Increase MAX_CERT_DEPTH to 16 (from 8), and when exceeded,

make it a hard failure, rather than just a warning.

git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5159 e7ae566f-a301-0410-adde-c780ea21d3b5

diff --git a/ssl.c b/ssl.c
index d882c94f5ee4850b34bba5b04657a4c0ab2459c9..e6953db42a9b9af74004187c743452d06510bc2f 100644 (file)
--- a/ssl.c
+++ b/ssl.c
@@ -766,7 +766,10 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx)
 
   /* warn if cert chain is too deep */
   if (ctx->error_depth >= max_depth)
-    msg (M_WARN, "TLS Warning: Convoluted certificate chain detected with depth [%d] greater than %d", ctx->error_depth, max_depth);
+    {
+      msg (D_TLS_ERRORS, "TLS Error: Convoluted certificate chain detected with depth [%d] greater than %d", ctx->error_depth, max_depth);
+      goto err;                        /* Reject connection */
+    }
 
   /* save common name in session object */
   if (ctx->error_depth == 0)

diff --git a/ssl.h b/ssl.h
index 3bb5fbe777ae574ce90598b26bb70dac6414c7e4..9737f265a3facb93cc82d0f8c8338600887b91b2 100644 (file)
--- a/ssl.h
+++ b/ssl.h
@@ -307,7 +307,7 @@
  */
 
 /* Maximum certificate depth we will allow */
-#define MAX_CERT_DEPTH 8
+#define MAX_CERT_DEPTH 16
 
 struct cert_hash {
   unsigned char sha1_hash[SHA_DIGEST_LENGTH];

diff --git a/version.m4 b/version.m4
index 9f61a81a29db42b1c4d14df723634e7d62d71450..6e4ab9f98743ed59a4981120d4c1b448e7c740bd 100644 (file)
--- a/version.m4
+++ b/version.m4
@@ -1,5 +1,5 @@
 dnl define the OpenVPN version
-define(PRODUCT_VERSION,[2.1_rc21])
+define(PRODUCT_VERSION,[2.1_rc21a])
 dnl define the TAP version
 define(PRODUCT_TAP_ID,[tap0901])
 define(PRODUCT_TAP_WIN32_MIN_MAJOR,[9])