[Pkg-openssl-devel] Bug#524082: openssl: s_client ignores depth if certificate chain is valid
Romain Francoise
rfrancoise at debian.org
Tue Apr 14 17:57:35 UTC 2009
Package: openssl
Version: 0.9.8g-16
openssl s_client takes a depth parameter for the -verify option:
| -verify depth
| The verify depth to use. This specifies the maximum length of the
| server certificate chain and turns on server certificate
| verification. Currently the verify operation continues after
| errors so all the problems with a certificate chain can be seen. As
| a side effect the connection will never fail due to a server
| certificate verify failure.
This parameter is correctly enforced when the server certificate
chain is invalid, but it is not when the chain is valid. In other
words, s_client doesn't verify the chain depth when all certificates
are valid.
It's because the depth check is implemented (in a verify callback)
in a conditional on the certificate status, if all certificates are
valid, the depth is never checked! I would expect the verification
to fail if the chain is deeper than what I'm asking for, even if the
chain itself is valid.
(As a side note, the documentation is incorrect: when the chain is
invalid *and* deeper than the required depth, s_client doesn't
continue, it exits in the handshake.)
--
Romain Francoise <rfrancoise at debian.org>
http://people.debian.org/~rfrancoise/
More information about the Pkg-openssl-devel
mailing list