Increase MAX_CERT_DEPTH to 16 (from 8), and when exceeded,

make it a hard failure, rather than just a warning.


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5159 e7ae566f-a301-0410-adde-c780ea21d3b5

3 files changed, 6 insertions, 3 deletions

diff --git a/ssl.c b/ssl.c
index d882c94..e6953db 100644
--- a/ssl.c
+++ b/ssl.c
@@ -766,7 +766,10 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx)
 
   /* warn if cert chain is too deep */
   if (ctx->error_depth >= max_depth)
-    msg (M_WARN, "TLS Warning: Convoluted certificate chain detected with depth [%d] greater than %d", ctx->error_depth, max_depth);
+    {
+      msg (D_TLS_ERRORS, "TLS Error: Convoluted certificate chain detected with depth [%d] greater than %d", ctx->error_depth, max_depth);
+      goto err;			/* Reject connection */
+    }
 
   /* save common name in session object */
   if (ctx->error_depth == 0)
diff --git a/ssl.h b/ssl.h
index 3bb5fbe..9737f26 100644
--- a/ssl.h
+++ b/ssl.h
@@ -307,7 +307,7 @@
  */
 
 /* Maximum certificate depth we will allow */
-#define MAX_CERT_DEPTH 8
+#define MAX_CERT_DEPTH 16
 
 struct cert_hash {
   unsigned char sha1_hash[SHA_DIGEST_LENGTH];
diff --git a/version.m4 b/version.m4
index 9f61a81..6e4ab9f 100644
--- a/version.m4
+++ b/version.m4
@@ -1,5 +1,5 @@
 dnl define the OpenVPN version
-define(PRODUCT_VERSION,[2.1_rc21])
+define(PRODUCT_VERSION,[2.1_rc21a])
 dnl define the TAP version
 define(PRODUCT_TAP_ID,[tap0901])
 define(PRODUCT_TAP_WIN32_MIN_MAJOR,[9])