[erlang-questions] Strange behaviour of SSL verify depth option
Wed Apr 11 00:36:23 CEST 2012
I'm working on some SSL related code, and I'm testing with certificates
signed with an intermediate CA. According to the documentation:
Specifies the maximum verification depth, i.e. how far in a
chain of certificates the verification process can proceed
before the verification is considered to
fail. Peer certificate = 0, CA certificate = 1,
higher level CA certificate = 2, etc. The value 2
thus means that a chain can at most contain peer
cert, CA cert, next CA cert, and an additional CA
cert. The default value is 1.
However, with depth set to 1 or 2, verification succeeds. As I
understand this documentation, a depth of 1 with a certificate signed by
an intermediate CA should fail, since there's actually 2 CAs involved in
I also don't understand why setting the option to '2' allows a chain
consisting of 1 peer certificate and *3* CA certificates.
I've confirmed that SSL is following the chain by removing one of the
CA certificates from the list passed to SSL; verification fails as
expected. Both certificates need to be present. Verification also fails
if the depth is set to 0.
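One way to see exactly which certificates the verifier walks for a given depth is to hook a verify_fun into the connection and log each certificate it visits. This is an added example, not code from the original post; the module name, host, port and CA file path are assumptions, and the {depth, N} value is the option under test.

```erlang
%% depth_probe.erl: added example, not part of the original post.
%% Opens a TLS connection with verify_peer and the given depth, printing
%% every certificate the verifier visits (root first, peer last) so the
%% chain length actually accepted for that depth can be observed.
-module(depth_probe).
-export([connect/4]).

-include_lib("public_key/include/public_key.hrl").

%% Host, Port and CaFile are assumptions to be filled in by the caller.
%% Returns ok when the handshake succeeds, {error, Reason} otherwise.
connect(Host, Port, CaFile, Depth) ->
    ok = ssl:start(),
    Opts = [{verify, verify_peer},
            {cacertfile, CaFile},
            {depth, Depth},
            %% State is the number of certificates seen so far.
            {verify_fun, {fun log_cert/3, 0}}],
    case ssl:connect(Host, Port, Opts, 5000) of
        {ok, Sock} ->
            ssl:close(Sock),
            ok;
        {error, Reason} ->
            {error, Reason}
    end.

%% Called by the ssl application once per certificate in the chain.
%% Event is one of valid, valid_peer, {bad_cert, Why} or {extension, Ext}.
log_cert(#'OTPCertificate'{tbsCertificate = TBS}, Event, Count) ->
    Subject = TBS#'OTPTBSCertificate'.subject,
    io:format("cert ~p (~p): ~p~n", [Count + 1, Event, Subject]),
    case Event of
        {bad_cert, _} = Bad -> {fail, Bad};
        {extension, _}      -> {unknown, Count + 1};
        valid               -> {valid, Count + 1};
        valid_peer          -> {valid_peer, Count + 1}
    end.
```

Run it once per depth value (0, 1, 2) against the same server and compare the printed chain with the handshake result; a {bad_cert, max_path_length_reached} or similar reason in the error tuple shows where the depth limit was applied.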