Package: openssl
Version: 0.9.8g-16

openssl s_client takes a depth parameter for the -verify option:

| -verify depth
|     The verify depth to use. This specifies the maximum length of the
|     server certificate chain and turns on server certificate
|     verification. Currently the verify operation continues after
|     errors so all the problems with a certificate chain can be seen. As
|     a side effect the connection will never fail due to a server
|     certificate verify failure.

This parameter is correctly enforced when the server certificate chain is
invalid, but it is not when the chain is valid. In other words, s_client
doesn't verify the chain depth when all certificates are valid. It's because
the depth check is implemented (in a verify callback) in a conditional on the
certificate status; if all certificates are valid, the depth is never checked!

I would expect the verification to fail if the chain is deeper than what I'm
asking for, even if the chain itself is valid.

(As a side note, the documentation is incorrect: when the chain is invalid
*and* deeper than the required depth, s_client doesn't continue, it exits in
the handshake.)

-- 
Romain Francoise <rfranco...@debian.org>
http://people.debian.org/~rfrancoise/
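The ordering problem the report describes, modelled in plain C as an added example (not code from OpenSSL or from the report): one callback compares the depth only inside its error branch, the other compares it before looking at the certificate status. The outcome codes, the `verify_depth`/`verify_error` globals and `walk_chain()` are constructed stand-ins for this model, not OpenSSL's API.

```c
/* Model of the verify-callback ordering described in the report. Names, the
 * outcome codes and walk_chain() are constructed for this example and are not
 * OpenSSL's API. Depth 0 is the server (leaf) certificate. */
enum { MODEL_OK = 0, MODEL_CHAIN_TOO_LONG = 1 };
static int verify_depth;   /* stands in for the value given to -verify */
static int verify_error;   /* last error recorded by the callback */

/* Depth compared only inside the error branch: a chain whose certificates all
 * pre-verify never reaches the comparison, so any length is accepted. */
static int cb_depth_inside_error_branch(int preverify_ok, int depth) {
    if (!preverify_ok) {
        if (verify_depth >= depth) {        /* error tolerated, continue */
            preverify_ok = 1;
            verify_error = MODEL_OK;
        } else {                            /* error and too deep: abort */
            preverify_ok = 0;
            verify_error = MODEL_CHAIN_TOO_LONG;
        }
    }
    return preverify_ok;
}

/* Depth enforced first, regardless of certificate status; the tolerant
 * continue-after-error behaviour is kept for chains within the limit. */
static int cb_depth_always(int preverify_ok, int depth) {
    if (depth > verify_depth) {
        verify_error = MODEL_CHAIN_TOO_LONG;
        return 0;
    }
    if (!preverify_ok)
        verify_error = MODEL_OK;            /* tolerated, as s_client does */
    return 1;
}

typedef int (*verify_cb)(int preverify_ok, int depth);

/* Drives a callback as the library would: once per chain element, from the
 * root (depth chain_len-1) down to the leaf. cert_ok[i] is the pre-verification
 * status at depth i. Returns 1 if the handshake proceeds, 0 if it aborts. */
static int walk_chain(verify_cb cb, const int *cert_ok, int chain_len, int max_depth) {
    verify_depth = max_depth;
    verify_error = MODEL_OK;
    for (int depth = chain_len - 1; depth >= 0; depth--)
        if (!cb(cert_ok[depth], depth))
            return 0;
    return 1;
}
```

With a fully valid three-certificate chain and a limit of 1, the first callback accepts the connection and the second rejects it with the chain-too-long code; an invalid root within the limit is tolerated by both, matching the continue-after-error behaviour the man page documents.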