Bug 7032 - globus-openssl-module pollutes openssl nid space causing authentication failures
Status: RESOLVED FIXED
: GSI C
Authentication
: 5.0.1
: NorduGrid All
: P3 major
: 5.0.2
Assigned To:
: http://www.grid.tsl.uu.se/repos/globu...
Reported: 2010-06-02 08:12 by
Modified: 2010-06-28 14:26 (History)

Description From 2010-06-02 08:12:57
The globus-openssl-module re-registers ssl object OIDs already present in the
openssl library. This results in the same OID having more than one nid
registration, which is a major source of proxy certificate verification
failures.

The patch available at

http://www.grid.tsl.uu.se/repos/globus/info/globus-oid-merged.patch

fixes this issue by checking if an OID is already registered before registering
it. It also changes places in the code where objects are referenced by their
"short name" to do the references by OID, since the OIDs are the same in globus
and openssl, but the short names are not. The globus-gsi-proxy-core package
also needs some changes to use the openssl encoding functions when the openssl
registrations are used.

In the same directory is also present the same patch split up per package
affected by the changes, if this is your preference:

globus-gsi-callback-oid.patch
globus-gsi-cert-utils-oid.patch
globus-gsi-credential-oid.patch
globus-gsi-proxy-core-oid.patch
globus-gsi-proxy-ssl-oid.patch
globus-openssl-module-oid.patch
globus-proxy-utils-oid.patch
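
A simplified model of the failure and the fix described in the report above, added here as an illustration; it is not code from the patch, from Globus or from OpenSSL. The registry, the function names, the short names and the nid values are constructed, and the model assumes that the newest registration for an OID wins on lookup.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of an OID/nid registry (hypothetical; not OpenSSL code). */
struct obj { int nid; const char *oid; const char *sn; };
#define BUILTIN_NID 1            /* nid the library's own checks compare against */
#define MAX_OBJS 8
static struct obj table[MAX_OBJS];
static int count;

void reset_registry(void) {      /* constructed built-in entry */
    table[0] = (struct obj){ BUILTIN_NID, "1.3.6.1.5.5.7.1.14", "proxyCertInfo" };
    count = 1;
}
/* Assumption of this model: the newest registration for an OID wins. */
int oid2nid(const char *oid) {
    for (int i = count - 1; i >= 0; i--)
        if (strcmp(table[i].oid, oid) == 0) return table[i].nid;
    return 0;                    /* 0 = undefined */
}
int sn2nid(const char *sn) {
    for (int i = count - 1; i >= 0; i--)
        if (strcmp(table[i].sn, sn) == 0) return table[i].nid;
    return 0;
}
/* Unconditional registration: the behaviour the report describes. */
int register_always(const char *oid, const char *sn) {
    if (count == MAX_OBJS) return 0;
    table[count] = (struct obj){ count + 1, oid, sn };
    return table[count++].nid;
}
/* Guarded registration: reuse the nid if the OID is already known. */
int register_once(const char *oid, const char *sn) {
    int nid = oid2nid(oid);
    return nid ? nid : register_always(oid, sn);
}
/* A library-side check that recognises the extension by its built-in nid. */
int lib_recognises(const char *oid) { return oid2nid(oid) == BUILTIN_NID; }

int main(void) {
    const char *oid = "1.3.6.1.5.5.7.1.14", *sn = "MODULE_PCI"; /* constructed */
    reset_registry(); register_always(oid, sn);
    printf("always: recognised=%d\n", lib_recognises(oid));
    reset_registry(); register_once(oid, sn);
    printf("once:   recognised=%d sn2nid=%d oid2nid=%d\n",
           lib_recognises(oid), sn2nid(sn), oid2nid(oid));
    return 0;
}
```

With guarded registration the module's own short name is never registered, so a lookup by that short name finds nothing while a lookup by OID still succeeds, which is why the report moves references from short names to OIDs.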
------- Comment #1 From 2010-06-28 14:26:34 -------
I've committed this patch to the 5.0 branch and trunk. I suspect we can refine
this a bit more for 5.2 by removing some of this code, as OpenSSL has had
support for PROXY_CERT_INFO since 0.9.7g (early 2005).