_verify_depth(3) page was not brought up to date, contributions welcome:
> https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_verify_depth.html
>
> --
> Viktor.

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev