From: james Date: Fri, 13 Nov 2009 11:09:47 +0000 (+0000) Subject: Increase MAX_CERT_DEPTH to 16 (from 8), and when exceeded, X-Git-Tag: v2.1_rc22~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b9437c64ddd36c7c13508977e1a348d0e45d3187;p=thirdparty%2Fopenvpn.git Increase MAX_CERT_DEPTH to 16 (from 8), and when exceeded, make it a hard failure, rather than just a warning. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5159 e7ae566f-a301-0410-adde-c780ea21d3b5
---
diff --git a/ssl.c b/ssl.c
index d882c94f5..e6953db42 100644
--- a/ssl.c
+++ b/ssl.c
@@ -766,7 +766,10 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx)
 /* warn if cert chain is too deep */
 if (ctx->error_depth >= max_depth)
- msg (M_WARN, "TLS Warning: Convoluted certificate chain detected with depth [%d] greater than %d", ctx->error_depth, max_depth);
+ {
+ msg (D_TLS_ERRORS, "TLS Error: Convoluted certificate chain detected with depth [%d] greater than %d", ctx->error_depth, max_depth);
+ goto err; /* Reject connection */
+ }
 /* save common name in session object */
 if (ctx->error_depth == 0)
diff --git a/ssl.h b/ssl.h
index 3bb5fbe77..9737f265a 100644
--- a/ssl.h
+++ b/ssl.h
@@ -307,7 +307,7 @@
 */
 /* Maximum certificate depth we will allow */
-#define MAX_CERT_DEPTH 8
+#define MAX_CERT_DEPTH 16
 struct cert_hash {
 unsigned char sha1_hash[SHA_DIGEST_LENGTH];
diff --git a/version.m4 b/version.m4
index 9f61a81a2..6e4ab9f98 100644
--- a/version.m4
+++ b/version.m4
@@ -1,5 +1,5 @@
 dnl define the OpenVPN version
-define(PRODUCT_VERSION,[2.1_rc21])
+define(PRODUCT_VERSION,[2.1_rc21a])
 dnl define the TAP version
 define(PRODUCT_TAP_ID,[tap0901])
 define(PRODUCT_TAP_WIN32_MIN_MAJOR,[9])
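Review bot: The comment `/* warn if cert chain is too deep */` directly above the new block in the ssl.c hunk still describes the old M_WARN behaviour; with the added `goto err` the check now rejects the connection, so it should read `/* reject connection if cert chain is too deep */` so the next reader does not assume the condition is non-fatal. The log text also says "greater than" while the condition is `ctx->error_depth >= max_depth`, so a chain whose depth equals max_depth is now hard-rejected with a message claiming that depth is greater than itself; either the wording should become `at or above %d` or the comparison `>`, whichever limit is intended. The `err:` label and the remainder of verify_callback are outside the hunk, so what is cleaned up or returned on that path cannot be confirmed from here. The same off-by-one reading carries into the ssl.h hunk, where `MAX_CERT_DEPTH 16` is documented as "Maximum certificate depth we will allow" although, if max_depth derives from it, a depth of exactly 16 is rejected.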