On Mon, Jul 25, 2016 at 01:44:18PM +, Salz, Rich via RT wrote:
> I am not sure what to suggest. This conversation is bouncing across
> two ticket systems and is all about a legacy certificate format that
> is, what, outdated since 2002?
> I am hard-pressed to see why OpenSSL 1.1 has to do anyt
On Mon Jul 25 15:11:10 2016, levitte wrote:
> On Mon Jul 25 14:28:04 2016, levitte wrote:
> > BUT... I'm realising that when you do recognise a GT3 proxy (I think
> > I've seen
> > check_issued functions being used for that), there's no way for
> > external code
> > to set the proxy path length for
On Mon Jul 25 14:28:04 2016, levitte wrote:
> BUT... I'm realising that when you do recognise a GT3 proxy (I think
> I've seen
> check_issued functions being used for that), there's no way for
> external code
> to set the proxy path length for the certificate in question. While
> that's fine
> for
On Mon Jul 25 12:39:43 2016, msa...@nikhef.nl wrote:
> Hi Richard,
>
> On Mon, Jul 25, 2016 at 11:46:50AM +, Richard Levitte via RT
> wrote:
> > Is that code to cope with pathlen checking bugs? That's what it looks
> > to me. In
> > that case, it might no longer be needed with OpenSSL 1.1, alon
I am not sure what to suggest. This conversation is bouncing across two ticket
systems and is all about a legacy certificate format that is, what, outdated
since 2002?
I am hard-pressed to see why OpenSSL 1.1 has to do anything other than what
Richard proposed.
--
Ticket here: http://rt.open
On Mon, Jul 25, 2016 at 12:47:56PM +, Salz, Rich via RT wrote:
>
> > That's exactly what we currently do, we provide a verification callback, but
> > we do need to be able to set the failing cert in a chain for that.
>
> Stick it in EXDAT?
I don't think I understand what you mean...
For a pr
> That's exactly what we currently do, we provide a verification callback, but
> we do need to be able to set the failing cert in a chain for that.
Stick it in EXDAT?
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602
Please log in as guest with password guest if prompted
On Mon, Jul 25, 2016 at 12:42:21PM +, Salz, Rich via RT wrote:
> Perhaps the GRID folks can just write their own validation routine completely?
That's exactly what we currently do, we provide a verification callback,
but we do need to be able to set the failing cert in a chain for that.
M
Perhaps the GRID folks can just write their own validation routine completely?
Hi Richard,
On Mon, Jul 25, 2016 at 11:46:50AM +, Richard Levitte via RT wrote:
> Is that code to cope with pathlen checking bugs? That's what it looks to me.
> In
> that case, it might no longer be needed with OpenSSL 1.1, along with some
> other
> stuff (the subject checking stuff comes to
On Mon Jul 25 11:32:17 2016, msa...@nikhef.nl wrote:
> On Sat, Jul 23, 2016 at 09:44:18AM +, Richard Levitte via RT
> wrote:
> > To get current_cert, it's X509_STORE_CTX_get_current_cert().
> > To get current_issuer, it's X509_STORE_CTX_get0_current_issuer()
>
> Hi Richard,
>
> yes, those I kno
On Sat, Jul 23, 2016 at 09:44:18AM +, Richard Levitte via RT wrote:
> To get current_cert, it's X509_STORE_CTX_get_current_cert().
> To get current_issuer, it's X509_STORE_CTX_get0_current_issuer()
Hi Richard,
yes, those I know, but the problem is the *setting* of the failing cert.
Since we n
To get current_cert, it's X509_STORE_CTX_get_current_cert().
To get current_issuer, it's X509_STORE_CTX_get0_current_issuer()
Those functions are already present in pre-1.1 OpenSSL (at least in the 1.0.2
series)
On Fri Jul 22 15:51:16 2016, msa...@nikhef.nl wrote:
> Hi,
>
> unless I didn't look c
Hi,
Good point, I'll look into that. Also, thanks for the reminder, that HOWTO
needs a rewrite, badly.
Cheers
Richard
On Fri Jul 22 15:51:16 2016, msa...@nikhef.nl wrote:
> Hi,
>
> unless I didn't look carefully enough I think we might still be missing
> the current_cert (and current_issuer)
Hi,
unless I didn't look carefully enough I think we might still be missing
the current_cert (and current_issuer) from the X509_STORE_CTX, as
advertised in
https://github.com/openssl/openssl/blob/master/doc/HOWTO/proxy_certificates.txt#L204
and used in e.g.
https://github.com/italiangrid/voms/blob/m
In addition to github PR 1294, there's now also PR 1339 which adds the function
to set the EXFLAG_PROXY flag on a given certificate.
Also, PR 1295 has been updated. Instead of a function that returns a lock,
there is now a lock and an unlock function.
