[openssl-dev] [openssl.org #4622] OpenSSL doesn't recognise pre-rfc3820 proxy certs

Richard Levitte levitte at openssl.org
Fri Jul 22 14:23:25 UTC 2016


In message <6106b2ad-a457-df2e-2ff2-627a8fc1ca64 at nikhef.nl> on Fri, 22 Jul 2016 16:10:45 +0200, Jan Just Keijser <janjust at nikhef.nl> said:

janjust> Hi Rich,
janjust> 
janjust> On 22/07/16 14:52, Salz, Rich via RT wrote:
janjust> > And now, with subject clearly stated, I think we should not do this.
janjust> >
janjust> 
janjust> 
janjust> the original question related to this ticket was the missing accessors
janjust> in OpenSSL 1.1. I fully agree that OpenSSL should not add support for
janjust> pre-RFC3820 proxy, but it should allow others to write code to support
janjust> it. That's the way OpenSSL 0.9.x and 1.0.x did it: the Globus and Voms
janjust> people added their own handlers to the OpenSSL callbacks in order to
janjust> support GT2, GT3 and RFC3820 (aka GT4) proxies. With OpenSSL 1.1, some
janjust> of these handlers/callbacks seem to have been removed.
janjust> 
janjust> If OpenSSL 1.1 does not allow this, then the existing grid codebase is
janjust> "stuck" with OpenSSL 1.0.x until all users start using RFC3820
janjust> proxies. Again, I support the notion that people should have started
janjust> using these back in 2008 but the reality is that we in "Grid land" are
janjust> stuck with "legacy" proxies for some time. It would be a shame if we
janjust> cannot use OpenSSL 1.1+ on the grid.

Ok,

I can't say that I quite agree, mostly because it means that
"everyone" will have to implement those same handlers (I've had a look
at the globus, voms and canl code, and keep noticing copies of more or
less the exact same callback source in all of them).

But, I'm listening, and I've had some internal discussion around this.

There's already been discussions around accessor functions, and
https://github.com/openssl/openssl/pull/1294 covers quite a lot
(please have a look!  I get way too few comments), and what's primarily
needed outside of that is a way to set the EXFLAG_PROXY flag on an X509*.
Correct?  For function names, I'm thinking that something as easy as
X509_cache_proxy_flag(X509 *x)

Cheers,
Richard

-- 
Richard Levitte         levitte at openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/