I think a verify depth of 1 will work only for self-signed certificates; in this case it won't work. You should override the default certificate checking functions by registering your own callback for this function pointer in ssl_st:

int (*verify_callback)(int ok, X509_STORE_CTX *ctx)

As you already know CA2's issuer name and common name, you can reject that certificate if it is presented.

Hope this helps.

Thanks
--Gayathri

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Olaf Gellert
Sent: Tuesday, March 07, 2006 8:34 PM
To: openssl-users@openssl.org
Subject: Re: Choice of CAs in SSL/TLS handshake

Samy Thiyagarajan wrote:
>
> Hi,
> Maybe changing the verification depth level would solve this issue. (
> I mean check the chain only up to User CA 1 and not up to the Root CA.)
> In this case it should not report a missing valid root.
>
> I'm not sure; this is just an idea.

Good idea. But unfortunately it does not work out. I removed the
root certificate from the SSLCACertificateFile. The server now only allows
User CA 1 (otherwise it still offers the root CA as a valid CA). And I
shortened the verifyDepth to one. But the server denies access, saying:

[Tue Mar 07 15:56:34 2006] [error] Certificate Verification: Error (20): unable to get local issuer certificate

It seems that "verifyDepth" still requires a self-signed root certificate
(so the chain has to reach the top level in the given number of steps).

Hm... Any other proposals? :-)

Cheers,
Olaf

--
Dipl.Inform. Olaf Gellert                  PRESECURE (R)
Senior Researcher,                         Consulting GmbH
Phone: (+49) 0700 / PRESECURE              [EMAIL PROTECTED]

A daily view on Internet Attacks
https://www.ecsirt.net/sensornet

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
______________________________________________________________________