To me, it seems that that covers what's b
On Fri, Jul 22, 2016 at 09:38:13AM +0200, Mattias Ellert wrote:
> tor 2016-07-21 klockan 09:51 + skrev Richard Levitte via RT:
> > On Thu Jul 21 08:18:30 2016, mattias.ell...@physics.uu.se wrote:
> > >
> > > ons 2016-07-20 klockan 15:14 + skrev Richard Levitte via RT:
> > > >
> > > > On M
On Fri Jul 22 07:38:25 2016, mattias.ell...@physics.uu.se wrote:
> tor 2016-07-21 klockan 09:51 + skrev Richard Levitte via RT:
> > On Thu Jul 21 08:18:30 2016, mattias.ell...@physics.uu.se wrote:
> > >
> > > ons 2016-07-20 klockan 15:14 + skrev Richard Levitte via RT:
> > > >
> > > > On Mo
tor 2016-07-21 klockan 09:51 + skrev Richard Levitte via RT:
> On Thu Jul 21 08:18:30 2016, mattias.ell...@physics.uu.se wrote:
> >
> > ons 2016-07-20 klockan 15:14 + skrev Richard Levitte via RT:
> > >
> > > On Mon Jul 11 11:34:35 2016, mattias.ell...@physics.uu.se wrote:
> > > >
> > >
(Dropping the Debian bug from Cc)
On Wed, 2016-07-20 at 15:11 +, Richard Levitte via RT wrote:
> On Mon Jul 11 14:04:22 2016, dw...@infradead.org wrote:
> > I was using store.get_issuer() in OpenConnect too, because I need to
> > manually build the trust chain to include it on the wire — becau
On Mon, Jul 11, 2016 at 02:53:05PM +0200, Mischa Salle wrote:
> Hi Richard, Mattias, others,
>
> I agree with you that it would be nice if OpenSSL could figure out
> itself whether a cert needs to be treated as a proxy, but currently that
> doesn't work reliably as far as I know.
> The flag is cer
On Thu Jul 21 08:18:30 2016, mattias.ell...@physics.uu.se wrote:
> ons 2016-07-20 klockan 15:14 + skrev Richard Levitte via RT:
> > On Mon Jul 11 11:34:35 2016, mattias.ell...@physics.uu.se wrote:
> > >
> > > I guess having a more restrictive accessor that only sets the
> > > EXFLAG_PROXY bit c
ons 2016-07-20 klockan 15:14 + skrev Richard Levitte via RT:
> On Mon Jul 11 11:34:35 2016, mattias.ell...@physics.uu.se wrote:
> >
> > I guess having a more restrictive accessor that only sets the
> > EXFLAG_PROXY bit could work. I suggested the more general solution of
> > having set/clear a
Hi Richard,
On 20/07/16 17:14, Richard Levitte via RT wrote:
> On Mon Jul 11 11:34:35 2016, mattias.ell...@physics.uu.se wrote:
>> I guess having a more restrictive accessor that only sets the
>> EXFLAG_PROXY bit could work. I suggested the more general solution of
>> having set/clear accessors fo
On Mon Jul 11 14:04:22 2016, dw...@infradead.org wrote:
> I was using store.get_issuer() in OpenConnect too, because I need to
> manually build the trust chain to include it on the wire — because
> even today the server might *still* suffer RT#1942 and fail to trust
> our client cert unless we help
On Mon Jul 11 11:34:35 2016, mattias.ell...@physics.uu.se wrote:
> I guess having a more restrictive accessor that only sets the
> EXFLAG_PROXY bit could work. I suggested the more general solution of
> having set/clear accessors for arbitrary flags since it was - well
> more
> general.
So let me
On Mon, 2016-07-11 at 13:08 +, Mattias Ellert via RT wrote:
>
>
> Looking at the various places in the code where get_issuer
> and check_issued are accessed, they mostly use the context rather than
> the store. Here are the places I have found:
>
> https://sources.debian.net/src/nordugrid-ar
fre 2016-07-08 klockan 06:08 + skrev Richard Levitte via RT:
> On Thu Jul 07 21:29:09 2016, levitte wrote:
> > On Sat Jul 02 10:59:38 2016, k...@roeckx.be wrote:
> > > /* Add to include/openssl/x509_vfy.h : */
> > >
> > > typedef int (*X509_STORE_CTX_get_issuer)(X509 **issuer,
> > > X509_STORE
On Thu Jul 07 21:29:09 2016, levitte wrote:
> On Sat Jul 02 10:59:38 2016, k...@roeckx.be wrote:
> > /* Add to include/openssl/x509_vfy.h : */
> >
> > typedef int (*X509_STORE_CTX_get_issuer)(X509 **issuer, X509_STORE_CTX
> > *ctx, X509 *x);
> > typedef int (*X509_STORE_CTX_check_issued)(X509_STORE
forwarded 829272
https://rt.openssl.org/Ticket/Display.html?id=4602&user=guest&pass=guest
thanks
On Fri, Jul 01, 2016 at 10:52:40PM +0200, Mattias Ellert wrote:
>
> I got a lot of bugs filed about packages FTBFS with openssl 1.1.0.
> I started to look at some of them, and many of them are due to
Package: openssl
Version: 1.1.0~pre5-4
Severity: important
Control: block 828316 by -1
Control: block 828318 by -1
Control: block 828595 by -1
Hi!
I got a lot of bugs filed about packages FTBFS with openssl 1.1.0.
I started to look at some of them, and many of them are due to
structures having b