On Thu Jul 21 08:18:30 2016, mattias.ell...@physics.uu.se wrote:
> On Wed 2016-07-20 at 15:14 +0000, Richard Levitte via RT wrote:
> > On Mon Jul 11 11:34:35 2016, mattias.ell...@physics.uu.se wrote:
> > >
> > > I guess having a more restrictive accessor that only sets the
> > > EXFLAG_PROXY bit could work. I suggested the more general solution
> > > of having set/clear accessors for arbitrary flags since it was - well
> > > more general.
> >
> > So let me ask this in a different manner, does OpenSSL 1.1 still not
> > set the EXFLAG_PROXY flag correctly? In what situations does that happen?
> > That may be worth a bug report of its own.
> >
> > --
> > Richard Levitte
> > levi...@openssl.org
> >
>
> The answer to this is related to Mischa's reply, which unfortunately
> was only sent to the Debian BTS and not the OpenSSL RT. I quote it
> below. As indicated in the answer, setting the EXFLAG_PROXY allows
> handling non-RFC proxies in OpenSSL.
>
> On Mon 2016-07-11 at 14:53 +0200, Mischa Salle wrote:
> > Hi Richard, Mattias, others,
> >
> > I agree with you that it would be nice if OpenSSL could figure out
> > itself whether a cert needs to be treated as a proxy, but currently
> > that doesn't work reliably as far as I know.
> > The flag is certainly needed in the case of non-RFC3820 proxies, also
> > known as legacy proxies. Unfortunately these are still very widely
> > used (majority of the proxies actually) and hence our code must be
> > able to handle them correctly.
> >
> > Best wishes,
> > Mischa Sallé
> >
Ok... From looking at the voms code that was linked to earlier, I can see
that legacy proxy certs are recognised by an older OID (called
PROXYCERTINFO_V3 in the code), 1.3.6.1.4.1.3536.1.222. Is there a spec for
the extensions in that version, whether they are critical or not and so on,
that I can reach? Or is the OID the only actual difference?

If it's easy enough (and it currently does look quite easy), I can certainly
see adding some code in OpenSSL to recognise those...

--
Richard Levitte
levi...@openssl.org

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602
Please log in as guest with password guest if prompted
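The thread turns on one question: can a loader tell a legacy proxy from an RFC 3820 proxy by the OID of its proxyCertInfo extension alone, and so set EXFLAG_PROXY itself? The example below is an added illustration, not OpenSSL or VOMS code. It walks the DER-encoded Extensions SEQUENCE of a certificate, decodes each extnID, and reports whether the RFC 3820 OID (1.3.6.1.5.5.7.1.14, id-pe-proxyCertInfo as defined in RFC 3820; not quoted in the thread) or the legacy OID from the thread (1.3.6.1.4.1.3536.1.222) is present. It assumes the caller already has the Extensions blob of a verified certificate; the sample inputs are constructed, not real certificates, and the function and constant names are my own.

```python
# Added illustration (not OpenSSL or VOMS code): decide whether a certificate
# is a proxy by the OID of its proxyCertInfo extension, as the thread describes.

RFC3820_PROXY_OID = "1.3.6.1.5.5.7.1.14"     # id-pe-proxyCertInfo (RFC 3820)
LEGACY_PROXY_OID = "1.3.6.1.4.1.3536.1.222"  # "PROXYCERTINFO_V3" in the VOMS code


def _der(tag, content):
    """Wrap content in a DER TLV (short or long length form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted):
    """Dotted OID string -> OBJECT IDENTIFIER content bytes (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(content):
    """Inverse of encode_oid."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def build_extensions(exts):
    """Constructed test input: DER Extensions SEQUENCE from (oid, critical, value)."""
    items = b""
    for oid, critical, value in exts:
        body = _der(0x06, encode_oid(oid))
        if critical:                      # critical BOOLEAN DEFAULT FALSE: omit when FALSE
            body += _der(0x01, b"\xff")
        body += _der(0x04, value)         # extnValue OCTET STRING
        items += _der(0x30, body)
    return _der(0x30, items)


def parse_extensions(extensions_der):
    """Return [(oid, critical, value)] for each Extension in the SEQUENCE."""
    tag, seq, _ = _read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(seq):
        tag, ext, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("Extension must be a SEQUENCE")
        tag, oid, p = _read_tlv(ext, 0)
        if tag != 0x06:
            raise ValueError("extnID must be an OBJECT IDENTIFIER")
        critical = False
        tag, val, p = _read_tlv(ext, p)
        if tag == 0x01:                   # optional critical flag present
            critical = val != b"\x00"
            tag, val, p = _read_tlv(ext, p)
        if tag != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        result.append((decode_oid(oid), critical, val))
    return result


def proxy_kind(extensions_der):
    """'rfc3820', 'legacy' or None: the input a loader would need to decide
    whether to set an EXFLAG_PROXY-style flag on the certificate."""
    oids = {oid for oid, _, _ in parse_extensions(extensions_der)}
    if RFC3820_PROXY_OID in oids:
        return "rfc3820"
    if LEGACY_PROXY_OID in oids:
        return "legacy"
    return None


# Constructed samples (not real certificates): keyUsage plus one proxy extension.
KEY_USAGE_OID = "2.5.29.15"
SAMPLE_LEGACY = build_extensions([(KEY_USAGE_OID, True, b"\x03\x02\x05\xa0"),
                                  (LEGACY_PROXY_OID, True, b"\x30\x00")])
SAMPLE_RFC = build_extensions([(RFC3820_PROXY_OID, True, b"\x30\x00")])
SAMPLE_EEC = build_extensions([(KEY_USAGE_OID, False, b"\x03\x02\x05\xa0")])
```

The OID check only answers "is this a proxy and of which flavour"; the critical bit is reported alongside because that is exactly what Richard is asking about for the legacy form, and a real loader would still need to apply the proxy path-length and naming rules on top of it.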