[openssl.org #1778] default maximum chain length considered too low
[EMAIL PROTECTED] - Thu Nov 06 09:19:52 2008]: Why not increase the default, say, to 100 instead, as Globus did? What did they actually change? Changing the line: 9, /* depth */ in x509_vpm.c should do the trick. Can you confirm this works? __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #1778] default maximum chain length considered too low
Hi Stephen, [EMAIL PROTECTED] - Thu Nov 06 09:19:52 2008]: Why not increase the default, say, to 100 instead, as Globus did? What did they actually change? Changing the line: 9, /* depth */ in x509_vpm.c should do the trick. Can you confirm this works? Globus calls SSL_CTX_set_verify_depth() with a value of 100: http://viewcvs.globus.org/viewcvs.cgi/gsi/callback/source/library/globus_gsi_callback_constants.h?r1=1.7r2=1.8 So, if that call exactly overrides the value 9 in x509_vpm.c, then setting it to 100 would be equivalent to the Globus fix. I hope the hardcoded depth does not appear in more places? Thanks, Maarten __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #1778] default maximum chain length considered too low
Hi Stephen, [EMAIL PROTECTED] - Thu Nov 06 09:19:52 2008]: Why not increase the default, say, to 100 instead, as Globus did? What did they actually change? Changing the line: 9, /* depth */ in x509_vpm.c should do the trick. Can you confirm this works? Globus calls SSL_CTX_set_verify_depth() with a value of 100: http://viewcvs.globus.org/viewcvs.cgi/gsi/callback/source/library/globus_gsi_callback_constants.h?r1=1.7r2=1.8 So, if that call exactly overrides the value 9 in x509_vpm.c, then setting it to 100 would be equivalent to the Globus fix. I hope the hardcoded depth does not appear in more places? Thanks, Maarten __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1778] default maximum chain length considered too low
Dear OpenSSL developers, on August 14 I posted this matter to the developer list. There has been no response. Please include this issue in the bug tracker. Various grid projects have run into the default maximum chain length of 9 being too low. These bug reports show examples: http://bugzilla.globus.org/globus/show_bug.cgi?id=4994 https://savannah.cern.ch/bugs/index.php?37563 The functions SSL_CTX_set_verify_depth() and SSL_set_verify_depth() allow the maximum length to be increased, but this means that every application or library around OpenSSL needs to make such calls. Why not increase the default, say, to 100 instead, as Globus did? Thanks, Maarten (CERN/LCG/EGEE) __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]