ssl_verify_depth
The ssl_verify_depth directive sets the verification depth for SSL/TLS client authentication: the maximum number of intermediate CA certificates allowed between a client certificate and a trusted CA.
Description
The ssl_verify_depth directive belongs to NGINX's ngx_http_ssl_module and may be set in the http and server contexts; it takes a single integer and defaults to 1. The value is handed to OpenSSL as the verification depth, which limits how many intermediate CA certificates may sit between the client's end-entity certificate and a trust anchor loaded from ssl_client_certificate (or ssl_trusted_certificate). In OpenSSL 1.1.0 and later neither the client certificate itself nor the trust anchor counts toward the limit; older OpenSSL releases counted the trust anchor as well, so the same value allowed one intermediate fewer. If building a valid path to a trust anchor would need more intermediates than the limit, verification fails with the OpenSSL error "certificate chain too long". With ssl_verify_client on, NGINX then refuses the request (the client receives a 400 response and the error log records a "client SSL certificate verify error"); with ssl_verify_client optional the request proceeds and $ssl_client_verify carries the failure reason.
The directive is not a trust decision: whatever the depth, the chain still has to end at a CA from ssl_client_certificate (or ssl_trusted_certificate). What the limit adds is a structural check on top of that. Most deployments that require client certificates have a fixed hierarchy, typically a root with one issuing CA, and any valid-looking path longer than that hierarchy is unexpected: it means some subordinate CA has issued a further CA certificate, which a pathLenConstraint on the intermediate should have ruled out but often does not. Keeping the depth at the minimum the hierarchy needs rejects such paths and also bounds the verification work performed for each handshake.
For instance, with the default ssl_verify_depth 1 the server accepts a client certificate issued directly by a trusted CA, or one issued through a single intermediate CA; a path with two intermediates is rejected. Setting it to 0 accepts only certificates issued directly by a trust anchor, and 2 allows two intermediates. Note that the limit only shortens the acceptable path; it does not by itself detect an untrusted CA in the chain, because a chain that never reaches a configured trust anchor fails verification at any depth.
Config Example
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/ssl/certs/server.crt;
    ssl_certificate_key /etc/ssl/private/server.key;

    # CA certificates used to verify client certificates; this list is also
    # sent to clients as the set of acceptable CAs.
    ssl_client_certificate /etc/ssl/certs/ca.crt;
    # Refuse requests whose client certificate is missing or fails verification.
    ssl_verify_client on;
    # Allow at most two intermediate CAs between the client certificate and a
    # CA from ssl_client_certificate.
    ssl_verify_depth 2;
}

Check the value against the real CA hierarchy before setting it. It must be at least the number of intermediate CAs between your client certificates and the CA in ssl_client_certificate, otherwise every client is rejected; a value much larger than the hierarchy needs keeps clients working but gives up the check. With ssl_verify_client on, a chain that needs more intermediates than the configured depth fails verification with "certificate chain too long" and the request is refused with a 400 response, so a wrong value shows up as clients being locked out rather than as a silent failure.
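The script below is an added example, not code from the NGINX documentation or the nginx project. It reproduces the depth rule described above with the openssl command line, which applies the same OpenSSL verification logic that NGINX configures through ssl_verify_depth: it generates a throwaway PKI (a root, two intermediates and one client certificate, all with made-up subject names, in a temporary directory) and verifies the client certificate with -verify_depth 0 through 3. It also answers the advice about consulting the CA hierarchy before choosing a value: point -CAfile at your real ssl_client_certificate file and -untrusted at the intermediates your clients send, and the smallest depth that reports "accepted" is the minimum ssl_verify_depth. It assumes OpenSSL 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example (not from the NGINX documentation): build a throwaway PKI and
# check a client certificate against several verification depths with the
# openssl CLI, which uses the same depth rule as NGINX's ssl_verify_depth.
# All names are made up; everything lives in a temp dir. Assumes OpenSSL >= 1.1.1.

issue() {   # usage: issue <dir> <issuer> <name> <ext-section> <subject>
    dir="$1"; issuer="$2"; name="$3"; ext="$4"; subj="$5"
    openssl req -new -config "$dir/openssl.cnf" -sha256 -newkey rsa:2048 -nodes \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" -subj "$subj" >/dev/null 2>&1 || return 1
    openssl x509 -req -sha256 -days 1 -in "$dir/$name.csr" \
        -CA "$dir/$issuer.crt" -CAkey "$dir/$issuer.key" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions "$ext" -out "$dir/$name.crt" >/dev/null 2>&1 || return 1
}

build_test_pki() {   # usage: build_test_pki <dir>; builds root -> int1 -> int2 -> client
    dir="$1"
    cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
EOF
    # Self-signed root: the trust anchor NGINX would load via ssl_client_certificate.
    openssl req -x509 -config "$dir/openssl.cnf" -extensions ca_ext -sha256 -days 1 \
        -newkey rsa:2048 -nodes -keyout "$dir/root.key" -out "$dir/root.crt" \
        -subj "/CN=Example Test Root" >/dev/null 2>&1 || return 1
    issue "$dir" root int1 ca_ext "/CN=Example Intermediate 1" || return 1
    issue "$dir" int1 int2 ca_ext "/CN=Example Intermediate 2" || return 1
    issue "$dir" int2 client leaf_ext "/CN=alice" || return 1
    # The intermediates a client would send along with its own certificate.
    cat "$dir/int2.crt" "$dir/int1.crt" > "$dir/intermediates.pem"
}

verify_at_depth() {   # usage: verify_at_depth <dir> <depth>; prints "accepted" or "rejected: <reason>"
    dir="$1"; depth="$2"
    if out=$(openssl verify -CAfile "$dir/root.crt" -untrusted "$dir/intermediates.pem" \
                 -verify_depth "$depth" "$dir/client.crt" 2>&1); then
        echo "accepted"
    else
        # openssl verify reports e.g. "error 22 at 2 depth lookup: certificate chain too long"
        reason=$(printf '%s\n' "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1)
        echo "rejected: ${reason:-verification failed}"
    fi
}

PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT
build_test_pki "$PKI" || { echo "could not build test PKI (is openssl installed?)"; exit 1; }
# Two intermediates sit between the client certificate and the root, so
# depths 0 and 1 are rejected with "certificate chain too long"; 2 and 3 pass.
for depth in 0 1 2 3; do
    echo "ssl_verify_depth $depth -> $(verify_at_depth "$PKI" "$depth")"
done
```

The chain has two intermediates, so the run prints rejections for depths 0 and 1 and acceptances for 2 and 3; that matches the NGINX configuration above, where ssl_verify_depth 2 is the smallest value that would let this client in. Because the trust anchor and the end-entity certificate are not counted, a simple root-and-issuing-CA hierarchy works with the default of 1.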