How to set XCOM configssl.cnf parameter VERIFY_DEPTH
Article ID: 368887

Products

  • XCOM Data Transport
  • XCOM Data Transport - Linux PC
  • XCOM Data Transport - Windows

Issue/Introduction

We have a cassl.pem file which at the moment has 6 certificates in it, and we have a new CA / Intermediate CA pair to add to it for new SHA2 certificates.

If these new certificates are appended to the cassl.pem file as certificates 7 and 8 in the file, will the certificate verification on the handshake chain down to these if the relevant required certificate match is not found above them? That is, will the certificate verification go past the fourth certificate in the file with the default setting of VERIFY_DEPTH=4?

Environment

XCOM distributed OS platforms

Resolution

There is currently a lack of documentation and file comments for some of the configssl.cnf parameters such as VERIFY_DEPTH.
There are some old "R11 0603 SP01: DOCUMENTATION UPDATES" informational solutions for the 11.0 release on various platforms which describe its use, e.g. QI80475 for UNIX and QI84430 for Linux:

*****
...

# Mandatory.
# Used to set the maximum depth for the certificate chain
# verification that shall be allowed for ctx.
# Set the limit up to which depth certificates in a chain are
# used during the verification procedure. If the certificate chain
# is longer than allowed, the certificates above the limit
# are ignored.
#
VERIFY_DEPTH
INITIATE_SIDE = 4
RECEIVE_SIDE = 4
...
*****

In addition:

  • The VERIFY_DEPTH parameter applies to validation of the certificates or certificate chains in the XCOM client and server certificate files (default file names clientcert.pem, servercert.pem). For validation purposes, the entire chain has to be present, which is often in concatenated form. For the XCOM sample scripts, the public root certificate cassl.pem is provided as a separate file.

  • The VERIFY_DEPTH value refers to the depth of the hierarchy of each certificate that is present, not to the number of certificates in the file. If there is just one certificate with an inverted tree structure of 5 levels, VERIFY_DEPTH=5 or greater is required. On the other hand, if there are 6 certificates with just one level each (the kind of sample certificates XCOM generates), then VERIFY_DEPTH=1 is sufficient.

  • The VERIFY_DEPTH value can be set larger than the number of stored certificates without causing a problem.

  • XCOM performs 2-way SSL authentication, and INITIATE_SIDE and RECEIVE_SIDE values are used for various parameters in the configssl.cnf file.
    INITIATE_SIDE refers to the SSL client side, the one which initiates the connection, and RECEIVE_SIDE refers to the SSL server side, the one which receives the connection request from the network. Both INITIATE_SIDE and RECEIVE_SIDE entries are required because XCOM does 2-way SSL authentication, so both the SSL client and SSL server certificates are verified at the other end of the connection. Thus for any XCOM SSL transfer, the XCOM initiating side (SSL client) uses the value in INITIATE_SIDE and the XCOM receiving side uses the value in RECEIVE_SIDE for the entire SSL handshake process.
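The following is an added example, not part of this article or of XCOM, that models the rule above: VERIFY_DEPTH is compared against the hierarchy depth of each certificate, not against how many certificates the bundle file holds. Certificates are represented by constructed (subject, issuer) name pairs; in practice those names would be read from each certificate with `openssl x509 -noout -subject -issuer`, and the level counting follows the article (one self-signed certificate is one level).

```python
# Added example (not part of the XCOM article): VERIFY_DEPTH relates to the
# hierarchy depth of each certificate, not to how many certificates the bundle
# file holds. Certificates are modelled as constructed (subject, issuer) pairs;
# in practice take the names from `openssl x509 -noout -subject -issuer`.
from collections import namedtuple

Cert = namedtuple("Cert", "subject issuer")

def chain_levels(leaf, bundle):
    """Follow issuer links from `leaf` through `bundle` up to a self-signed root.
    Levels are counted as the article does: one self-signed certificate is one
    level, root + intermediate + end entity is three. The whole chain must be
    present (as the article requires); a missing issuer or a loop is an error."""
    by_subject = {c.subject: c for c in bundle}
    chain, seen, cur = [leaf], {leaf.subject}, leaf
    while cur.subject != cur.issuer:          # stop at the self-signed root
        parent = by_subject.get(cur.issuer)
        if parent is None:
            raise ValueError(f"issuer {cur.issuer!r} of {cur.subject!r} not in bundle")
        if parent.subject in seen:
            raise ValueError(f"issuer loop at {parent.subject!r}")
        seen.add(parent.subject)
        chain.append(parent)
        cur = parent
    return chain

def required_verify_depth(bundle):
    """Smallest VERIFY_DEPTH covering the deepest hierarchy in `bundle`."""
    return max(len(chain_levels(c, bundle)) for c in bundle)

def too_deep_for(bundle, verify_depth):
    """Subjects whose hierarchy has more levels than the configured VERIFY_DEPTH."""
    return [c.subject for c in bundle if len(chain_levels(c, bundle)) > verify_depth]

# Constructed scenario from the article: six one-level sample certificates, then
# a new root CA / intermediate CA pair appended as certificates 7 and 8.
SAMPLE_SELF_SIGNED = [Cert(f"CN=sample{i}", f"CN=sample{i}") for i in range(1, 7)]
NEW_CA_PAIR = [Cert("CN=NewRootCA", "CN=NewRootCA"),
               Cert("CN=NewIntermediateCA", "CN=NewRootCA")]
CASSL_BUNDLE = SAMPLE_SELF_SIGNED + NEW_CA_PAIR   # 8 certificates, 2 levels at most

# One end-entity certificate under a five-level hierarchy (needs VERIFY_DEPTH=5).
FIVE_LEVEL_CHAIN = [Cert("CN=Root", "CN=Root"), Cert("CN=L2", "CN=Root"),
                    Cert("CN=L3", "CN=L2"), Cert("CN=L4", "CN=L3"),
                    Cert("CN=server", "CN=L4")]

if __name__ == "__main__":
    print(len(CASSL_BUNDLE), "certs, VERIFY_DEPTH needed:", required_verify_depth(CASSL_BUNDLE))
    print("five-level chain needs:", required_verify_depth(FIVE_LEVEL_CHAIN))
    print("rejected at VERIFY_DEPTH=4:", too_deep_for(FIVE_LEVEL_CHAIN, 4))
```

With the eight-certificate bundle the deepest hierarchy is still two levels, so the default VERIFY_DEPTH=4 covers it; only the five-level chain exceeds the default.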

Additional Information

The documentation will be updated to add information for the VERIFY_DEPTH parameter and other configssl.cnf file parameters. That will be done via the configssl.cnf comments, the techdocs, or both.