Hi,

I've been investigating the way that verify depth works in OpenSSL, and I've
managed to confuse myself over what it actually means.  It seems to be used in
two places, with different meanings and/or effects.

1.  In the verify_callback example in s_cb.c.

Here the verify depth is set as a global variable.  If a verify error occurs,
the callback is called, and the depth of the error is checked against the global
variable.  If the error is below the global variable, it is ignored.  The effect
of this is that we only check to the depth of the verify depth variable.

So if I have a chain RootCA/SigningCA/PeerCert, and a verify depth of 1, Root CA
is checked first, at depth 2.  An error here will be ignored.  The Signing CA is
checked next, at depth 1, and the Peer Cert last at depth 0.  Any errors here
are returned to the caller.

The effect then is to limit the checking to the depth set.

2.  In the SSL_CTX_set_verify_depth() function.

If we use this function, it seems that we actually change the start point of
verify checking.  Setting the verify depth to 1, with the same chain, starts the
verify checking at the Signing CA, and this will fail with
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.  If this is ignored, a second
error, X509_V_ERR_CERT_UNTRUSTED, is detected.

From this, I wonder what the point of the SSL_CTX_set_verify_depth() function
is, apart from limiting the depth of the search, i.e. barring chains that are
too long.

In any case, it does seem to be the same purpose as the verify depth
functionality in (1).  Can anybody clarify this confusion?

My problem arises because I assumed that the real purpose of verify depth was
that in (1), but as I have to handle multiple SSL configurations in parallel,
that was not really compatible with the use of global variables.  I was expecting
the SSL_CTX_set_verify_depth() function to give me that context (in both senses
of the word) sensitive functionality.  And it does not.

Thanks,

G.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]