Discussion:
[openssl-dev] [openssl.org #4602] Missing accessors
Richard Levitte via RT
2016-07-20 17:10:53 UTC
> Hi Richard,
>
> I guess having a more restrictive accessor that only sets the EXFLAG_PROXY
> bit could work. I suggested the more general solution of having set/clear
> accessors for arbitrary flags since it was - well more general.
So let me ask this in a different manner, does OpenSSL 1.1 still not set the
EXFLAG_PROXY flag correctly? In what situations does that happen? That may be
worth a bug report of its own.
> This ties into my earlier question and example of verifying proxy
> certificates. What if I want to explicitly *set* the EXFLAG_PROXY for a
> stack of certificates?
I assume you only want that flag set for actual proxy certs and no other. If
you simply want to make sure the certs in a stack are properly flagged by
OpenSSL, call X509_check_purpose for each of them.
> How would I do that? How can I ensure that OpenSSL 1.1 will automagically
> trigger this flag for me? Is there a 'get_*' function to determine which
> flags were set during certificate verification?
>
> Thanks for any pointers or advice,
The function to retrieve the extension flags is X509_get_extension_flags(). You
call that for each X509*.
Incidentally, this function calls X509_check_purpose to make sure the caches are
properly built up...

--
Richard Levitte
***@openssl.org
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602
Please log in as guest with password guest if prompted
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Mattias Ellert via RT
2016-07-21 08:18:31 UTC
> > I guess having a more restrictive accessor that only sets the EXFLAG_PROXY
> > bit could work. I suggested the more general solution of having set/clear
> > accessors for arbitrary flags since it was - well more general.
>
> So let me ask this in a different manner, does OpenSSL 1.1 still not set the
> EXFLAG_PROXY flag correctly? In what situations does that happen? That may be
> worth a bug report of its own.
>
> --
> Richard Levitte
The answer to this is related to Mischa's reply, which unfortunately
was only sent to the Debian BTS and not to the OpenSSL RT. I quote it
below. As indicated in the answer, setting the EXFLAG_PROXY allows
handling non-RFC proxies in OpenSSL.
> Hi Richard, Mattias, others,
>
> I agree with you that it would be nice if OpenSSL could figure out
> itself whether a cert needs to be treated as a proxy, but currently that
> doesn't work reliably as far as I know.
> The flag is certainly needed in the case of non-RFC3820 proxies, also
> known as legacy proxies. Unfortunately these are still very widely used
> (majority of the proxies actually) and hence our code must be able to
> handle them correctly.
>
> Best wishes,
> Mischa Sallé