On Thu, Feb 25, 1999, Christian Buysschaert wrote:

>   Top root, Primary root, Operational root, Client cert
>   (Top signs primary, primary signs operational, etc.)
>[...]
>   SSLVerifyClient require
>   SSLVerifyDept 2
>   SSLCACertificateFile refers to a file containing only 'Primary root'
>[...]
>  [error] Certificate Verification: Error (19): self signed certificate in
> certificate chain
>  [error] Certificate Verification: Certificate Chain too long (chain has 3
> certificates, but maximum allowed are only 2)
>[...]
> Mmm... so SSLVerifyDepth seems to indicate chain length until the selfsigned
> certificate and not until a certificate in SSLCACertificateFile?

The self-signed one is usually the "Top root", isn't it?  This "self-signed
stuff" comes from SSLeay and is SSLeay's terminology.

> Anybody can confirm this? Or did I (again ;-) ) overlook something?

From the mod_ssl User Manual under SSLVerifyDepth:

| The depth actually is the maximum number of intermediate certificate issuers,
| i.e. the number of CA certificates which are max allowed to be followed while
| verifying the client certificate. A depth of 0 means that self-signed client
| certificates are accepted only, the default depth of 1 means the client
| certificate can be self-signed or has to be signed by a CA which is directly
| known to the server (i.e. the CA's certificate is under
| SSLCACertificatePath), etc.

In your case there are 3 issuers (= CA certs) in the chain, so as the error
message indicates you need at least "SSLVerifyDepth 3", of course.  The only
incorrect thing seems to be that the error reads "chain has 3 certificates"
while it actually should be "chain has 3 CA certificates". I'll change this
for mod_ssl 2.2.4.

Greetings,
                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
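
Added example (not part of the original message and not mod_ssl or SSLeay code): a small model of the counting rule in the manual excerpt above, applied to the four-level hierarchy from the question. The certificates are constructed (subject, issuer) pairs, the function names and message wording are hypothetical, and no signatures are checked; the count runs up to the self-signed certificate, so the content of SSLCACertificateFile does not enter into it.

```python
# Model of the SSLVerifyDepth counting rule quoted from the mod_ssl manual.
# Certificates are constructed (subject, issuer) pairs; nothing is verified
# cryptographically. All names here are illustrative assumptions.

def chain_to_root(leaf, certs):
    """Follow issuer links from the leaf up to the self-signed certificate."""
    by_subject = {subject: (subject, issuer) for subject, issuer in certs}
    chain, current = [], by_subject[leaf]
    while True:
        if current in chain:
            raise ValueError("issuer loop in chain")
        chain.append(current)
        subject, issuer = current
        if subject == issuer:            # self-signed: top of the chain
            return chain
        if issuer not in by_subject:
            raise ValueError("issuer %r not presented" % issuer)
        current = by_subject[issuer]

def ca_certs_followed(leaf, certs):
    """Number of CA certificates above the client certificate."""
    return len(chain_to_root(leaf, certs)) - 1

def check_depth(leaf, certs, verify_depth):
    """Return (ok, message) for a given SSLVerifyDepth value."""
    n = ca_certs_followed(leaf, certs)
    if n > verify_depth:
        return False, ("chain has %d CA certificates, but maximum "
                       "allowed are only %d" % (n, verify_depth))
    return True, "chain has %d CA certificates, within depth %d" % (n, verify_depth)

# Constructed sample: the hierarchy described in the question.
THREAD_CHAIN = [
    ("Top root", "Top root"),
    ("Primary root", "Top root"),
    ("Operational root", "Primary root"),
    ("Client cert", "Operational root"),
]

if __name__ == "__main__":
    for depth in (2, 3):
        print(depth, check_depth("Client cert", THREAD_CHAIN, depth))
    # A self-signed client certificate has no CA certificates above it.
    print(0, check_depth("Self", [("Self", "Self")], 0))
```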
