Re: [VOTE] Improved TLS Defaults RFC

From:
Date: Wed, 12 Feb 2014 12:17:55 +0000
Subject: Re: [VOTE] Improved TLS Defaults RFC
Groups: php.internals
Hi,

On 11 February 2014 21:53, Daniel Lowrey <[email protected]> wrote:
> On Tue, Feb 11, 2014 at 4:16 PM, Stas Malyshev <[email protected]> wrote:
>> - What is the motivation for verify_depth default of 3? RFC does not say
>> anything on it.
>
> I admit this one is a somewhat arbitrary limit (which explains the lack of
> explanation in the wiki text). OpenSSL will default to a limit of 9 if we
> don't specify one ourselves, so there's not really that much to be gained
> by using a default of 3. After considering this a bit more I think it best
> to eliminate the addition of a default value in this area altogether. I
> will update the RFC and patch accordingly.

It’s partly arbitrary. The main reason for minimising depth, as far as
I’m aware, is to minimise the cost of TLS. It’s an expensive operation
(even for the client) and having an infinite depth may, as far as I
know, be a potential DoS risk. The general values used are 3-6,
reflecting real world use. A requirement for a value above this would
indicate potential issues with the server. This may be something of a
historical artifact since I cannot remember where I heard it. I do
know that DoS against SSL servers used to justify limiting this value
for certain.

Paddy may need a memory upgrade…

--
Pádraic Brady

http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
Zend Framework PHP-FIG Representative
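As an added illustration of the verify_depth point discussed in this thread (example code written for this page, not code from the RFC, its patch, or either poster), the following builds a PHP stream context that sets the chain-depth cap explicitly rather than leaving it to OpenSSL's default of 9. The `verify_peer`, `verify_peer_name`, `cafile` and `verify_depth` keys are real PHP SSL context options; the function names `tlsContext` and `fetchOverTls`, the chosen cap of 5 and the PHP 7.1+ scalar type hints are assumptions of this example.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7.1 (typed parameters);
// the verify_peer_name option itself dates from PHP 5.6.

// Build an SSL stream context with every verification setting stated
// explicitly instead of relying on whatever the defaults happen to be.
function tlsContext(int $maxChainDepth = 5, ?string $caFile = null)
{
    $ssl = [
        'verify_peer'       => true,   // validate the chain against trusted CAs
        'verify_peer_name'  => true,   // require the hostname to match the cert
        'allow_self_signed' => false,
        // Bound how many certificates OpenSSL will walk when building the
        // chain. OpenSSL's own default is 9; real-world chains are typically
        // 3-6 long, and a cap keeps worst-case verification work bounded.
        'verify_depth'      => $maxChainDepth,
    ];
    if ($caFile !== null) {
        $ssl['cafile'] = $caFile;   // otherwise the system CA bundle is used
    }
    return stream_context_create(['ssl' => $ssl]);
}

// Open a TLS connection with the hardened context and return the first
// line of an HTTP response, or null if the handshake or verification fails.
function fetchOverTls(string $host, int $port = 443, int $maxChainDepth = 5): ?string
{
    $ctx    = tlsContext($maxChainDepth);
    $errno  = 0;
    $errstr = '';
    $sock   = @stream_socket_client(
        "tls://$host:$port", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx
    );
    if ($sock === false) {
        // Any verification failure, including a chain longer than
        // verify_depth permits, surfaces here rather than as a silent success.
        fwrite(STDERR, "TLS connect to $host:$port failed: $errstr\n");
        return null;
    }
    fwrite($sock, "HEAD / HTTP/1.0\r\nHost: $host\r\nConnection: close\r\n\r\n");
    $response = stream_get_contents($sock);
    fclose($sock);
    return strtok($response, "\r\n");
}

// Usage (needs network access): php this_script.php example.com
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $line = fetchOverTls($argv[1]);
    echo $line === null ? "verification failed\n" : $line . "\n";
}
```

Tightening `verify_depth` is a bounded-work measure, not a substitute for `verify_peer` and `verify_peer_name`: a short chain that is not anchored in a trusted CA or does not match the hostname is still rejected by the other two settings.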

