Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-08-03 Thread Richard Levitte
In message <20160803142331.gd2...@nikhef.nl> on Wed, 3 Aug 2016 16:23:31 +0200, Mischa Salle said: msalle> On Wed, Aug 03, 2016 at 03:41:55PM +0200, Richard Levitte wrote: msalle> > msalle> By the way, even for RFC proxies I still have the problem that setting msalle> >

Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-08-03 Thread Richard Levitte
In message <20160803.154155.2198714958292922881.levi...@openssl.org> on Wed, 03 Aug 2016 15:41:55 +0200 (CEST), Richard Levitte said: levitte> In message <20160803131344.gb2...@nikhef.nl> on Wed, 3 Aug 2016 15:13:44 +0200, Mischa Salle said: levitte>

Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-08-03 Thread Richard Levitte
In message <20160803131344.gb2...@nikhef.nl> on Wed, 3 Aug 2016 15:13:44 +0200, Mischa Salle said: msalle> Hi Richard, msalle> msalle> apologies for the delayed answer, I was caught up in work... msalle> msalle> On Tue, Jul 26, 2016 at 05:50:14PM +0200, Richard Levitte

Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-07-26 Thread Richard Levitte
In message <20160726095226.gc2...@nikhef.nl> on Tue, 26 Jul 2016 11:52:26 +0200, Mischa Salle said: msalle> Hi Richard, msalle> msalle> Although I haven't looked at all our code in detail (there is quite a msalle> lot and it is old code which we mostly inherited from others

Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-07-25 Thread Richard Levitte
In message on Mon, 25 Jul 2016 15:51:47 +, "msa...@nikhef.nl via RT" said: rt> The point is that if OpenSSL is providing a verification callback which rt> can be used to provide a custom verification of the cert chain,

Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-07-25 Thread Richard Levitte
In message on Mon, 25 Jul 2016 15:51:47 +, "msa...@nikhef.nl via RT" said: rt> On Mon, Jul 25, 2016 at 01:44:18PM +, Salz, Rich via RT wrote: rt> > I am not sure what to suggest. This conversation is bouncing

Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-07-25 Thread msa...@nikhef.nl via RT
On Mon, Jul 25, 2016 at 01:44:18PM +, Salz, Rich via RT wrote: > I am not sure what to suggest. This conversation is bouncing across > two ticket systems and is all about a legacy certificate format that > is, what, outdated since 2002? > I am hard-pressed to see why OpenSSL 1.1 has to do

Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-07-25 Thread Salz, Rich via RT
I am not sure what to suggest. This conversation is bouncing across two ticket systems and is all about a legacy certificate format that is, what, outdated since 2002? I am hard-pressed to see why OpenSSL 1.1 has to do anything other than what Richard proposed.

Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-07-25 Thread Salz, Rich
I am not sure what to suggest. This conversation is bouncing across two ticket systems and is all about a legacy certificate format that is, what, outdated since 2002? I am hard-pressed to see why OpenSSL 1.1 has to do anything other than what Richard proposed.

Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-07-25 Thread msa...@nikhef.nl via RT
On Mon, Jul 25, 2016 at 12:47:56PM +, Salz, Rich via RT wrote: > > > That's exactly what we currently do, we provide a verification callback, but > > we do need to be able to set the failing cert in a chain for that. > > Stick it in EXDAT? I don't think I understand what you mean... For a

Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-07-25 Thread Salz, Rich via RT
> That's exactly what we currently do, we provide a verification callback, but > we do need to be able to set the failing cert in a chain for that. Stick it in EXDAT? -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 Please log in as guest with password guest if prompted --

Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-07-25 Thread msa...@nikhef.nl via RT
On Mon, Jul 25, 2016 at 12:42:21PM +, Salz, Rich via RT wrote: > Perhaps the GRID folks can just write their own validation routine completely? That's exactly what we currently do, we provide a verification callback, but we do need to be able to set the failing cert in a chain for that.

Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-07-25 Thread Salz, Rich
Perhaps the GRID folks can just write their own validation routine completely? -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-07-25 Thread Salz, Rich via RT
Perhaps the GRID folks can just write their own validation routine completely?

Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-07-25 Thread msa...@nikhef.nl via RT
Hi Richard, On Mon, Jul 25, 2016 at 11:46:50AM +, Richard Levitte via RT wrote: > Is that code to cope with pathlen checking bugs? That's what it looks to me. > In > that case, it might no longer be needed with OpenSSL 1.1, along with some > other > stuff (the subject checking stuff comes

Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-07-25 Thread msa...@nikhef.nl via RT
On Sat, Jul 23, 2016 at 09:44:18AM +, Richard Levitte via RT wrote: > To get current_cert, it's X509_STORE_CTX_get_current_cert(). > To get current_issuer, it's X509_STORE_CTX_get0_current_issuer() Hi Richard, yes, those I know, but the problem is the *setting* of the failing cert. Since we

Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-07-22 Thread msa...@nikhef.nl via RT
On Fri, Jul 22, 2016 at 09:38:13AM +0200, Mattias Ellert wrote: > Thu 2016-07-21 at 09:51 + Richard Levitte via RT wrote: > > On Thu Jul 21 08:18:30 2016, mattias.ell...@physics.uu.se wrote: > > > > > > Wed 2016-07-20 at 15:14 + Richard Levitte via RT wrote: > > > > > > > > On

Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-07-22 Thread Mattias Ellert via RT
Thu 2016-07-21 at 09:51 + Richard Levitte via RT wrote: > On Thu Jul 21 08:18:30 2016, mattias.ell...@physics.uu.se wrote: > > > > Wed 2016-07-20 at 15:14 + Richard Levitte via RT wrote: > > > > > > On Mon Jul 11 11:34:35 2016, mattias.ell...@physics.uu.se wrote: > > > > > > >

Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-07-21 Thread David Woodhouse via RT
(Dropping the Debian bug from Cc) On Wed, 2016-07-20 at 15:11 +, Richard Levitte via RT wrote: > On Mon Jul 11 14:04:22 2016, dw...@infradead.org wrote: > > I was using store.get_issuer() in OpenConnect too, because I need to > > manually build the trust chain to include it on the wire —

Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-07-21 Thread David Woodhouse
(Dropping the Debian bug from Cc) On Wed, 2016-07-20 at 15:11 +, Richard Levitte via RT wrote: > On Mon Jul 11 14:04:22 2016, dw...@infradead.org wrote: > > I was using store.get_issuer() in OpenConnect too, because I need to > > manually build the trust chain to include it on the wire —

Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-07-21 Thread Mattias Ellert via RT
Wed 2016-07-20 at 15:14 + Richard Levitte via RT wrote: > On Mon Jul 11 11:34:35 2016, mattias.ell...@physics.uu.se wrote: > > > > I guess having a more restrictive accessor that only sets the > > EXFLAG_PROXY bit could work. I suggested the more general solution of > > having set/clear

Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-07-20 Thread Jan Just Keijser via RT
Hi Richard, On 20/07/16 17:14, Richard Levitte via RT wrote: > On Mon Jul 11 11:34:35 2016, mattias.ell...@physics.uu.se wrote: >> I guess having a more restrictive accessor that only sets the >> EXFLAG_PROXY bit could work. I suggested the more general solution of >> having set/clear accessors

Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-07-20 Thread Jan Just Keijser
Hi Richard, On 20/07/16 17:14, Richard Levitte via RT wrote: On Mon Jul 11 11:34:35 2016, mattias.ell...@physics.uu.se wrote: I guess having a more restrictive accessor that only sets the EXFLAG_PROXY bit could work. I suggested the more general solution of having set/clear accessors for

Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-07-11 Thread David Woodhouse via RT
On Mon, 2016-07-11 at 13:08 +, Mattias Ellert via RT wrote: > > > Looking at the various places in the code where get_issuer > and check_issued are accessed, they mostly use the context rather than > the store. Here are the places I have found: > >

Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-07-11 Thread David Woodhouse
On Mon, 2016-07-11 at 13:08 +, Mattias Ellert via RT wrote: > > > Looking at the various places in the code where get_issuer > and check_issued are accessed, they mostly use the context rather than > the store. Here are the places I have found: > >

Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-07-11 Thread Mattias Ellert via RT
Fri 2016-07-08 at 06:08 + Richard Levitte via RT wrote: > On Thu Jul 07 21:29:09 2016, levitte wrote: > > On Sat Jul 02 10:59:38 2016, k...@roeckx.be wrote: > > > /* Add to include/openssl/x509_vfy.h : */ > > > > > > typedef int (*X509_STORE_CTX_get_issuer)(X509 **issuer, > > >

Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-07-11 Thread Mattias Ellert via RT
Fri 2016-07-08 at 00:42 +0200 Kurt Roeckx wrote: > On Thu, Jul 07, 2016 at 09:40:24PM +, Richard Levitte via RT > wrote: > > On Sat Jul 02 10:59:38 2016, k...@roeckx.be wrote: > > > /* Add to include/openssl/x509v3.h */ > > > > > > void X509_set_extension_flags(X509 *x, uint32_t

Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-07-07 Thread Kurt Roeckx via RT
On Thu, Jul 07, 2016 at 09:40:24PM +, Richard Levitte via RT wrote: > On Sat Jul 02 10:59:38 2016, k...@roeckx.be wrote: > > /* Add to include/openssl/x509v3.h */ > > > > void X509_set_extension_flags(X509 *x, uint32_t ex_flags); > > void X509_clear_extension_flags(X509 *x, uint32_t ex_flags);

Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-07-07 Thread Kurt Roeckx
On Thu, Jul 07, 2016 at 09:40:24PM +, Richard Levitte via RT wrote: > On Sat Jul 02 10:59:38 2016, k...@roeckx.be wrote: > > /* Add to include/openssl/x509v3.h */ > > > > void X509_set_extension_flags(X509 *x, uint32_t ex_flags); > > void X509_clear_extension_flags(X509 *x, uint32_t ex_flags);

Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-07-07 Thread Salz, Rich via RT
I think we should ask kurt to ask the original reporter what they need to do.