Bodo Moeller wrote:
>
> On Wed, Jun 23, 1999 at 02:34:17PM +0100, Ben Laurie wrote:
> > Jordi Floriach i Ytxart wrote:
>
> >> I've just found the solution to my problem. This is that I need to set
> >> SSLVerifyDepth >1. Why? I don't know, but it works.
>
> > The depth is essentially the number of certs in the chain. So, for a
> > "normal" client cert, it is 2.
>
> Oops, why is that? The depth of the certification tree is one less
> than that, and that's also how OpenSSL's apps/s_cb.c (mis-)treats its
> -verify argument ("mis..." in that there's not actually an error if
> the depth is exceeded). This means that if the root CA directly signs
> user certificates, the depth really is 1 (and an X.509v3
> pathLenConstraint parameter for this in the CA certificate would be 0,
> because it looks only at CA certificates).
It's not like that for any fantastically good reason, it's just the way it
is. Since it is trivial to explain, I preferred not to break backwards
compatibility when I realised. I agree it isn't the most obvious thing,
but there you are. I suppose I could introduce a new directive that did
it "right".
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi
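As an added illustration, not code from the thread or from Apache-SSL/OpenSSL, here is a small checker that applies the three counting conventions discussed above (Apache-SSL's SSLVerifyDepth, OpenSSL's verify depth, and X.509v3 pathLenConstraint) to a chain ordered leaf first, root last; the Cert fields, function names and sample chains are my own assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Cert:
    subject: str
    is_ca: bool
    path_len: Optional[int] = None  # X.509v3 pathLenConstraint; None = absent/unlimited

def apache_ssl_depth(chain: List[Cert]) -> int:
    """Apache-SSL's SSLVerifyDepth counting: every certificate in the chain counts."""
    return len(chain)

def openssl_depth(chain: List[Cert]) -> int:
    """OpenSSL's verify depth: the leaf sits at depth 0, so depth = certs - 1."""
    return len(chain) - 1

def required_root_path_len(chain: List[Cert]) -> int:
    """pathLenConstraint counts only CA certs beneath the constrained CA, so a root
    that signs the leaf directly needs 0, one intermediate needs 1, and so on."""
    return len(chain) - 2

def check_chain(chain: List[Cert], ssl_verify_depth: int) -> List[str]:
    """Report why a chain (leaf first, root last) would be rejected: the Apache-SSL
    depth limit, a non-CA issuer, or a CA whose pathLenConstraint is exceeded."""
    problems = []
    if apache_ssl_depth(chain) > ssl_verify_depth:
        problems.append(f"chain has {len(chain)} certs, exceeds SSLVerifyDepth {ssl_verify_depth}")
    for i in range(1, len(chain)):
        issuer = chain[i]
        if not issuer.is_ca:
            problems.append(f"{issuer.subject} issued {chain[i - 1].subject} but is not a CA")
        intermediates_below = i - 1  # CA certs between this issuer and the leaf
        if issuer.path_len is not None and intermediates_below > issuer.path_len:
            problems.append(f"{issuer.subject}: pathLenConstraint {issuer.path_len} "
                            f"but {intermediates_below} CA cert(s) below it")
    return problems

# Constructed sample chains (hypothetical subjects, not real certificates).
LEAF = Cert("client", is_ca=False)
ROOT = Cert("root CA", is_ca=True, path_len=0)
INTER = Cert("intermediate CA", is_ca=True, path_len=0)
DIRECT_CHAIN = [LEAF, ROOT]        # the "normal" client cert from the thread
INTER_CHAIN = [LEAF, INTER, ROOT]  # root's pathLen 0 forbids the intermediate

if __name__ == "__main__":
    print(apache_ssl_depth(DIRECT_CHAIN), openssl_depth(DIRECT_CHAIN),
          required_root_path_len(DIRECT_CHAIN))  # prints 2 1 0
    print(check_chain(DIRECT_CHAIN, 1))  # rejected with SSLVerifyDepth 1, as in the thread
    print(check_chain(INTER_CHAIN, 3))   # root's pathLenConstraint 0 is violated
```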