Increase MAX_CERT_DEPTH to 16 (from 8), and when exceeded,

make it a hard failure, rather than just a warning. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5159 e7ae566f-a301-0410-adde-c780ea21d3b5
author: james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> 2009-11-13 11:09:47 +0000
committer: james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> 2009-11-13 11:09:47 +0000
commit: b9437c64ddd36c7c13508977e1a348d0e45d3187 (patch)
tree: 5cfc1a5e572826bb66d9a6c96b4a15f848e7c398 /ssl.c
parent: Version 2.1_rc21 (diff)
download: openvpn-b9437c64ddd36c7c13508977e1a348d0e45d3187.tar.xz
1 files changed, 4 insertions, 1 deletions
diff --git a/ssl.c b/ssl.c
index d882c94..e6953db 100644
--- a/ssl.c
+++ b/ssl.c
@@ -766,7 +766,10 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx)
 
   /* warn if cert chain is too deep */
   if (ctx->error_depth >= max_depth)
-    msg (M_WARN, "TLS Warning: Convoluted certificate chain detected with depth [%d] greater than %d", ctx->error_depth, max_depth);
+    {
+      msg (D_TLS_ERRORS, "TLS Error: Convoluted certificate chain detected with depth [%d] greater than %d", ctx->error_depth, max_depth);
+      goto err;			/* Reject connection */
+    }
 
   /* save common name in session object */
   if (ctx->error_depth == 0)
author	james <james@e7ae566f-a301-0410-adde-c780ea21d3b5>	2009-11-13 11:09:47 +0000
committer	james <james@e7ae566f-a301-0410-adde-c780ea21d3b5>	2009-11-13 11:09:47 +0000
commit	b9437c64ddd36c7c13508977e1a348d0e45d3187 (patch)
tree	5cfc1a5e572826bb66d9a6c96b4a15f848e7c398 /ssl.c
parent	Version 2.1_rc21 (diff)
download	openvpn-b9437c64ddd36c7c13508977e1a348d0e45d3187.tar.xz