From 800b5dac006344896a3aa947ab13cd9f63e3fc4c Mon Sep 17 00:00:00 2001 From: Thiago Arrais Date: Wed, 5 Apr 2017 15:10:26 +0000 Subject: [PATCH] update docs because depth refers only to intermediate certs Reviewed-by: Viktor Dukhovni Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/3132) --- doc/man3/SSL_CTX_set_verify.pod | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/doc/man3/SSL_CTX_set_verify.pod b/doc/man3/SSL_CTX_set_verify.pod index c2077bbb46..799349892c 100644 --- a/doc/man3/SSL_CTX_set_verify.pod +++ b/doc/man3/SSL_CTX_set_verify.pod @@ -39,10 +39,10 @@ B can be called to get the data index of the current SSL object that is doing the verification. SSL_CTX_set_verify_depth() sets the maximum B for the certificate chain -verification that shall be allowed for B. (See the BUGS section.) +verification that shall be allowed for B. SSL_set_verify_depth() sets the maximum B for the certificate chain -verification that shall be allowed for B. (See the BUGS section.) +verification that shall be allowed for B. =head1 NOTES 
@@ -107,16 +107,19 @@ application provided procedure also has access to the verify depth information and the verify_callback() function, but the way this information is used may be different. -SSL_CTX_set_verify_depth() and SSL_set_verify_depth() set the limit up -to which depth certificates in a chain are used during the verification -procedure. If the certificate chain is longer than allowed, the certificates -above the limit are ignored. Error messages are generated as if these -certificates would not be present, most likely a -X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY will be issued. +SSL_CTX_set_verify_depth() and SSL_set_verify_depth() set a limit on the +number of certificates between the end-entity and trust-anchor certificates. +Neither the +end-entity nor the trust-anchor certificates count against B. If the +certificate chain needed to reach a trusted issuer is longer than B, +X509_V_ERR_CERT_CHAIN_TOO_LONG will be issued. The depth count is "level 0:peer certificate", "level 1: CA certificate", "level 2: higher level CA certificate", and so on. Setting the maximum -depth to 2 allows the levels 0, 1, and 2. The default depth limit is 100, -allowing for the peer certificate and additional 100 CA certificates. +depth to 2 allows the levels 0, 1, 2 and 3 (0 being the end-entity and 3 the +trust-anchor). +The default depth limit is 100, +allowing for the peer certificate, at most 100 intermediate CA certificates and +a final trust anchor certificate. The B function is used to control the behaviour when the SSL_VERIFY_PEER flag is set. It must be supplied by the application and -- 2.25.1
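Review bot: for the first hunk (the two removed "(See the BUGS section.)" cross-references), the BUGS section itself is not touched anywhere in this patch (the stat's 13 insertions / 10 deletions are fully accounted for by the two hunks shown), so if BUGS still describes the old behaviour where certificates above the limit are ignored and X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY is reported, it now contradicts the rewritten NOTES paragraph; either drop that BUGS text or reword it in the same change so the two sections agree.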
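Review bot: for the second hunk, the worked example is left inconsistent with the new definition introduced just above it: the added text says neither the end-entity nor the trust-anchor certificate counts against depth, yet the example keeps the "level 0: peer certificate" numbering and states that depth 2 "allows the levels 0, 1, 2 and 3" without saying that only levels 1 and 2 (the intermediates) are what the limit counts. Suggest making that explicit, e.g. "Setting the maximum depth to 2 allows chains with at most two intermediate CA certificates, i.e. levels 0 through 3, where level 0 is the end-entity and level 3 the trust anchor." Two style points in the same hunk: the short added lines "Neither the" and "The default depth limit is 100," should be reflowed to the paragraph width used elsewhere in the file, and the hunk mixes "trust-anchor certificates" with "trust anchor certificate"; pick one spelling.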