[erlang-questions] Strange behaviour of SSL verify depth option

Ingela Andin <>
Wed Apr 11 13:12:51 CEST 2012


HI!

2012/4/11 Andrew Thompson <>:
> I'm working on some SSL related code, and I'm testing with certificates
> signed with an intemediate CA. According to the documentation:
>
>  Specifies the maximum verification depth, i.e. how far in a
>  chain of certificates the verification process can proceed
>  before  the  verification  is  considered  to
>  fail.  Peer  certificate  = 0, CA certificate = 1,
>  higher level CA certificate = 2, etc. The value 2
>  thus means that a chain can at most contain peer
>  cert, CA cert, next CA cert, and an additional CA
>  cert. The default value is 1.
>
> However, with depth set to 1 or 2, verification succeeds. As I
> understand this documentation, a depth of 1 with a certificate signed by
> an intermediate CA should fail, since there's actually 2 CAs involved in
> the chain.
>
> I also don't understand why setting the option to '2' allows a chain
> consisting of 1 peer certificate and *3* CA certificates.

Humm... maybe this could be expressed clearer (that phrasing has been
around for a while)

The depth is  the maximum number of non-self-issued intermediate
certificates that may follow the
peer certificate in a valid certification path.  So if depth is 0 the
PEER must be signed by the trusted  ROOT-CA directly, if 1 the path
can be PEER, CA, ROOT-CA, if it is 2 PEER, CA, CA, ROOT-CA and so on.

Regards Ingela Erlang/OTP team - Ericsson AB



More information about the erlang-questions mailing list