[erlang-questions] Strange behaviour of SSL verify depth option

Andrew Thompson <>
Wed Apr 11 00:36:23 CEST 2012


I'm working on some SSL related code, and I'm testing with certificates
signed with an intemediate CA. According to the documentation:

  Specifies the maximum verification depth, i.e. how far in a
  chain of certificates the verification process can proceed
  before  the  verification  is  considered  to
  fail.  Peer  certificate  = 0, CA certificate = 1,
  higher level CA certificate = 2, etc. The value 2
  thus means that a chain can at most contain peer
  cert, CA cert, next CA cert, and an additional CA
  cert. The default value is 1.

However, with depth set to 1 or 2, verification succeeds. As I
understand this documentation, a depth of 1 with a certificate signed by
an intermediate CA should fail, since there's actually 2 CAs involved in
the chain.

I also don't understand why setting the option to '2' allows a chain
consisting of 1 peer certificate and *3* CA certificates.

I've confirmed that SSL is following the chain by removing one of the
CA certificates from the list passed to SSL, verifications fails as
expected. Both certificates need to be present. Verification also fails
if the depth is set to 0.

Andrew



More information about the erlang-questions mailing list