I'm experimenting with 1.0.0-beta2 and it appears to me that
SSL_CTX_set_verify_depth
has no effect. This function is supposed to set the maximum depth of the
certificate chain that's sent by the peer.
It appears to work with 0.9.8g though.
I tried to do some debugging and found out that there's an inheritance
mechanism in place that creates a new X509_STORE every time a
certificate needs to be checked. I guess that this inheritance mechanism
is somehow broken because it does not inherit the correct depth value
to the newly created X509_STORE. A default value of 100 is always used.
Also, the -verify parameter of openssl s_client has little effect. But
that's a different issue because s_client does not rely on the
set_verify_depth mechanism but rather has its own callback function for
this kind of validation.
Can anybody confirm these observations?
-Daniel
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org