[openssl-dev] [openssl.org #4622] OpenSSL doesn't recognise pre-rfc3820 proxy certs

Richard Levitte via RT
2016-07-22 11:35:11 UTC
Forgive me for being sloppy, I forgot to add a subject. Now added, it says what the actual issue is.

Ticket derived from RT4602 (missing accessors)

Reports have been coming in that in the grid world, there are two pre-rfc3820 forms of proxy certs still being used.

Old (pre-draft) format: Looks like a regular EE cert, but has been issued by another EE (real or proxy), and can be recognised by having the issuer name as subject name with an extra CN appended, either 'CN=proxy' or 'CN=limited proxy'

draft format: looks like an RFC3820 proxy cert, but uses OID 1.3.6.1.4.1.3536.1.222 instead of the RFC3820 OID for proxyCertInfo.

Cc to Mattias and Mischa, who have provided valuable info on this issue in RT4602. Guys, I hope it was ok to add you. If not, please tell me and I'll take you off this ticket.
--
Richard Levitte
***@openssl.org
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4622
Please log in as guest with password guest if prompted
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Salz, Rich via RT
2016-07-22 12:52:18 UTC
And now, with subject clearly stated, I think we should not do this.
Jan Just Keijser
2016-07-22 14:10:45 UTC
Hi Rich,
Salz, Rich via RT wrote:
> And now, with subject clearly stated, I think we should not do this.
the original question related to this ticket was the missing accessors
in OpenSSL 1.1. I fully agree that OpenSSL should not add support for
pre-RFC3820 proxy, but it should allow others to write code to support
it. That's the way OpenSSL 0.9.x and 1.0.x did it: the Globus and Voms
people added their own handlers to the OpenSSL callbacks in order to
support GT2, GT3 and RFC3820 (aka GT4) proxies. With OpenSSL 1.1, some
of these handlers/callbacks seem to have been removed.

If OpenSSL 1.1 does not allow this, then the existing grid codebase is
"stuck" with OpenSSL 1.0.x until all users start using RFC3820 proxies.
Again, I support the notion that people should have started using these
back in 2008 but the reality is that we in "Grid land" are stuck with
"legacy" proxies for some time. It would be a shame if we cannot use
OpenSSL 1.1+ on the grid.

JM2CW,

JJK / Jan Just Keijser

PS I'm a co-worker of Mischa Salle
Richard Levitte
2016-07-22 14:23:25 UTC
In message <6106b2ad-a457-df2e-2ff2-***@nikhef.nl> on Fri, 22 Jul 2016 16:10:45 +0200, Jan Just Keijser <***@nikhef.nl> said:

janjust> Hi Rich,
janjust>
janjust> On 22/07/16 14:52, Salz, Rich via RT wrote:
janjust> > And now, with subject clearly stated, I think we should not do this.
janjust> >
janjust>
janjust>
janjust> the original question related to this ticket was the missing accessors
janjust> in OpenSSL 1.1. I fully agree that OpenSSL should not add support for
janjust> pre-RFC3820 proxy, but it should allow others to write code to support
janjust> it. That's the way OpenSSL 0.9.x and 1.0.x did it: the Globus and Voms
janjust> people added their own handlers to the OpenSSL callbacks in order to
janjust> support GT2, GT3 and RFC3820 (aka GT4) proxies. With OpenSSL 1.1, some
janjust> of these handlers/callbacks seem to have been removed.
janjust>
janjust> If OpenSSL 1.1 does not allow this, then the existing grid codebase is
janjust> "stuck" with OpenSSL 1.0.x until all users start using RFC3820
janjust> proxies. Again, I support the notion that people should have started
janjust> using these back in 2008 but the reality is that we in "Grid land" are
janjust> stuck with "legacy" proxies for some time. It would be a shame if we
janjust> cannot use OpenSSL 1.1+ on the grid.

Ok,

I can't say that I quite agree, mostly because it means that
"everyone" will have to implement those same handlers (I've had a look
at the globus, voms and canl code, and keep noticing copies of more or
less the exact same callback source in all of them).

But, I'm listening, and I've had some internal discussion around this.

There's already been discussions around accessor functions, and
https://github.com/openssl/openssl/pull/1294 covers quite a lot
(please have a look! I get way too few comments), and what's primarily
needed outside of that is a way to set the EXFLAG_PROXY flag on an X509*.
Correct? For function names, I'm thinking that something as easy as
X509_cache_proxy_flag(X509 *x)

Cheers,
Richard
--
Richard Levitte ***@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
Salz, Rich
2016-07-22 20:32:54 UTC
I understand, and I think Richard will provide the hooks you need.

But this is, as you say, stuff that is eight years old....