[openssl-dev] [openssl.org #4622] OpenSSL doesn't recognise pre-rfc3820 proxy certs
Jan Just Keijser
janjust at nikhef.nl
Fri Jul 22 14:10:45 UTC 2016
Hi Rich,
On 22/07/16 14:52, Salz, Rich via RT wrote:
> And now, with subject clearly stated, I think we should not do this.
>
The original question related to this ticket was the missing accessors
in OpenSSL 1.1. I fully agree that OpenSSL should not add support for
pre-RFC3820 proxies, but it should allow others to write code to support
them. That's the way OpenSSL 0.9.x and 1.0.x did it: the Globus and VOMS
people added their own handlers to the OpenSSL callbacks in order to
support GT2, GT3 and RFC3820 (aka GT4) proxies. With OpenSSL 1.1, some
of these handlers/callbacks seem to have been removed.

If OpenSSL 1.1 does not allow this, then the existing grid codebase is
"stuck" with OpenSSL 1.0.x until all users start using RFC3820 proxies.
Again, I support the notion that people should have started using these
back in 2008, but the reality is that we in "Grid land" are stuck with
"legacy" proxies for some time. It would be a shame if we cannot use
OpenSSL 1.1+ on the grid.

JM2CW,
JJK / Jan Just Keijser
PS I'm a co-worker of Mischa Salle