[omniORB] certificate trust chain depth in sslContext

Arnault Bonafos arnault.bonafos@tumbleweed.com
Thu Dec 12 02:23:02 2002


I've found the obvious: derive sslContext to override set_CA (or other
interesting function), or manipulate the global default context after it has
been created.
But why was the verification depth limit set to 1?

Arnault.

> -----Original Message-----
> From: Arnault Bonafos [mailto:arnault.bonafos@tumbleweed.com]
> Sent: Wednesday, December 11, 2002 1:52 PM
> To: omniorb-list@omniorb-support.com
> Subject: [omniORB] certificate trust chain depth in sslContext
> 
> 
> Hello,
> In the function "set_CA" of the sslContext omniORB class, I can see that
> we're explicitly limiting the certificate trust chain depth to 1 (by
> calling SSL_CTX_set_verify_depth(pd_ctx,1)).
> 
> This particularly means that certificates issued by intermediate CAs cannot
> be verified, as then the trust chain length would be greater than 1 (root CA +
> intermediate CAs). For note, attempted connections in that context report
> "unknown CA" and the connection cannot be established, as we're asking for
> client and server authentication.
> 
> I was wondering if there was any historical reason for this explicit
> limitation and what should be the best way to parametrize this SSL
> verification depth for a user application using omniORB?
> I'm currently simply commenting out the line calling
> SSL_CTX_set_verify_depth to take advantage of the OpenSSL default (9).
> 
> Arnault.
> 
> _______________________________________________
> omniORB-list mailing list
> omniORB-list@omniorb-support.com
> http://www.omniorb-support.com/mailman/listinfo/omniorb-list
>