[omniORB] certificate trust chain depth in sslContext

Arnault Bonafos arnault.bonafos@tumbleweed.com
Wed Dec 11 21:54:00 2002


Hello,
In the function "set_CA" of the sslContext omniORB class, I can see that
we're explicitly limiting the certificate trust chain depth to 1 (by
calling SSL_CTX_set_verify_depth(pd_ctx,1)).

This particularly means that certificates issued by intermediate CAs cannot
be verified, as the trust chain length would then be greater than 1 (root CA +
intermediate CAs). Note that attempted connections in that context report
"unknown CA" and the connection cannot be established, as we're asking for
client and server authentication.

I was wondering if there was any historical reason for this explicit
limitation, and what the best way would be to parametrize this SSL
verification depth for a user application using omniORB?
I'm currently simply commenting out the line calling
SSL_CTX_set_verify_depth to take advantage of the OpenSSL default (9).

Arnault.