wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

update docs because depth refers only to intermediate certs

Browse source 
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3132)
This commit is contained in:
Thiago Arrais 2017-04-05 15:10:26 +00:00 committed by Rich Salz
parent 786b6a45fb
commit 800b5dac00
1 changed files with 13 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
doc/man3/SSL_CTX_set_verify.pod
View file

@ -39,10 +39,10 @@ B<SSL_get_ex_data_X509_STORE_CTX_idx> can be called to get the data index
of the current SSL object that is doing the verification. of the current SSL object that is doing the verification.
SSL_CTX_set_verify_depth() sets the maximum B<depth> for the certificate chain SSL_CTX_set_verify_depth() sets the maximum B<depth> for the certificate chain
verification that shall be allowed for B<ctx>. (See the BUGS section.) verification that shall be allowed for B<ctx>.
SSL_set_verify_depth() sets the maximum B<depth> for the certificate chain SSL_set_verify_depth() sets the maximum B<depth> for the certificate chain
verification that shall be allowed for B<ssl>. (See the BUGS section.) verification that shall be allowed for B<ssl>.
=head1 NOTES =head1 NOTES
@ -107,16 +107,19 @@ application provided procedure also has access to the verify depth information
and the verify_callback() function, but the way this information is used and the verify_callback() function, but the way this information is used
may be different. may be different.
SSL_CTX_set_verify_depth() and SSL_set_verify_depth() set the limit up SSL_CTX_set_verify_depth() and SSL_set_verify_depth() set a limit on the
to which depth certificates in a chain are used during the verification number of certificates between the end-entity and trust-anchor certificates.
procedure. If the certificate chain is longer than allowed, the certificates Neither the
above the limit are ignored. Error messages are generated as if these end-entity nor the trust-anchor certificates count against B<depth>. If the
certificates would not be present, most likely a certificate chain needed to reach a trusted issuer is longer than B<depth+2>,
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY will be issued. X509_V_ERR_CERT_CHAIN_TOO_LONG will be issued.
The depth count is "level 0:peer certificate", "level 1: CA certificate", The depth count is "level 0:peer certificate", "level 1: CA certificate",
"level 2: higher level CA certificate", and so on. Setting the maximum "level 2: higher level CA certificate", and so on. Setting the maximum
depth to 2 allows the levels 0, 1, and 2. The default depth limit is 100, depth to 2 allows the levels 0, 1, 2 and 3 (0 being the end-entity and 3 the
allowing for the peer certificate and additional 100 CA certificates. trust-anchor).
The default depth limit is 100,
allowing for the peer certificate, at most 100 intermediate CA certificates and
a final trust anchor certificate.
The B<verify_callback> function is used to control the behaviour when the The B<verify_callback> function is used to control the behaviour when the
SSL_VERIFY_PEER flag is set. It must be supplied by the application and SSL_VERIFY_PEER flag is set. It must be supplied by the application and