From 23fc810b3c979bc0207e370da939e1d2d8dc7f77 Mon Sep 17 00:00:00 2001
From: Hideki Miyazaki <hide@wolfssl.com>
Date: Fri, 18 Jun 2021 11:10:13 +0900
Subject: [PATCH] added more context

---
 src/internal.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/internal.c b/src/internal.c
index dbdc5dbb4..570f43cb4 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -12397,7 +12397,11 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
             }
 
         #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
-            /* limit compliant with OpenSSL verify Depth + 1 */
+           /* limit compliant with OpenSSL verify Depth + 1
+            * OpenSSL tries to expand the chain one longer than limit until
+            * reaching an ultimately trusted issuer. Becoming failure if
+            * we hit the limit, with X509_V_ERR_CERT_CHAIN_TOO_LONG
+            */
             if (args->untrustedDepth > (ssl->options.verifyDepth + 1)) {
                 ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG;
                 ret = MAX_CHAIN_ERROR;