
@abh3 requested changes on this pull request.

Except for the version check, it looks good.


In src/XrdHttp/XrdHttpProtocol.cc:

> @@ -633,6 +635,19 @@ int XrdHttpProtocol::Process(XrdLink *lp) // We ignore the argument here
           sbio = CreateBIO(Link);
           BIO_set_nbio(sbio, 1);
           ssl = SSL_new(sslctx);
+
+          // On newer versions of OpenSSL, we use the periodically
+          // updated store `verify_store` with the `x509_store_lock`
+          // held; older OpenSSL versions are missing `SSL_set1_*_cert_store`,
+          // so we simply rely on the global one in SSL_CTX.  The latter
+          // doesn't refresh the verify store, which causes issues with some
+          // plugins.
+#if OPENSSL_VERSION_NUMBER >= 0x010100000L
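Review bot: The threshold literal `0x010100000L` on the new `#if` line is spelled with nine hex digits; numerically it equals `0x10100000L` (OpenSSL 1.1.0), but the nonstandard form is hard to read at a glance and easy to mis-edit when the threshold is revisited, which this review is already asking for. Write it in OpenSSL's own eight-digit form (`0x10100000L`), and since the comment justifies the guard by the absence of `SSL_set1_*_cert_store`, spell out the exact functions the code below depends on (`SSL_set1_verify_cert_store` is the one the comment implies) so a reader can check the version threshold against OpenSSL's API history rather than a glob pattern. The comment also says `verify_store` is used "with the `x509_store_lock` held"; that locking discipline (who takes the lock here versus in the periodic updater) should be documented where the store and lock are declared, because nothing in this hunk shows the lock being acquired.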

Not so fast, the test should be '>' not '>=' because OpenSSL 1.01 does not have the set1 functions. I know from your comment that you did compile it on SL6 but that only worked because someone must have upgraded their OpenSSL (which of course they should have). Unfortunately, lots of sites use RH6 out of the box and it comes with 1.0.1e-fips and it definitely won't compile! I think all of the tests should change and then you'll be fine.


In src/XrdHttp/XrdHttpProtocol.cc:

> @@ -1767,6 +1833,20 @@ int XrdHttpProtocol::InitSecurity() {
     }
   }
 
+  // Initialize a store for use on individual SSL objects and schedule
+  // a periodic update.  These separate stores are only usable on versions
+  // of OpenSSL 1.1.0 or later.
+#if OPENSSL_VERSION_NUMBER >= 0x010100000L
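Review bot: This is the second hand-written copy of `#if OPENSSL_VERSION_NUMBER >= 0x010100000L`, gating the creation and periodic refresh of the per-connection store here while the copy in `Process()` gates its use. Two independent literals can drift (for example if only one is changed from `>=` to `>` as requested above), and the failure mode is silent: either `Process()` attaches a `verify_store` that `InitSecurity()` never created, or the refresh is scheduled for a store nothing uses. Define the condition once, e.g. `#define XRD_HAVE_SSL_SET1_STORE (OPENSSL_VERSION_NUMBER >= 0x10100000L)` in the protocol header, and test that macro at both sites so the threshold only exists in one place.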

Same here.



View this Pull Request on GitHub: https://github.com/xrootd/xrootd/pull/1186#pullrequestreview-401474682
