[erlang-questions] Strange behaviour of SSL verify depth option
Wed Apr 11 13:12:51 CEST 2012
2012/4/11 Andrew Thompson <>:
> I'm working on some SSL related code, and I'm testing with certificates
> signed with an intemediate CA. According to the documentation:
> Specifies the maximum verification depth, i.e. how far in a
> chain of certificates the verification process can proceed
> before the verification is considered to
> fail. Peer certificate = 0, CA certificate = 1,
> higher level CA certificate = 2, etc. The value 2
> thus means that a chain can at most contain peer
> cert, CA cert, next CA cert, and an additional CA
> cert. The default value is 1.
> However, with depth set to 1 or 2, verification succeeds. As I
> understand this documentation, a depth of 1 with a certificate signed by
> an intermediate CA should fail, since there's actually 2 CAs involved in
> the chain.
> I also don't understand why setting the option to '2' allows a chain
> consisting of 1 peer certificate and *3* CA certificates.
Humm... maybe this could be expressed clearer (that phrasing has been
around for a while)
The depth is the maximum number of non-self-issued intermediate
certificates that may follow the
peer certificate in a valid certification path. So if depth is 0 the
PEER must be signed by the trusted ROOT-CA directly, if 1 the path
can be PEER, CA, ROOT-CA, if it is 2 PEER, CA, CA, ROOT-CA and so on.
Regards Ingela Erlang/OTP team - Ericsson AB
More information about the erlang-questions