Hello,

It looks like haproxy (latest git) doesn't limit client ssl certificate verify depth.

Using SSL_CTX_set_verify_depth(ctx, maxdepth); in (ssl_sock.c):ssl_sock_prepare_ctx seems to work: haproxy doesn't verify really long client cert chains. (For backend server ssl connections the verify depth limit would probably go to ssl_sock_prepare_srv_ctx.)

Would it make sense to have a tune.ssl.max-verify-depth configuration option to limit the certificate chain verification depth?

If something like this seems reasonable I think I can make a patch to implement the tune.ssl.max... configuration option.

-Jarno

PS. Tested with this client cert chain:
CN=CAtest00
CN=CAtest01
CN=CAtest02
CN=CAtest03
CN=CAtest04
CN=CAtest05
CN=CAtest06
CN=CAtest07
CN=CAtest08
CN=CAtest09
CN=CAtest10
CN=CAtest11
CN=CAtest12
CN=CAtest13
CN=CAtest14
CN=CAtest15
CN=CAtest16
CN=CAtest17
CN=CAtest18
CN=CAtest19
CN=client19.local
(not really a real world example ... :)

-- 
Jarno Huuskonen
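The script below is an added reproducer for the chain described in the PS above; it is not code from the haproxy thread, from the poster, or from haproxy itself. It assumes only the `openssl` command-line tool on PATH and builds a 20-CA chain of the same shape (self-signed CAtest00, intermediates CAtest01 through CAtest19, leaf client19.local), then checks the chain with `openssl verify -verify_depth`. That option sets the same X509_VERIFY_PARAM depth that `SSL_CTX_set_verify_depth()` sets on a TLS context, so it shows what a haproxy built with such a limit would do with this chain: a limit far below the chain length gets the chain rejected (X509_V_ERR_CERT_CHAIN_TOO_LONG), a generous one accepts it. One caveat for anyone turning this into a tunable: how the number is counted changed in OpenSSL 1.1.0, where `-verify_depth` / `SSL_CTX_set_verify_depth` became the number of intermediate CA certificates, with neither the leaf nor the trust anchor counted; older releases counted differently, so the script only asserts on clearly-too-small and clearly-large values and merely prints the result at exactly 19 intermediates.

```shell
#!/bin/sh
# Added reproducer, not code from the haproxy thread or from haproxy itself.
# Builds the 20-CA client certificate chain described in the post
# (CAtest00 ... CAtest19 signing client19.local) with the openssl CLI and
# checks how a verify-depth limit behaves against it.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CHAIN_LEN=20   # CA certificates in the chain, root included (assumption: mirrors the PS)

# issue_cert NAME ISSUER KIND
#   NAME   subject CN and file basename under $WORK
#   ISSUER basename of the signing CA, or "" for a self-signed root
#   KIND   "ca" or "leaf", selects the basicConstraints/keyUsage extensions
issue_cert() {
    name=$1 issuer=$2 kind=$3
    openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/$name.key" 2>/dev/null
    openssl req -new -batch -key "$WORK/$name.key" -subj "/CN=$name" \
        -out "$WORK/$name.csr" 2>/dev/null
    if [ "$kind" = ca ]; then
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
            > "$WORK/$name.ext"
    else
        printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' \
            > "$WORK/$name.ext"
    fi
    if [ -z "$issuer" ]; then
        # Self-signed root: signs its own CSR.
        openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -days 1 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
    else
        # Signed by the previous CA in the chain.
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.crt" \
            -CAkey "$WORK/$issuer.key" -CAcreateserial -days 1 \
            -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
    fi
}

# build_chain: root CAtest00, intermediates CAtest01..CAtest19, leaf client19.local.
# Writes $WORK/root.pem (trust anchor), $WORK/untrusted.pem (intermediates) and $WORK/leaf.crt.
build_chain() {
    prev=""
    i=0
    : > "$WORK/untrusted.pem"
    while [ "$i" -lt "$CHAIN_LEN" ]; do
        name=$(printf 'CAtest%02d' "$i")
        issue_cert "$name" "$prev" ca
        if [ -z "$prev" ]; then
            cp "$WORK/$name.crt" "$WORK/root.pem"
        else
            cat "$WORK/$name.crt" >> "$WORK/untrusted.pem"
        fi
        prev=$name
        i=$((i + 1))
    done
    issue_cert client19.local "$prev" leaf
    cp "$WORK/client19.local.crt" "$WORK/leaf.crt"
}

# chain_ok_at_depth DEPTH: returns 0 if openssl accepts the chain with
# -verify_depth DEPTH (the same limit SSL_CTX_set_verify_depth applies), 1 otherwise.
chain_ok_at_depth() {
    if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/untrusted.pem" \
           -verify_depth "$1" "$WORK/leaf.crt" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# intermediates_in_chain: CA certificates between the leaf and the root.
intermediates_in_chain() {
    echo $((CHAIN_LEN - 1))
}

build_chain

# Far too small, exactly the number of intermediates, and the OpenSSL 1.1.0+ default of 100.
for depth in 2 "$(intermediates_in_chain)" 100; do
    if chain_ok_at_depth "$depth"; then
        echo "verify_depth=$depth: chain accepted"
    else
        echo "verify_depth=$depth: chain rejected (certificate chain too long)"
    fi
done
```

Run it as `sh verify_depth_demo.sh`; the middle line of output is the one that differs between OpenSSL releases, which is exactly the detail a tune.ssl.max-verify-depth option would have to document for the versions haproxy is built against.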

