From b9437c64ddd36c7c13508977e1a348d0e45d3187 Mon Sep 17 00:00:00 2001 From: james Date: Fri, 13 Nov 2009 11:09:47 +0000 Subject: Increase MAX_CERT_DEPTH to 16 (from 8), and when exceeded, make it a hard failure, rather than just a warning. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5159 e7ae566f-a301-0410-adde-c780ea21d3b5 --- ssl.c | 5 ++++- ssl.h | 2 +- version.m4 | 2 +- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ssl.c b/ssl.c index d882c94..e6953db 100644 --- a/ssl.c +++ b/ssl.c @@ -766,7 +766,10 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx) /* warn if cert chain is too deep */ if (ctx->error_depth >= max_depth) - msg (M_WARN, "TLS Warning: Convoluted certificate chain detected with depth [%d] greater than %d", ctx->error_depth, max_depth); + { + msg (D_TLS_ERRORS, "TLS Error: Convoluted certificate chain detected with depth [%d] greater than %d", ctx->error_depth, max_depth); + goto err; /* Reject connection */ + } /* save common name in session object */ if (ctx->error_depth == 0) diff --git a/ssl.h b/ssl.h index 3bb5fbe..9737f26 100644 --- a/ssl.h +++ b/ssl.h @@ -307,7 +307,7 @@ */ /* Maximum certificate depth we will allow */ -#define MAX_CERT_DEPTH 8 +#define MAX_CERT_DEPTH 16 struct cert_hash { unsigned char sha1_hash[SHA_DIGEST_LENGTH]; diff --git a/version.m4 b/version.m4 index 9f61a81..6e4ab9f 100644 --- a/version.m4 +++ b/version.m4 @@ -1,5 +1,5 @@ dnl define the OpenVPN version -define(PRODUCT_VERSION,[2.1_rc21]) +define(PRODUCT_VERSION,[2.1_rc21a]) dnl define the TAP version define(PRODUCT_TAP_ID,[tap0901]) define(PRODUCT_TAP_WIN32_MIN_MAJOR,[9]) -- cgit v1.2.3