
I am wondering what ssl_verify_depth means in nginx.conf. The docs are not very detailed, there is just this sentence:

Sets the verification depth in the client certificates chain.

What does increasing or decreasing do? I've noticed that increasing it makes nginx more likely to accept the cert, but why is that?

sashoalm

2 Answers


The depth actually is the maximum number of intermediate certificate issuers, i.e. the maximum number of CA certificates that are allowed to be followed while verifying the client certificate.

A depth of 0 means that only self-signed client certificates are accepted; the default depth of 1 means the client certificate can be self-signed or signed by a CA which is directly known to the server (i.e. the CA's certificate is under SSLCACertificatePath), etc. A depth of 2 means that certificates signed by a (single level of) intermediate CA are accepted, i.e. by an intermediate CA whose CA certificate is signed by a CA directly known to the server.

Our Perl test for this directive has some very useful comments and will help you to understand my explanation in an NGINX context a little bit better.

https://github.com/nginx/nginx-tests/blob/7a9e95fdd30729540ee9650be7f991c330367d5b/ssl_verify_depth.t#L145

Timo Stark
    So as an analogy, if certs were people, ssl_verify_depth=0 means you trust only people you know personally, and 1 means you trust a friend of a friend, and 2 means a friend of a friend of a friend, and so on, right? – sashoalm Feb 18 '22 at 06:25
  • Btw when I set ssl_verify_depth=0 nginx would accept a certificate that was signed by a certificate authority. So in [this picture](https://www.https.in/blog/wp-content/uploads/2019/03/SSL_Certificate_Chain.png) the cert would need only depth 1 to be accepted (depth <= chainLength - rootCA - leaf). – sashoalm Feb 18 '22 at 06:26
  • Yes this is correct. Setting it to 0 will allow ONLY self-signed certificates: `with verify depth 0, only self-signed certificates should` (from the NGINX tests). And your analogy is correct. If this answers your question, I would appreciate it if you mark it as an answer. Lmk if you need any more information. – Timo Stark Feb 18 '22 at 08:02

From the docs:

SSL_CTX_set_verify_depth() and SSL_set_verify_depth() set a limit on the number of certificates between the end-entity and trust-anchor certificates. Neither the end-entity nor the trust-anchor certificates count against depth. If the certificate chain needed to reach a trusted issuer is longer than depth+2, X509_V_ERR_CERT_CHAIN_TOO_LONG will be issued. The depth count is "level 0:peer certificate", "level 1: CA certificate", "level 2: higher level CA certificate", and so on. Setting the maximum depth to 2 allows the levels 0, 1, 2 and 3 (0 being the end-entity and 3 the trust-anchor). The default depth limit is 100, allowing for the peer certificate, at most 100 intermediate CA certificates and a final trust anchor certificate.

Source:

Note: the behavior around this changed between OpenSSL 1.0.2 and 1.1.0

Source:

Hugh Pearse
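The following script is an added example, not code from the question, either answer, or the nginx or OpenSSL projects. It builds a throwaway test PKI with the openssl command line (constructed names such as Demo-Root and Demo-Intermediate) and runs `openssl verify -verify_depth N` against two client certificates, one issued directly by the root and one issued by an intermediate, to make the counting in the quoted OpenSSL documentation concrete. It assumes OpenSSL 1.1.0 or later, where neither the leaf nor the trust anchor counts against the depth, so the root-issued leaf passes at depth 0 and the leaf behind one intermediate needs depth 1. nginx hands ssl_verify_depth to SSL_CTX_set_verify_depth, so the same limits apply to its client certificate verification.

```shell
#!/bin/sh
# Added example: throwaway PKI (root -> intermediate -> leaf) plus
# `openssl verify -verify_depth N` checks. All names are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension file that marks a certificate as a CA (used for root and intermediate).
printf 'basicConstraints=critical,CA:TRUE\n' > ca_ext.cnf

# csr <name> <cn>: fresh P-256 key and a CSR for it
csr() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1.key" 2>/dev/null
    openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
}

# issue <name> <issuer> [ca]: sign <name>.csr with <issuer>'s key;
# issuer "self" self-signs; a third argument "ca" adds CA:TRUE.
issue() {
    name=$1; issuer=$2; ext=""
    [ "${3:-}" = ca ] && ext="-extfile ca_ext.cnf"
    if [ "$issuer" = self ]; then
        # $ext is intentionally unquoted so it splits into two arguments
        openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 2 $ext \
            -out "$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
            -CAcreateserial -days 2 $ext -out "$name.pem" 2>/dev/null
    fi
}

build_pki() {
    csr root   Demo-Root;          issue root   self  ca
    csr inter  Demo-Intermediate;  issue inter  root  ca
    csr direct direct-client;      issue direct root      # leaf signed by the root itself
    csr viaint via-intermediate;   issue viaint inter     # leaf signed by the intermediate
}

# verify_depth <depth> <leaf.pem> [untrusted.pem]: exit 0 if OpenSSL accepts
# the chain with root.pem as the only trust anchor and the given depth limit.
verify_depth() {
    depth=$1; leaf=$2; untrusted=${3:-}
    if [ -n "$untrusted" ]; then
        openssl verify -CAfile root.pem -verify_depth "$depth" \
            -untrusted "$untrusted" "$leaf" >/dev/null 2>&1
    else
        openssl verify -CAfile root.pem -verify_depth "$depth" "$leaf" >/dev/null 2>&1
    fi
}

build_pki

# Expected with OpenSSL >= 1.1.0: depth 0 accepts only the root-issued leaf,
# depth 1 and above also accept the leaf behind one intermediate.
for d in 0 1 2; do
    printf 'depth %s: root-issued leaf -> %s, intermediate-issued leaf -> %s\n' "$d" \
        "$(verify_depth "$d" direct.pem && echo OK || echo FAILED)" \
        "$(verify_depth "$d" viaint.pem inter.pem && echo OK || echo FAILED)"
done
```

Each extra intermediate in a chain raises the depth a client needs by one, so when tightening ssl_verify_depth on a server, count the intermediates in the client CA hierarchy you actually trust rather than the total number of certificates in the chain.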