Hi,

We noticed that proxies issued by xrdgsiproxy weren't authenticating with jGlobus.
The problem is that the Issuer has the X509 Key Usage extension as critical, but the proxy itself doesn't.

From openssl x509 -noout -text on the issuer:

        X509v3 extensions:
        [ ... ]
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment

but the proxy lacks it:

        X509v3 extensions:
            1.3.6.1.4.1.3536.1.222: critical
                0.0

Proxies generated with GTK's grid-proxy-init have the extension.

Here's the relevant JGlobus line that checks this:
https://github.com/jglobus/JGlobus/blob/master/ssl-proxies/src/main/java/org/globus/gsi/trustmanager/X509ProxyCertPathValidator.java#L550

---
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/issues/114
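
Added example (not part of the original message, and not jGlobus or XRootD code): a Python check that parses the two `openssl x509 -noout -text` excerpts quoted above and lists extensions the issuer marks critical that the proxy does not carry. The function names and the comparison rule are assumptions for illustration, modelled on the mismatch the report describes.

```python
import re

# Constructed sample input: the two excerpts quoted in the report above
# (the issuer's elided "[ ... ]" line is kept as-is).
ISSUER_TEXT = """\
        X509v3 extensions:
        [ ... ]
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
"""
PROXY_TEXT = """\
        X509v3 extensions:
            1.3.6.1.4.1.3536.1.222: critical
                0.0
"""

# An extension header line looks like "<name>:" or "<name>: critical".
NAME_RE = re.compile(r"^(.+?):( critical)?\s*$")

def parse_extensions(text):
    """Return {extension name: is_critical} from `openssl x509 -text` output."""
    exts, base = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        indent = len(line) - len(line.lstrip(" "))
        if base is None:
            if stripped == "X509v3 extensions:":
                base = indent  # names sit 4 columns deeper, values 8
            continue
        if indent < base:
            break  # left the extensions block (e.g. "Signature Algorithm:")
        m = NAME_RE.match(stripped)
        if indent == base + 4 and m:
            exts[m.group(1)] = bool(m.group(2))
    return exts

def missing_critical(issuer_text, proxy_text):
    """Assumed triage rule: critical on the issuer, absent from the proxy."""
    issuer, proxy = parse_extensions(issuer_text), parse_extensions(proxy_text)
    return sorted(n for n, crit in issuer.items() if crit and n not in proxy)

if __name__ == "__main__":
    for name in missing_critical(ISSUER_TEXT, PROXY_TEXT):
        print(f"issuer marks '{name}' critical; proxy does not carry it")
```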