[openssl.org #4622] OpenSSL doesn't recognise pre-rfc3820 proxy certs


[openssl.org #4622] OpenSSL doesn't recognise pre-rfc3820 proxy certs

Rich Salz via RT
Forgive me for being sloppy, I forgot to add a subject. Now added, it says what
the actual issue is.

On Fri Jul 22 11:32:27 2016, levitte wrote:

> Ticket derived from RT4602 (missing accessors)
>
> Reports have been coming in that in the grid world, there are two pre-rfc3820 forms of proxy certs still being used.
>
> Old (pre-draft) format: Looks like a regular EE cert, but has been issued by another EE (real or proxy), and can be recognised by having the issuer name as subject name with an extra CN appended, either 'CN=proxy' or 'CN=limited proxy'
>
> draft format: looks like a RFC3820 proxy cert, but uses OID 1.3.6.1.4.1.3536.1.222 instead of the RFC3820 OID for proxyCertInfo.
>
> Cc to Mattias and Mischa, who have provided valuable info on this issue in RT4602. Guys, I hope it was ok to add you. If not, please tell me and I'll take you off this ticket.
>
> --
> Richard Levitte
> [hidden email]


--
Richard Levitte
[hidden email]

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4622
Please log in as guest with password guest if prompted

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
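The two legacy forms and the RFC 3820 form can be told apart from the rules quoted in the ticket alone. The classifier below is an added example, not code from the thread or from OpenSSL; it assumes the caller has already parsed the certificate and supplies the subject and issuer as ordered lists of (attribute, value) RDN tuples, the set of extension OIDs present, and whether the issuer is a CA. The RFC 3820 proxyCertInfo OID (1.3.6.1.5.5.7.1.14) is taken from the RFC, the draft OID from the ticket.

```python
# Added example (not from the thread): classify a certificate as an RFC 3820,
# draft-OID, or legacy (pre-draft) proxy using only the rules in the ticket.
# Names are modelled as ordered lists of (attribute, value) tuples in the order
# the RDNs appear in the certificate (an assumption of this example; a real
# deployment would fill them from the parsed X.509 Name).

RFC3820_PROXY_OID = "1.3.6.1.5.5.7.1.14"      # id-pe-proxyCertInfo, RFC 3820
DRAFT_PROXY_OID = "1.3.6.1.4.1.3536.1.222"    # pre-RFC draft OID named in the ticket
LEGACY_CN_VALUES = {"proxy": "legacy", "limited proxy": "legacy-limited"}


def _has_proxy_name_shape(subject, issuer):
    """All three proxy forms share one structural rule: the subject must be
    the issuer name with exactly one extra CN RDN appended at the end."""
    subject, issuer = list(subject), list(issuer)
    if not issuer or len(subject) != len(issuer) + 1:
        return False
    if subject[:-1] != issuer:
        return False
    return subject[-1][0] == "CN"


def classify_proxy(subject, issuer, ext_oids, issuer_is_ca=False):
    """Return 'rfc3820', 'draft', 'legacy', 'legacy-limited', or None.

    ext_oids:     set of extension OIDs present in the certificate.
    issuer_is_ca: True if the issuing cert is a CA. A proxy is always issued
                  by an end entity (real or proxy), so a CA-issued cert is
                  never a proxy whatever its name looks like.
    """
    if issuer_is_ca or not _has_proxy_name_shape(subject, issuer):
        return None
    if RFC3820_PROXY_OID in ext_oids:
        return "rfc3820"
    if DRAFT_PROXY_OID in ext_oids:
        return "draft"
    # Old (pre-draft) format carries no proxyCertInfo at all and is recognised
    # purely by the value of the appended CN; any other CN is an ordinary EE.
    return LEGACY_CN_VALUES.get(list(subject)[-1][1])


if __name__ == "__main__":
    # Constructed sample: a user cert delegating to a legacy limited proxy.
    user = [("DC", "org"), ("DC", "example"), ("CN", "Alice")]
    print(classify_proxy(user + [("CN", "limited proxy")], user, set()))
```

A proxy issued by another proxy passes the same check, because the issuer name is then the earlier proxy's full subject.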

Re: [openssl.org #4622] OpenSSL doesn't recognise pre-rfc3820 proxy certs

Rich Salz via RT
And now, with subject clearly stated, I think we should not do this.



Re: [openssl.org #4622] OpenSSL doesn't recognise pre-rfc3820 proxy certs

Jan Just Keijser-2
Hi Rich,

On 22/07/16 14:52, Salz, Rich via RT wrote:
> And now, with subject clearly stated, I think we should not do this.
>


the original question related to this ticket was the missing accessors
in OpenSSL 1.1. I fully agree that OpenSSL should not add support for
pre-RFC3820 proxy, but it should allow others to write code to support
it. That's the way OpenSSL 0.9.x and 1.0.x did it: the Globus and Voms
people added their own handlers to the OpenSSL callbacks in order to
support GT2, GT3 and RFC3820 (aka GT4) proxies. With OpenSSL 1.1, some
of these handlers/callbacks seem to have been removed.

If OpenSSL 1.1 does not allow this, then the existing grid codebase is
"stuck" with OpenSSL 1.0.x until all users start using RFC3820 proxies.
Again, I support the notion that people should have started using these
back in 2008 but the reality is that we in "Grid land" are stuck with
"legacy" proxies for some time. It would be a shame if we cannot use
OpenSSL 1.1+ on the grid.

JM2CW,

JJK / Jan Just Keijser

PS I'm a co-worker of Mischa Salle


Re: [openssl.org #4622] OpenSSL doesn't recognise pre-rfc3820 proxy certs

Richard Levitte - VMS Whacker-2
In message <[hidden email]> on Fri, 22 Jul 2016 16:10:45 +0200, Jan Just Keijser <[hidden email]> said:

janjust> Hi Rich,
janjust>
janjust> On 22/07/16 14:52, Salz, Rich via RT wrote:
janjust> > And now, with subject clearly stated, I think we should not do this.
janjust> >
janjust>
janjust>
janjust> the original question related to this ticket was the missing accessors
janjust> in OpenSSL 1.1. I fully agree that OpenSSL should not add support for
janjust> pre-RFC3820 proxy, but it should allow others to write code to support
janjust> it. That's the way OpenSSL 0.9.x and 1.0.x did it: the Globus and Voms
janjust> people added their own handlers to the OpenSSL callbacks in order to
janjust> support GT2, GT3 and RFC3820 (aka GT4) proxies. With OpenSSL 1.1, some
janjust> of these handlers/callbacks seem to have been removed.
janjust>
janjust> If OpenSSL 1.1 does not allow this, then the existing grid codebase is
janjust> "stuck" with OpenSSL 1.0.x until all users start using RFC3820
janjust> proxies. Again, I support the notion that people should have started
janjust> using these back in 2008 but the reality is that we in "Grid land" are
janjust> stuck with "legacy" proxies for some time. It would be a shame if we
janjust> cannot use OpenSSL 1.1+ on the grid.

Ok,

I can't say that I quite agree, mostly because it means that
"everyone" will have to implement those same handlers (I've had a look
at the globus, voms and canl code, and keep noticing copies of more or
less the exact same callback source in all of them).

But, I'm listening, and I've had some internal discussion around this.

There's already been discussions around accessor functions, and
https://github.com/openssl/openssl/pull/1294 covers quite a lot
(please have a look!  I get way too few comments), and what's primarily
needed outside of that is a way to set the EXFLAG_PROXY flag on a X509*.
Correct?  For function names, I'm thinking that something as easy as
X509_cache_proxy_flag(X509 *x)

Cheers,
Richard

--
Richard Levitte         [hidden email]
OpenSSL Project         http://www.openssl.org/~levitte/

[openssl.org #4622] OpenSSL doesn't recognise pre-rfc3820 proxy certs

Rich Salz via RT
In reply to this post by Rich Salz via RT
On Fri Jul 22 12:52:18 2016, [hidden email] wrote:
> And now, with subject clearly stated, I think we should not do this.

After some discussion, we decided to abandon this line of thought and get back
to accessors as of RT4602.

Closing this ticket.

--
Richard Levitte
[hidden email]


Re: [openssl.org #4622] OpenSSL doesn't recognise pre-rfc3820 proxy certs

Salz, Rich
In reply to this post by Jan Just Keijser-2
I understand, and I think Richard will provide the hooks you need.

But this is, as you say, stuff that is eight years old....