authorjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2009-11-13 11:09:47 +0000
committerjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2009-11-13 11:09:47 +0000
commitb9437c64ddd36c7c13508977e1a348d0e45d3187 (patch)
tree5cfc1a5e572826bb66d9a6c96b4a15f848e7c398
parentVersion 2.1_rc21 (diff)
downloadopenvpn-b9437c64ddd36c7c13508977e1a348d0e45d3187.tar.xz
Increase MAX_CERT_DEPTH to 16 (from 8), and when exceeded,
make it a hard failure, rather than just a warning. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5159 e7ae566f-a301-0410-adde-c780ea21d3b5
-rw-r--r--ssl.c5
-rw-r--r--ssl.h2
-rw-r--r--version.m42
3 files changed, 6 insertions, 3 deletions
diff --git a/ssl.c b/ssl.c
index d882c94..e6953db 100644
--- a/ssl.c
+++ b/ssl.c
@@ -766,7 +766,10 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx)
/* warn if cert chain is too deep */
if (ctx->error_depth >= max_depth)
- msg (M_WARN, "TLS Warning: Convoluted certificate chain detected with depth [%d] greater than %d", ctx->error_depth, max_depth);
+ {
+ msg (D_TLS_ERRORS, "TLS Error: Convoluted certificate chain detected with depth [%d] greater than %d", ctx->error_depth, max_depth);
+ goto err; /* Reject connection */
+ }
/* save common name in session object */
if (ctx->error_depth == 0)
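Review bot: The comment directly above the check still reads `/* warn if cert chain is too deep */`, but the new branch logs at D_TLS_ERRORS and jumps to `err`, so the chain is now rejected rather than warned about; change it to `/* reject the connection if the cert chain is too deep */`. The log text also disagrees with the test: the condition is `ctx->error_depth >= max_depth`, so a chain whose depth equals max_depth is refused while the message says it is "greater than" the limit — either make the comparison `>` or reword the message, e.g. `"TLS Error: Convoluted certificate chain detected with depth [%d] at or above the maximum %d"`. OpenSSL numbers error_depth from 0 at the leaf, so a short comment saying which count this bounds would help whoever tunes the limit. The `err:` label, the rest of verify_callback and the definition of max_depth are outside the hunk, so I cannot confirm the cleanup path taken by `goto err` or how max_depth relates to MAX_CERT_DEPTH.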
diff --git a/ssl.h b/ssl.h
index 3bb5fbe..9737f26 100644
--- a/ssl.h
+++ b/ssl.h
@@ -307,7 +307,7 @@
*/
/* Maximum certificate depth we will allow */
-#define MAX_CERT_DEPTH 8
+#define MAX_CERT_DEPTH 16
struct cert_hash {
unsigned char sha1_hash[SHA_DIGEST_LENGTH];
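Review bot: The comment `/* Maximum certificate depth we will allow */` does not say what happens at the limit now that exceeding it is a hard TLS failure rather than a warning; suggest `/* Maximum certificate depth we will allow; a chain reaching this depth (OpenSSL error_depth, leaf = 0) is rejected outright by verify_callback */`. Whether verify_callback's max_depth is this constant or a value derived from it is not visible in this diff, so confirm the wording against that code. If any per-depth state, such as the cert hash structures declared just below, is sized by this constant, the hard rejection is what keeps those indices in bounds and that dependency is worth noting here too.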
diff --git a/version.m4 b/version.m4
index 9f61a81..6e4ab9f 100644
--- a/version.m4
+++ b/version.m4
@@ -1,5 +1,5 @@
dnl define the OpenVPN version
-define(PRODUCT_VERSION,[2.1_rc21])
+define(PRODUCT_VERSION,[2.1_rc21a])
dnl define the TAP version
define(PRODUCT_TAP_ID,[tap0901])
define(PRODUCT_TAP_WIN32_MIN_MAJOR,[9])