kubernetes / ingress-nginx

Ingress NGINX Controller for Kubernetes
https://kubernetes.github.io/ingress-nginx/
Apache License 2.0

Incorrect value matching on auth-tls-verify-depth annotation #10666

Open Marek-Madi opened 11 months ago

Marek-Madi commented 11 months ago

What happened: When the annotation for auth-tls-verify-depth is specified, the number doesn't correspond to the actual depth of the client certificate validated.

We have a client certificate which is 3 levels deep in the CA chain, meaning: client_cert <- intermediate1 <- intermediate2 <- CA. We expect that when the verify-depth annotation is set to 2 the validation would fail, but for some reason it works.

What you expected to happen: We expect that when the verify-depth annotation is set to 2 the validation would fail, but for some reason it works, since the client certificate is at a depth of 3.

I am not sure if this might be the case where in https://github.com/nginx/nginx-tests/blob/7a9e95fdd30729540ee9650be7f991c330367d5b/ssl_verify_depth.t#L145 it says that with OpenSSL 1.1.0+ the verify depth behaves differently and checks one more certificate level than is specified in the depth value:

OpenSSL 1.1.0+ instead limits the number of intermediate certs allowed, so with depth 1 it is possible to validate not only directly signed certificates, but also chains with one intermediate certificate.

NGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version.):

NGINX Ingress controller
  Release:       v1.2.1
  Build:         08848d69e0c83992c89da18e70ea708752f21d7a
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.19.10

Kubernetes version (use kubectl version): v1.27.5-gke.200

Environment: Google Cloud

How to reproduce this issue: Deploy ingress object with mTLS enabled with verify depth set to 2

nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
nginx.ingress.kubernetes.io/auth-tls-verify-depth: "2"
nginx.ingress.kubernetes.io/auth-tls-secret: <namespace>/CA-cert-secret

And run a curl request to the service using the client certificate which has 2 intermediate CAs in the CA chain (client_cert <- intermediate1 <- intermediate2 <- CA):

curl -v --cert certificate.crt --key prv_rsa.pem https://svc.example.com

Anything else we need to know:
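The OpenSSL 1.1.0+ depth semantics the report points to can be checked outside the cluster. The script below is an added example, not code from the issue or from ingress-nginx: it builds the reporter's chain (client_cert <- intermediate1 <- intermediate2 <- CA) with throw-away keys and asks openssl verify which -verify_depth values accept it. It assumes the openssl CLI (1.1.1 or 3.x) is installed; all names and files are constructed.

```shell
#!/bin/sh
# Added example (not from the issue): reproduce the chain-depth question with
# a locally generated 4-certificate chain and openssl verify.
set -e
WORK=$(mktemp -d)
cd "$WORK"
# Minimal req config so the script does not depend on a system openssl.cnf.
printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf

# issue NAME ISSUER IS_CA   (empty ISSUER = self-signed root)
issue() {
  name=$1; issuer=$2; is_ca=$3
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout "$name.key" \
    -subj "/CN=$name" -out "$name.csr" >/dev/null 2>&1
  if [ "$is_ca" = 1 ]; then
    echo "basicConstraints=critical,CA:TRUE" > "$name.ext"
  else
    echo "basicConstraints=critical,CA:FALSE" > "$name.ext"
  fi
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 1 \
      -extfile "$name.ext" -out "$name.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
      -CAcreateserial -days 1 -extfile "$name.ext" -out "$name.pem" >/dev/null 2>&1
  fi
}

issue CA "" 1
issue intermediate2 CA 1
issue intermediate1 intermediate2 1
issue client_cert intermediate1 0
cat intermediate1.pem intermediate2.pem > intermediates.pem

# Print "accepted" or "rejected" for a given depth. Since OpenSSL 1.1.0 the
# depth bounds the number of intermediate CAs only: neither the leaf nor the
# trust anchor counts, so depth 2 admits this chain with two intermediates.
verify_depth() {
  if openssl verify -verify_depth "$1" -CAfile CA.pem \
       -untrusted intermediates.pem client_cert.pem >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

for d in 0 1 2 3; do
  echo "verify_depth $d: $(verify_depth "$d")"
done
```

With depth 1 the same chain is rejected, which is the behaviour the reporter expected from depth 2 under the pre-1.1.0 counting.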

k8s-ci-robot commented 11 months ago

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.