Darren,

On Thu, Jun 17, 2010 at 10:54:54AM +0100, Darren J Moffat wrote:
> I'm restarting this case, given the previous review and the fact
> that this just addresses the issues it brought up I'm marking it
> closed approved now.  If anyone thinks it needs further review I'll
> start a timer.

This may need further review.  In the 10 months that have passed since I
initially commented on this proposal, OpenSSL 1.0.0 has been released,
and there are interoperability problems between 0.9.8 and 1.0.0.
Unfortunately, these pertain directly to how CA certificates are hashed
and looked up when stored in a CA directory.

> Proposal
> --------
<snip>
> A separate X.509 certificate in PEM format for each CA will be placed
> in /etc/certs/CA/.  The files will be named by taking the X.509 DN and
> replacing the spaces and other unprintables with an '_'.  A symlink
> named using the 'openssl x509 hash' command to each of those PEM files
> is also created for those consumers that do fast lookups using a hash
> of the cert DN.

Do we ever anticipate having both OpenSSL 0.9.8 and 1.0.0 installed on a
machine at the same time?  If so, or if we allow these libraries to be
interchangeable, the method that is used to compute the X.509 DN hash in
0.9.8 is different from 1.0.0.  If we'd like these CA certs to be usable
by both library versions, we'll need to create symlinks in 0.9.8 and
1.0.0 format that both point to the underlying CA certificate.

There is slightly more detail on the problem here, though it is in the
context of Postfix.

http://tech.groups.yahoo.com/group/postfix-users/message/265662

-j
_______________________________________________
opensolaris-arc mailing list
[email protected]
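To make the interoperability point concrete, here is an added example (not code from the thread, from OpenSSL, or from the OpenSolaris case) that computes both hash forms for the same X.509 subject and plans the pair of symlinks each CA file needs. The 0.9.8 form is the first four bytes of MD5 over the full DER Name, read little-endian; the 1.0.0 form is the first four bytes of SHA-1 over OpenSSL's canonical Name encoding (attribute values converted to UTF8String, ASCII lowercased, surrounding whitespace stripped and internal runs collapsed, outer SEQUENCE header dropped). The Name encoder, the `OID` table, the sample subjects and the function names (`subject_hash_old`, `subject_hash`, `plan_symlinks`) are all constructed for this illustration; subject values are assumed to have been PrintableString in the original certificate, and the canonicalisation follows the OpenSSL source rather than any published specification, so verify agreement against `openssl x509 -subject_hash` and `-subject_hash_old` before relying on it.

```python
import hashlib
from typing import Dict, List, Tuple

# Attribute type OIDs (DER payload bytes): 2.5.4.6 (C), 2.5.4.10 (O), 2.5.4.3 (CN).
OID = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "CN": b"\x55\x04\x03"}
PRINTABLE_STRING, UTF8_STRING = 0x13, 0x0C
SEQUENCE, SET, OBJECT_ID = 0x30, 0x31, 0x06
_C_ISSPACE = set(b" \t\n\v\f\r")  # C locale isspace(), which is what OpenSSL applies

# A Name is a list of RDNs; each RDN is a list of (attribute, value) pairs.
Name = List[List[Tuple[str, str]]]


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def canon_value(value: str) -> bytes:
    """OpenSSL 1.0.0 asn1_string_canon: UTF-8, trim ASCII whitespace at both ends,
    collapse internal whitespace runs to one space, lowercase ASCII letters only."""
    raw = value.encode("utf-8")
    i, n = 0, len(raw)
    while i < n and raw[i] in _C_ISSPACE:
        i += 1
    while n > i and raw[n - 1] in _C_ISSPACE:
        n -= 1
    out = bytearray()
    while i < n:
        b = raw[i]
        if b >= 0x80:                      # non-ASCII bytes copied untouched
            out.append(b)
            i += 1
        elif b in _C_ISSPACE:              # one space for the whole run
            out.append(0x20)
            while i < n and raw[i] in _C_ISSPACE:
                i += 1
        else:
            out += bytes([b]).lower()
            i += 1
    return bytes(out)


def encode_name(name: Name, canonical: bool = False) -> bytes:
    """Full DER Name (canonical=False) or the 1.0.0 canonical encoding (canonical=True).
    The canonical form re-types every value as UTF8String and omits the outer SEQUENCE."""
    rdns = []
    for rdn in name:
        entries = []
        for attr, value in rdn:
            if canonical:
                val = tlv(UTF8_STRING, canon_value(value))
            else:
                val = tlv(PRINTABLE_STRING, value.encode("ascii"))  # assumed original type
            entries.append(tlv(SEQUENCE, tlv(OBJECT_ID, OID[attr]) + val))
        entries.sort()                     # DER SET OF: components in ascending encoded order
        rdns.append(tlv(SET, b"".join(entries)))
    body = b"".join(rdns)
    return body if canonical else tlv(SEQUENCE, body)


def _first4_le(digest: bytes) -> str:
    return "%08x" % int.from_bytes(digest[:4], "little")


def subject_hash_old(name: Name) -> str:
    """0.9.8-style hash: MD5 over the full DER Name (also 'openssl x509 -subject_hash_old')."""
    return _first4_le(hashlib.md5(encode_name(name)).digest())


def subject_hash(name: Name) -> str:
    """1.0.0-style hash: SHA-1 over the canonical Name (also 'openssl x509 -subject_hash')."""
    return _first4_le(hashlib.sha1(encode_name(name, canonical=True)).digest())


def plan_symlinks(certs: Dict[str, Name]) -> Dict[str, str]:
    """Map link name -> PEM file so that both library versions can find every CA.
    OpenSSL probes <hash>.0, <hash>.1, ... until a certificate matches, so colliding
    hashes (of either style) get increasing suffixes from one shared counter."""
    links: Dict[str, str] = {}
    counter: Dict[str, int] = {}
    for pem_file, subject in sorted(certs.items()):
        for h in (subject_hash_old(subject), subject_hash(subject)):
            n = counter.get(h, 0)
            links[f"{h}.{n}"] = pem_file
            counter[h] = n + 1
    return links


# Constructed sample subjects: B differs from A only in letter case and spacing.
ISSUER_A: Name = [[("C", "US")], [("O", "Example Inc")], [("CN", "Example Root CA")]]
ISSUER_B: Name = [[("C", "US")], [("O", "EXAMPLE INC")], [("CN", "  example  root ca ")]]

if __name__ == "__main__":
    for label, subj in (("A", ISSUER_A), ("B", ISSUER_B)):
        print(label, "0.9.8:", subject_hash_old(subj), "1.0.0:", subject_hash(subj))
    for link, target in sorted(plan_symlinks({"Example_Root_CA.pem": ISSUER_A}).items()):
        print(f"{link} -> {target}")
```

The two sample subjects show why a single symlink per CA is not enough: 1.0.0 gives them the same hash because its canonicalisation is case- and whitespace-insensitive, while 0.9.8 hashes the raw DER and so distinguishes them; the reverse also happens, since re-typing the value as UTF8String changes the bytes that 0.9.8 hashed but not what 1.0.0 hashes. A deployment script would take the real hashes from the OpenSSL CLI rather than this encoder, but the symlink planning (both forms, shared suffix counter) carries over unchanged.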