[gnutls-devel] GnuTLS | Consider aligning with OpenSSL's default of 100 for max certificate chain verify depth (#1893)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Thu May 28 16:12:00 CEST 2026



Issue created by Satya Jhaveri: https://gitlab.com/gnutls/gnutls/-/work_items/1893



## Description:

The default of 16 for max verify depth is too low for some real-world chains.

The constraint is triggered in `_gnutls_x509_cert_verify_peers`:

```c
if (info->ncerts > cred->verify_depth && cred->verify_depth > 0) {
	gnutls_assert();
	return GNUTLS_E_CONSTRAINT_ERROR;
}
```

A chain with more than 16 certificates causes `GNUTLS_E_CONSTRAINT_ERROR` (-101), which surfaces to applications as a verification failure.

The value of 16 is used as a defense against DoS attacks. I'm asking what the motivation for the choice of 16 as a threshold is. OpenSSL defaults to 100, and there are legitimate chains that exceed 16 certificates in length. A limit of 100 still provides meaningful DoS protection, while avoiding breaking real-world deployments. I'd welcome the maintainer's view on where the right balance for this lies.

## Version of gnutls used: 3.73

## Distributor of gnutls: Ubuntu (22.04.5 LTS)

## How reproducible:

Steps to Reproduce:

* Generate a root CA, an intermediate CA cross-signed by over 16 alternate roots, and a leaf certificate
* Serve the full chain and attempt to connect via any client using GnuTLS
* The connection will fail with error -101
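As an added illustration (not code from the issue or from GnuTLS), a small Python pre-check that counts the certificates in a served PEM bundle and applies the same `ncerts > verify_depth && verify_depth > 0` rule as the quoted code, so an operator can tell in advance whether a chain will trip the default of 16 while still passing OpenSSL's 100; the PEM input is a constructed stand-in and the limit values are the defaults the issue states.

```python
import re
from typing import Dict

# Defaults as stated in the issue: GnuTLS 16, OpenSSL 100.
GNUTLS_DEFAULT_VERIFY_DEPTH = 16
OPENSSL_DEFAULT_VERIFY_DEPTH = 100

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def count_pem_certs(bundle: str) -> int:
    """Count certificate blocks in a PEM bundle (the chain a server sends)."""
    return len(_PEM_CERT.findall(bundle))


def exceeds_verify_depth(ncerts: int, verify_depth: int) -> bool:
    """Mirror of the GnuTLS check quoted above:
    ncerts > verify_depth && verify_depth > 0, so depth 0 means 'no limit'."""
    return ncerts > verify_depth and verify_depth > 0


def chain_verdicts(bundle: str, limits: Dict[str, int]) -> Dict[str, str]:
    """For each named limit, report whether the chain would be rejected
    (the equivalent of GNUTLS_E_CONSTRAINT_ERROR) or accepted."""
    n = count_pem_certs(bundle)
    return {
        name: "rejected (chain too long)" if exceeds_verify_depth(n, depth) else "accepted"
        for name, depth in limits.items()
    }


def fake_pem_chain(ncerts: int) -> str:
    """Constructed stand-in for a served chain: PEM framing with dummy bodies,
    enough for counting but not real certificates."""
    block = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    return block * ncerts


if __name__ == "__main__":
    # Leaf + intermediate + 17 cross-signing roots, as in the reproduction steps.
    bundle = fake_pem_chain(19)
    limits = {"gnutls-default-16": GNUTLS_DEFAULT_VERIFY_DEPTH,
              "openssl-default-100": OPENSSL_DEFAULT_VERIFY_DEPTH,
              "unlimited-0": 0}
    for name, verdict in chain_verdicts(bundle, limits).items():
        print(f"{count_pem_certs(bundle)} certs, {name}: {verdict}")
```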




