In message <6106b2ad-a457-df2e-2ff2-627a8fc1c...@nikhef.nl> on Fri, 22 Jul 2016 16:10:45 +0200, Jan Just Keijser <janj...@nikhef.nl> said:
janjust> Hi Rich,
janjust>
janjust> On 22/07/16 14:52, Salz, Rich via RT wrote:
janjust> > And now, with subject clearly stated, I think we should not do this.
janjust> >
janjust>
janjust> the original question related to this ticket was the missing accessors
janjust> in OpenSSL 1.1. I fully agree that OpenSSL should not add support for
janjust> pre-RFC3820 proxy, but it should allow others to write code to support
janjust> it. That's the way OpenSSL 0.9.x and 1.0.x did it: the Globus and Voms
janjust> people added their own handlers to the OpenSSL callbacks in order to
janjust> support GT2, GT3 and RFC3820 (aka GT4) proxies. With OpenSSL 1.1, some
janjust> of these handlers/callbacks seem to have been removed.
janjust>
janjust> If OpenSSL 1.1 does not allow this, then the existing grid codebase is
janjust> "stuck" with OpenSSL 1.0.x until all users start using RFC3820
janjust> proxies. Again, I support the notion that people should have started
janjust> using these back in 2008 but the reality is that we in "Grid land" are
janjust> stuck with "legacy" proxies for some time. It would be a shame if we
janjust> cannot use OpenSSL 1.1+ on the grid.

Ok, I can't say that I quite agree, mostly because it means that "everyone" will have to implement those same handlers (I've had a look at the globus, voms and canl code, and keep noticing copies of more or less the exact same callback source in all of them).

But, I'm listening, and I've had some internal discussion around this. There have already been discussions around accessor functions, and https://github.com/openssl/openssl/pull/1294 covers quite a lot (please have a look! I get way too few comments), and what's primarily needed outside of that is a way to set the EXFLAG_PROXY flag on an X509*. Correct?

For function names, I'm thinking that something as easy as X509_cache_proxy_flag(X509 *x)

Cheers,
Richard

--
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/