-
Notifications
You must be signed in to change notification settings - Fork 19
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Only set authority key identified field if the public key is available #113
Conversation
Hi Chris, thanks for you PR. I'll have a look in the next days. |
Thanks Francesco! For some context I ran into this issue for (LHCb)DIRAC which uses the conda-forge build of VOMS (which I maintain). Conda-forge has already dropped OpenSSL 1.1.1 from the default build matrix a couple of weeks ago as the upstream end-of-life is in less than 7 months. |
The latest official release of VOMS (2.0.16) is actually still on 1.0.2, the default on CentOS 7 :-( |
@chaen Did some more debugging for fts/fts-rest-flask!92 and came to the same conclusion as me (but with a citation to back it up):
|
Hi, |
The issue is when using a proxy rather than a certificate. The reproducer in the PR description should allow you to demonstrate the issue. With OpenSSL 1.x you should be able to reproduce it except instead of crashing it lets you put a null value in the extension:
|
Ah right, hadn't read carefully enough. The crucial point is the 2nd level proxy.
|
Would it be possible to have the end-entity certificate and the certificates of the generated proxies (only the public part), please? |
Hi Francesco, |
It seems to me that the real issue is that the proxy does not contain the |
The java version doesn't include the |
Given that this value was never correct, it certainly isn't used anywhere. Removing it altogether seems faster, easier and safer, as opposed to adding a new feature to VOMS proxies (which we are all working hard to replace with tokens :-) ). How would it affect things to remove the AKI ? |
Hi @giacomini, @msalle, have you had a chance to think about this any further? |
I personally have no strong opinion, either way is fine with me (and I'm not a VOMS maintainer). If it's simple and straightforward to add I would add it, otherwise probably safer to remove indeed. |
I'll give some thought over the next days. |
In case we go in the direction to remove the Authority Key Identifier in proxies, in practice it would mean removing the lines https://github.com/italiangrid/voms/blob/develop/src/sslutils/proxy.c#L356-L400, right? |
There is more probably if I run a |
I've checked with Vincenzo: that piece of code should be executed only if we are not managing a proxy, but that check is missing. Consider that this piece of code is used also by |
I confirm that the change in this PR also fixes the problem I addressed in #120, that of making |
And in my case the fix already in this PR is still needed because I was working with a certificate and not a proxy. So I propose merging this PR and adding another one that adds |
The alternative fix for the original problem described for this PR is in #121. |
I merge both this and #120. Thanks to all, especially for your patience. Before I tag another RC, can you give me some feedback if everything's alright? our testsuite is not yet in a good shape, so I need to rely on your field experience. |
When using
voms-proxy-init
with a proxy certificate and OpenSSL 3 I get an error:If I use a
voms-proxy-init
binary that was compiled with OpenSSL 1.1.1 the above example works.Looking deeper in to the problem I found that this line was failing with OpenSSL 3:
Inspecting the openssl error queue I found this message:
If I look at the certifictate that was generated with OpenSSL 1.1.1 I find the AKI is null so I presume OpenSSL 3 is being less permissive about this invalid state:
I think the right thing to do in this case is to just not add the AKI extension.