Re: [openssl.org #1949] mod_ssl/openssl failures when more than 85 CAs are configured

2010-01-25 Thread Maarten.Litmaath

Hi Steve,


Do you also agree with David's proposal to change the calls to
BIO_ctrl(, BIO_CTRL_INFO, ) into BIO_wpending() in ssl/*.c?  It seems to
make sense to me.



Yes, I've applied it to all branches now. Many thanks David. Ticket
resolved.



Just a postscript to the issue. The above minimal fix was applied to
OpenSSL but the lack of a corresponding Apache fix has resulted in some
problems, not least of which is renegotiation not working because the
server hello request is not flushed.

As a result the OpenSSL change has been updated to call BIO_CTRL_INFO
and if that returns zero BIO_CTRL_WPENDING. This should now cover all cases.


Thanks for that fix and for informing us.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: [openssl.org #1778] default maximum chain length considered too low

2008-11-10 Thread Maarten.Litmaath
Hi Stephen,

  [EMAIL PROTECTED] - Thu Nov 06 09:19:52 2008]:
  
  Why not increase the default, say, to 100 instead, as Globus did?
  
  
 
 What did they actually change?
 
 Changing the line:
 
 9,  /* depth */
 
 in x509_vpm.c should do the trick. Can you confirm this works?

Globus calls SSL_CTX_set_verify_depth() with a value of 100:

http://viewcvs.globus.org/viewcvs.cgi/gsi/callback/source/library/globus_gsi_callback_constants.h?r1=1.7r2=1.8

So, if that call exactly overrides the value 9 in x509_vpm.c,
then setting it to 100 would be equivalent to the Globus fix.

I hope the hardcoded depth does not appear in more places?
Thanks,
Maarten



default maximum chain length considered too low

2008-08-13 Thread Maarten.Litmaath
Dear OpenSSL developers,
various grid projects have run into the default maximum chain length
of 10 being too low.  These bug reports show examples:

http://bugzilla.globus.org/globus/show_bug.cgi?id=4994

https://savannah.cern.ch/bugs/index.php?37563

The functions SSL_CTX_set_verify_depth() and SSL_set_verify_depth()
allow the maximum length to be increased, but this means that every
application or library around OpenSSL needs to make such calls.
Why not increase the default, say, to 100 instead, as Globus did?
Thanks,
Maarten (CERN/LCG/EGEE)

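The verify-depth limit discussed in this thread can be checked from the command line before anyone touches a default; the script below is an added example, not code from the thread or from OpenSSL, that builds a root, three chained intermediates and a leaf with fresh keys and then runs `openssl verify -verify_depth` against the chain. It assumes the openssl CLI (1.1.0 or later, where the depth counts only intermediate CA certificates, neither the leaf nor the trust anchor, so it is counted differently from the chain length quoted in the thread) and a usable openssl.cnf; the subjects, file names and temporary directory are constructed for the example.

```shell
# Added example (not from the thread or OpenSSL): exercise -verify_depth on a
# constructed chain. Assumes the openssl CLI >= 1.1.0 and a usable openssl.cnf.
set -eu
NEWKEY="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# sign_cert <csr> <issuer-cert> <issuer-key> <extfile> <out>
sign_cert() {
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 1 \
        -extfile "$4" -out "$5" 2>/dev/null
}

# build_chain <dir> <n>: root.pem, n chained intermediates (also concatenated
# into intermediates.pem) and leaf.pem, each with a fresh P-256 key.
build_chain() {
    dir=$1; n=$2
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\n' > "$dir/leaf.ext"
    openssl req -new $NEWKEY -keyout "$dir/root.key" -out "$dir/root.csr" -subj /CN=root 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 1 \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
    issuer=root; i=1; : > "$dir/intermediates.pem"
    while [ "$i" -le "$n" ]; do
        openssl req -new $NEWKEY -keyout "$dir/ca$i.key" -out "$dir/ca$i.csr" -subj "/CN=ca$i" 2>/dev/null
        sign_cert "$dir/ca$i.csr" "$dir/$issuer.pem" "$dir/$issuer.key" "$dir/ca.ext" "$dir/ca$i.pem"
        cat "$dir/ca$i.pem" >> "$dir/intermediates.pem"
        issuer="ca$i"; i=$((i + 1))
    done
    openssl req -new $NEWKEY -keyout "$dir/leaf.key" -out "$dir/leaf.csr" -subj /CN=leaf 2>/dev/null
    sign_cert "$dir/leaf.csr" "$dir/$issuer.pem" "$dir/$issuer.key" "$dir/leaf.ext" "$dir/leaf.pem"
}

# chain_fits_depth <dir> <depth>: succeeds when leaf.pem verifies with at most
# <depth> intermediate CAs. OpenSSL >= 1.1.0 counts neither the leaf nor the
# trust anchor, so a chain of n intermediates needs -verify_depth >= n.
chain_fits_depth() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/intermediates.pem" \
        -verify_depth "$2" "$1/leaf.pem" >/dev/null 2>&1
}

# Demo: three intermediates pass at depth 3 and are rejected as too long at depth 2.
demo_dir=$(mktemp -d)
build_chain "$demo_dir" 3
for depth in 2 3; do
    if chain_fits_depth "$demo_dir" "$depth"; then
        echo "verify_depth $depth: chain accepted"
    else
        echo "verify_depth $depth: chain rejected (too long)"
    fi
done
```

Raising the number passed to build_chain reproduces the grid situation in the thread: the chain stays valid but is rejected as soon as it has more intermediates than the configured depth allows.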