Hello, All.
In my attempts to learn more about the certificate verification process,
I have been looking at the apps/* code, the manpages, and the release
docs - not to mention the OpenSSL site.  The closest thing I have found
to any documentation on the SSL_CTX_set_verify_depth() routine is the
following, taken from the CHANGES file in the 0.9.6 distribution:

  *) Support verify_depth from the SSL API.
     x509_vfy.c had what can be considered an off-by-one-error:
     Its depth (which was not part of the external interface)
     was actually counting the number of certificates in a chain;
     now it really counts the depth.
     [Bodo Moeller]

This doesn't really tell you what it is supposed to do.  Of course that
isn't what a CHANGES file is for either. :)

As I understand it, the verify depth associated with an SSL connection
specifies the number of steps taken before verification can succeed.
Any failures along the way cause a verification failure.  The callback
routine specified in the SSL_CTX_set_verify() call (or SSL_set_verify()
for a specific connection) is required to get specific information about
why the verification failed.

I wonder if there is any info regarding the specifics of the verify
depth, and is the call to SSL_CTX_set_verify_depth() even necessary?  If
not, what is being sacrificed, if anything?  What are the possible
values? etc.  If there is documentation that spells these things out, I
have been unable to find it, so please feel free to just point me to it.

Searches on the list archives for SSL_CTX_set_verify_depth,
set_verify_depth, and verify_depth, have not produced any messages that
deal with this call specifically.

TIA
Lou


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
