CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2026/05/04 07:55:20
Modified files:
lib/libcrypto/x509: x509_verify.c
Log message:
verifier: re-enable the callback override for depth

kirill reported that his nginx reverse proxy setup stopped working
with x509_verify.c r1.74 and r1.75. It turns out that nginx relies
on a verify callback that always returns 1.

In revision 1.74 we removed the possibility of the verify_cb() to
override X509_V_ERR_CERT_CHAIN_TOO_LONG, which is what breaks the
config in kirill's setup since it used to use the nginx default of
setting the depth to 1. Re-enable this to make the new scenario
"2a with depth 1 and depth callback" pass.

As shown by the other new test scenario "14b with yolo calback"
with a "just say yes" cb, the guard added in r1.74 still prevents
the overwrite.

This makes kirill's reproducer work as verified by kirill and myself.
It was also tested by kirill in the real life setup.

discussed with beck

ok jsing kenjiro