default maximum chain length considered too low - Openssl



Thread: default maximum chain length considered too low

  1. default maximum chain length considered too low

    Dear OpenSSL developers,
    various grid projects have run into the default maximum chain length
    of 10 being too low. These bug reports show examples:

    http://bugzilla.globus.org/globus/show_bug.cgi?id=4994

    https://savannah.cern.ch/bugs/index.php?37563

    The functions SSL_CTX_set_verify_depth() and SSL_set_verify_depth()
    allow the maximum length to be increased, but this means that every
    application or library around OpenSSL needs to make such calls.
    Why not increase the default, say, to 100 instead, as Globus did?
    Thanks,
    Maarten (CERN/LCG/EGEE)

    ______________________________________________________________________
    OpenSSL Project http://www.openssl.org
    Development Mailing List openssl-dev@openssl.org
    Automated List Manager majordomo@openssl.org


  2. [openssl.org #1778] default maximum chain length considered too low

    Dear OpenSSL developers,
    on August 14 I posted this matter to the developer list. There has
    been no response. Please include this issue in the bug tracker.

    Various grid projects have run into the default maximum chain length
    of 9 being too low. These bug reports show examples:

    http://bugzilla.globus.org/globus/show_bug.cgi?id=4994

    https://savannah.cern.ch/bugs/index.php?37563

    The functions SSL_CTX_set_verify_depth() and SSL_set_verify_depth()
    allow the maximum length to be increased, but this means that every
    application or library around OpenSSL needs to make such calls.
    Why not increase the default, say, to 100 instead, as Globus did?
    Thanks,
    Maarten (CERN/LCG/EGEE)



  3. [openssl.org #1778] default maximum chain length considered too low

    > [Maarten.Litmaath@cern.ch - Thu Nov 06 09:19:52 2008]:
    >
    > Why not increase the default, say, to 100 instead, as Globus did?
    >
    >


    What did they actually change?

    Changing the line:

    9, /* depth */

    in x509_vpm.c should do the trick. Can you confirm this works?


  4. Re: [openssl.org #1778] default maximum chain length considered too low

    Hi Stephen,

    > > [Maarten.Litmaath@cern.ch - Thu Nov 06 09:19:52 2008]:
    > >
    > > Why not increase the default, say, to 100 instead, as Globus did?
    > >
    > >
    >
    > What did they actually change?
    >
    > Changing the line:
    >
    > 9, /* depth */
    >
    > in x509_vpm.c should do the trick. Can you confirm this works?


    Globus calls SSL_CTX_set_verify_depth() with a value of 100:

    http://viewcvs.globus.org/viewcvs.cg...?r1=1.7&r2=1.8

    So, if that call exactly overrides the value 9 in x509_vpm.c,
    then setting it to 100 would be equivalent to the Globus fix.

    I hope the hardcoded depth does not appear in more places?
    Thanks,
    Maarten
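
The effect of the depth limit discussed in this thread, shown as an added example that is not part of any post and not OpenSSL or Globus code. It builds a throwaway chain with three intermediate CAs and checks it with `openssl verify -verify_depth`, the command-line option that sets the same verification depth limit. All subjects, file names and the helper functions `build_chain` and `verify_at_depth` are constructed for this demo, and the depths 1 and 10 are chosen well either side of the chain's length.

```shell
#!/bin/sh
# Added example: throwaway chain root -> ca1 -> ca2 -> ca3 -> leaf.
# All names, subjects and file paths are constructed for this demo.

build_chain() {  # $1 = empty working directory
  w=$1
  cat > "$w/c.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca
[dn]
CN = Common Name
[ca]
basicConstraints = critical,CA:TRUE
[ee]
basicConstraints = CA:FALSE
EOF
  for n in root ca1 ca2 ca3 leaf; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$w/$n.key" || return 1
  done
  # Self-signed trust anchor.
  openssl req -x509 -new -key "$w/root.key" -subj "/CN=root" -days 1 \
    -config "$w/c.cnf" -out "$w/root.pem" || return 1
  issuer=root
  # Each certificate is signed by the previous one; only the leaf is not a CA.
  for n in ca1 ca2 ca3 leaf; do
    if [ "$n" = leaf ]; then sect=ee; else sect=ca; fi
    openssl req -new -key "$w/$n.key" -subj "/CN=$n" -config "$w/c.cnf" \
      -out "$w/$n.csr" || return 1
    openssl x509 -req -in "$w/$n.csr" -CA "$w/$issuer.pem" \
      -CAkey "$w/$issuer.key" -set_serial 1 -days 1 -extfile "$w/c.cnf" \
      -extensions "$sect" -out "$w/$n.pem" 2>/dev/null || return 1
    issuer=$n
  done
  cat "$w/ca1.pem" "$w/ca2.pem" "$w/ca3.pem" > "$w/inter.pem"
}

verify_at_depth() {  # $1 = working directory, $2 = depth limit
  # Succeeds only if openssl reports the leaf as OK under the given limit.
  openssl verify -verify_depth "$2" -CAfile "$1/root.pem" \
    -untrusted "$1/inter.pem" "$1/leaf.pem" 2>&1 | grep -q ': OK$'
}

d=$(mktemp -d) || exit 1
build_chain "$d" || exit 1
for depth in 1 10; do
  if verify_at_depth "$d" "$depth"; then echo "depth $depth: chain accepted"
  else echo "depth $depth: chain rejected"; fi
done
rm -rf "$d"
```

The same certificates pass or fail purely as a function of the limit, which is why a library that never raises it rejects long but otherwise valid chains.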




