Ok, I think I get it now. The depth strictly relates to how many
'signings' you are removed from a root cert. I don't want to accept
anything signed by someone who is also signed by a root cert, so I set
my depth at 1. If I get to a root cert within that length of a cert
chain, then I can check the root CA to see if I am going to trust it.
So I set the preverify_ok to 1 if the chain isn't too long (verify_depth
>= depth), but if there are any other errors in the verification, set it back to 0
before returning it (in the switch statement).
Thank you again Lutz. You have been quite helpful to me over the last
several weeks. If you are ever in the Boston Area, I owe you a beer (we
have some decent American beers around here :)
Lou
Lutz Jaenicke wrote:
>
> On Thu, Oct 19, 2000 at 03:58:26PM -0400, Louis LeBlanc wrote:
> > I think the problem is here, in the check of verify_depth and depth:
>
> You misunderstand the verify_depth
>
> > This is the format that has been suggested to me, and what is used in
> > s_client. I am setting verify_depth to 1, and it gets verified to depth
> > 0 when I don't have the CA cert available. It seems to me the
> > verification process _begins_ with the peer cert, _then_ goes to the CA
> > cert. If it cannot find the CA Cert, the 'verified' depth returns as
> > 0. The verify_depth, of course, is 1. So shouldn't that comparison
> > read like this:
>
> The certificate is checked at all depth levels it contains. The culprit
> is to check out the "ok" value handed to the verify_callback.
> Since last week there is a manual page available:
> http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
>
> Best regards,
> Lutz
> --
> Lutz Jaenicke [EMAIL PROTECTED]
> BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
> Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
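As an added illustration (not code from the thread or from OpenSSL), here is a small Python model of the callback contract Lutz describes: the verifier hands the callback an ok value and a depth, and the chain-length limit is enforced by the verifier itself, so a callback that grants ok whenever verify_depth >= depth accepts exactly the unverifiable chain Lou saw. It follows the level numbering of the linked manual page (level 0 is the peer cert, level 1 its CA), uses name pairs in place of real certificates, and the certificate names are constructed.

```python
# Constructed model of OpenSSL's verify_callback contract, not OpenSSL code.
# Error names mirror X509_V_ERR_* codes; they are plain strings here.
X509_V_OK = "X509_V_OK"
ERR_NO_ISSUER = "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY"
ERR_TOO_LONG = "X509_V_ERR_CERT_CHAIN_TOO_LONG"

def verify_chain(peer_chain, trusted_roots, verify_depth, callback):
    """Model of X509_verify_cert: build the chain from the peer cert (depth 0)
    outward, then check signatures, calling callback(ok, err, depth,
    verify_depth) at each step.  peer_chain holds (subject, issuer) name
    pairs; trusted_roots holds subject names of self-signed roots in the
    trust store.  Returns (accepted, log of (depth, err, ok, returned))."""
    chain, log, depth = list(peer_chain), [], 0
    def cb(ok, err, d):
        result = callback(ok, err, d, verify_depth)
        log.append((d, err, ok, result))
        return result
    while True:                                 # chain building, leaf outward
        subject, issuer = chain[depth]
        if subject == issuer and subject in trusted_roots:
            break                               # reached a trusted root
        if depth + 1 < len(chain) and chain[depth + 1][0] == issuer:
            pass                                # issuer was sent by the peer
        elif issuer in trusted_roots:
            chain.append((issuer, issuer))      # issuer found in trust store
        elif not cb(0, ERR_NO_ISSUER, depth):   # error is reported at the
            return False, log                   # depth where building stopped
        else:
            break
        depth += 1
        if depth > verify_depth:                # level verify_depth+1 is one
            if not cb(0, ERR_TOO_LONG, depth):  # level too many
                return False, log
            break
    # Signature checks run from the outermost cert down to the peer, ok=1 each.
    for d in range(min(depth, len(chain) - 1), -1, -1):
        if not cb(1, X509_V_OK, d):
            return False, log
    return True, log

def naive_callback(ok, err, depth, verify_depth):
    """The misreading in the thread: any failure within the depth limit is
    waved through, so a missing CA cert (reported at depth 0) is accepted."""
    return 1 if (not ok and verify_depth >= depth) else ok

def strict_callback(ok, err, depth, verify_depth):
    """Return the ok value the verifier handed in; an over-long chain already
    arrives with ok=0 and X509_V_ERR_CERT_CHAIN_TOO_LONG, so no extra test."""
    return ok
```

Run the peer-cert-only chain with no CA in the trust store through both callbacks to see the naive one accept it at depth 0 while the strict one rejects it.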