Bugzilla – Bug 7032
globus-openssl-module pollutes openssl nid space causing authentication failures
Last modified: 2010-06-28 14:26:34
The globus-openssl-module re-registers ssl object OIDs already present in the
openssl library. This results in the same OID having more than one nid
registration, which is a major source of proxy certificate verification
The patch available at
fixes this issue by checking if an OID is already registered before registering
it. It also changes places in the code where objects are referenced by their
"short name" to do the references by OID, since the OIDs are the same in globus
and openssl, but the short names are not. The globus-gsi-proxy-core package
also needs some changes to use the openssl encoding functions when the openssl
registrations are used.
In the same directory is also present the same patch split up per package
affected by the changes, if this is your preference:
I've committed this patch to the 5.0 branch and trunk. I suspect we can refine
this a bit more for 5.2 by removing some of this code, as OpenSSL has had
support for PROXY_CERT_INFO since 0.9.7g (early 2005).
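
The failure mode and the fix described in this report, as an added example that is not part of the bug thread and is not Globus or OpenSSL code. It is a simplified model of an object registry: the table, the function names and the `MODULE_PCI` short name are constructed for illustration, and only the proxyCertInfo OID and OpenSSL's short name for it are real.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of an object registry; not OpenSSL or Globus code. */
#define PCI_OID   "1.3.6.1.5.5.7.1.14" /* id-pe-proxyCertInfo */
#define LIB_SN    "proxyCertInfo"      /* OpenSSL's short name for it */
#define MODULE_SN "MODULE_PCI"         /* constructed stand-in for the module's short name */
#define MAX_OBJS  8

struct obj { const char *oid, *sn; };
static struct obj table[MAX_OBJS];
static int count;                      /* a nid is an index into table */

int nid_by_oid(const char *oid) {      /* first nid carrying this OID, or -1 */
    for (int i = 0; i < count; i++)
        if (strcmp(table[i].oid, oid) == 0) return i;
    return -1;
}
int nid_by_sn(const char *sn) {        /* nid carrying this short name, or -1 */
    for (int i = 0; i < count; i++)
        if (strcmp(table[i].sn, sn) == 0) return i;
    return -1;
}
int nids_for_oid(const char *oid) {    /* how many nids share this OID */
    int n = 0;
    for (int i = 0; i < count; i++) n += strcmp(table[i].oid, oid) == 0;
    return n;
}
int register_always(const char *oid, const char *sn) {  /* the polluting behaviour */
    if (count == MAX_OBJS) return -1;
    table[count].oid = oid; table[count].sn = sn;
    return count++;
}
int register_once(const char *oid, const char *sn) {    /* check before registering */
    int nid = nid_by_oid(oid);
    return nid >= 0 ? nid : register_always(oid, sn);
}
/* 1 if the nid derived from a certificate's extension OID equals the nid the module looks for. */
int extension_recognised(int check_first, int lookup_by_oid) {
    count = 0;
    register_always(PCI_OID, LIB_SN);                    /* library built-in entry */
    if (check_first) register_once(PCI_OID, MODULE_SN);
    else register_always(PCI_OID, MODULE_SN);
    int parsed = nid_by_oid(PCI_OID);                    /* nid reported for the extension */
    int wanted = lookup_by_oid ? nid_by_oid(PCI_OID) : nid_by_sn(MODULE_SN);
    return wanted >= 0 && parsed == wanted;
}
int main(void) {
    printf("always+sn=%d once+sn=%d once+oid=%d\n", extension_recognised(0, 0),
           extension_recognised(1, 0), extension_recognised(1, 1));
    return 0;
}
```

In this model, checking before registering is not enough on its own: once the duplicate entry is gone, a lookup by the module's short name finds nothing, which is why the references also have to move to the OID.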