[Pkg-openssl-devel] Bug#829272: [openssl.org #4602] Missing accessors
Mattias Ellert
mattias.ellert at physics.uu.se
Thu Jul 21 08:18:18 UTC 2016
ons 2016-07-20 klockan 15:14 +0000 skrev Richard Levitte via RT:
> On Mon Jul 11 11:34:35 2016, mattias.ellert at physics.uu.se wrote:
> >
> > I guess having a more restrictive accessor that only sets the
> > EXFLAG_PROXY bit could work. I suggested the more general solution of
> > having set/clear accessors for arbitrary flags since it was - well
> > more
> > general.
>
> So let me ask this in a different manner, does OpenSSL 1.1 still not set the
> EXFLAG_PROXY flag correctly? In what situations does that happen? That may be
> worth a bug report of its own.
>
> --
> Richard Levitte
> levitte at openssl.org
>
The answer to this is related to Mischa's reply, which unfortunately
was only sent to the Debian BTS and not the the OpenSSL RT. I quote it
below. As indicated in the answer, setting the EXFLAG_PROXY allows
handling non-RFC proxies in OpenSSL.
mån 2016-07-11 klockan 14:53 +0200 skrev Mischa Salle:
> Hi Richard, Mattias, others,
>
> I agree with you that it would be nice if OpenSSL could figure out
> itself whether a cert needs to be treated as a proxy, but currently that
> doesn't work reliably as far as I know.
> The flag is certainly needed in the case of non-RFC3820 proxies, also
> known as legacy proxies. Unfortunately these are still very widely used
> (majority of the proxies actually) and hence our code must be able to
> handle them correctly.
>
> Best wishes,
> Mischa Sallé
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5032 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/attachments/20160721/f5f148eb/attachment.bin>
More information about the Pkg-openssl-devel
mailing list