
Re: Auto plugged off?



> There's a disagreement between the comments in ssl.el and the s_client
> manpage about the meaning of the -verify option.  The documented
> behaviour of -verify N is to limit the depth of the certificate chain
> to N entries and, at least on NetBSD, that seems to be the actual
> behaviour.  So with the default -verify 0 the fastmail cert (which has
> two extra links in its trust chain) gives a verification failure, but
> -verify 2 (or more) works.  The server I was logging into successfully
> was using a self-signed cert so that a depth of 0 was sufficient.

But what are the security semantics behind limiting validation chain
length at all?  Either you can get to the trust anchor from the
presented cert or you can't.  What is the threat model that would cause
me to want to limit the validation chain length?

> As Tatsuya Kinoshita pointed out, the verification doesn't amount to
> much: the connections work fine (as long as the certificate chain is
> shorter than -verify N!) even though I now realize that I have no root
> CA certs installed on this machine and therefore can't possibly be
> validating the certificate the server sends me.

So we care how long the chain is but we don't care if it validates?  Did
I spill something strange into my coffee?

Please tell me this all isn't true.

randy
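An added example, not code from this thread or from ssl.el, to make the two observations above concrete: a throwaway three-link chain (root CA, issuing CA, server certificate) plus a self-signed server certificate are built with the openssl command line and run through `openssl verify` with different `-verify_depth` limits, with and without a trust anchor. The CA names, the file names and the `mail.example.test` hostname are made up for the demonstration; the only assumption is an openssl binary on PATH (1.1.0 or later, for `-no-CAfile`/`-no-CApath`). Everything is written to a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original thread: build a small chain
#   Example Root CA -> Example Issuing CA -> mail.example.test
# with the openssl CLI and check it with `openssl verify` under
# different -verify_depth limits, with and without a trust anchor.
# All names and file names are made up for the demonstration.

# gen_csr NAME CN: fresh RSA key NAME.key and CSR NAME.csr in the cwd.
gen_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

# make_chain DIR: populate DIR with root.pem (self-signed CA), inter.pem
# (CA issued by root), leaf.pem (server cert issued by inter) and self.pem
# (a self-signed server cert, like the host the poster could log in to).
# Runs in a subshell so the cd and set -e do not leak to the caller.
make_chain() (
    set -e
    mkdir -p "$1" && cd "$1"
    # v3 extensions: without CA:TRUE a modern OpenSSL rejects the issuers.
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > ca.ext
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' 'extendedKeyUsage=serverAuth' \
        'subjectAltName=DNS:mail.example.test' > leaf.ext
    gen_csr root  'Example Root CA'
    gen_csr inter 'Example Issuing CA'
    gen_csr leaf  'mail.example.test'
    gen_csr self  'self.example.test'
    openssl x509 -req -in root.csr -signkey root.key -days 365 -sha256 \
        -extfile ca.ext -out root.pem 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 365 -sha256 -extfile ca.ext -out inter.pem 2>/dev/null
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -days 365 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null
    openssl x509 -req -in self.csr -signkey self.key -days 365 -sha256 \
        -extfile leaf.ext -out self.pem 2>/dev/null
)

# verify_leaf DIR DEPTH: validate leaf.pem with root.pem as the trust
# anchor, inter.pem offered as an untrusted intermediate, and the chain
# depth limited to DEPTH. Returns openssl's exit status (0 = verified).
verify_leaf() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" \
        -verify_depth "$2" "$1/leaf.pem"
}

# verify_leaf_no_anchor DIR: same chain, but with an empty trust store,
# which is the "no root CA certs installed" situation from the thread.
verify_leaf_no_anchor() {
    openssl verify -no-CAfile -no-CApath -untrusted "$1/inter.pem" "$1/leaf.pem"
}

# verify_self_signed DIR DEPTH: a self-signed server cert that is trusted
# directly needs no chain, so even depth 0 is enough.
verify_self_signed() {
    openssl verify -CAfile "$1/self.pem" -verify_depth "$2" "$1/self.pem"
}

# report CMD...: run a check, show openssl's verdict and its exit status.
report() {
    status=0
    "$@" 2>&1 || status=$?
    echo "[exit $status]"
}

demo() {
    work=$(mktemp -d)
    make_chain "$work" || { echo "chain generation failed"; return 1; }
    for d in 0 1 2; do
        echo "== root -> inter -> leaf, -verify_depth $d"
        report verify_leaf "$work" "$d"
    done
    echo "== same chain, no trust anchor configured"
    report verify_leaf_no_anchor "$work"
    echo "== self-signed server cert trusted directly, -verify_depth 0"
    report verify_self_signed "$work" 0
    rm -rf "$work"
}

demo
```

Two things to read off the output. First, the depth limit is a check separate from chain validation: the three-link chain verifies with depth 2 and is rejected with depth 0, and whether depth 1 accepts it depends on the OpenSSL version (releases before 1.1.0 counted every certificate above the leaf, later ones count only intermediates). Second, with no trust anchor `openssl verify` exits nonzero, which is the verdict the client in the thread should have been acting on. The reason the connections still worked is that `s_client` is a diagnostic tool: by default it prints the verification error and carries on with the handshake, and only `-verify_return_error` makes it abort on a failed verification. In the apps code of that era the `-verify N` argument was also consulted inside the verify callback: an error at chain depth N or less was logged and ignored, while one deeper than N was turned into a hard "certificate chain too long" failure, which is exactly the behaviour the quoted message describes, since a missing trust anchor surfaces as an error at the top of the chain.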