Red Hat Bugzilla – Bug 1266093
[RFE] Deprecate ssl_verify_depth config and use openssl defaults.
Last modified: 2016-06-22 13:55:14 EDT
Description of problem:
We have a config option to set the X.509 server cert chain verify depth to 3.
It was made configurable to address https://bugzilla.redhat.com/show_bug.cgi?id=649374
because it was explicitly set to '1' before that.
Why 3? (aside from 'that's what the current subscription.rhn.redhat.com cert needs to get to redhat-uep.pem').
The openssl default seems to be 100 (https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_verify.html)
My vote would be to let it fall to the openssl default by not explicitly setting it.
AFAICT, there is no utility to limiting the verify depth.
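An added illustration, not code from this bug or from subscription-manager: it builds a constructed chain (root -> two intermediates -> leaf) with the openssl CLI and runs openssl verify with the old limit of 1, the current limit of 3 and the OpenSSL default. All subjects and file names are made up; the only assumption is an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not subscription-manager code: build a constructed chain
# root -> int1 -> int2 -> leaf and see which verify-depth limits accept it.
# Needs the openssl CLI; all names, subjects and files here are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions: CA certs must carry CA:TRUE or the chain will not build.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext

# mkcert NAME SUBJECT EXTFILE [ISSUER]: self-signed when ISSUER is omitted
mkcert() {
  name=$1 subj=$2 ext=$3 issuer=${4:-}
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$subj" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 1 \
      -extfile "$ext" -out "$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
      -CAcreateserial -days 1 -extfile "$ext" -out "$name.pem" 2>/dev/null
  fi
}

mkcert root "Constructed Root CA" ca.ext
mkcert int1 "Constructed Intermediate 1" ca.ext root
mkcert int2 "Constructed Intermediate 2" ca.ext int1
mkcert leaf "leaf.constructed.example" leaf.ext int2
cat int1.pem int2.pem > untrusted.pem   # what a server would send with the leaf

# verify_with_depth DEPTH|default: prints ok or fail for this chain
verify_with_depth() {
  depth_opt=""
  if [ "$1" != default ]; then depth_opt="-verify_depth $1"; fi
  if openssl verify $depth_opt -CAfile root.pem -untrusted untrusted.pem \
       leaf.pem >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Depth 1 (the old setting) rejects this chain; 3 and the default accept it.
for d in 1 3 default; do
  printf 'verify_depth=%s: %s\n' "$d" "$(verify_with_depth "$d")"
done
```

The failing case is the same shape as the original bug: a perfectly valid chain rejected only because the configured limit is shorter than the chain, which is the argument for leaving the limit at the library default.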
Version-Release number of selected component (if applicable):
Pretty much all GA versions. But at least as new as:
deferring to rhel-7.3.0 due to schedule and severity