[[EMAIL PROTECTED] - Thu Jun 6 08:55:05 2002]:
> On Wed, Jun 05, 2002 at 03:10:58PM +0200, Lutz Jaenicke via RT wrote:
> >
> > [[EMAIL PROTECTED] - Wed Jun 5 14:48:52 2002]:
> >
> > > ck_ssl.c: In function `ck_tn_tls_negotiate':
> > > ck_ssl.c:3232: `NID_uniqueIdentifier' undeclared (first use in this
> > > function)
> > > ck_ssl.c:3232: (Each undeclared identifier is reported only once
> > > ck_ssl.c:3232: for each function it appears in.)
> > > ck_ssl.c: In function `ck_ssl_incoming':
> > > ck_ssl.c:3529: `NID_uniqueIdentifier' undeclared (first use in this
> > > function)
> > > *** Error code 1
>
> Thank you for a reply.
> >
> > The problem is caused by inconsistent definitions for the OID values.
> > According to RFC2256, the OID 2.5.4.45 is assigned to
> > X500UniqueIdentifier. UniqueIdentifier was assigned to
> > pilotAttributeType.44 in RFC1274.
> > If you have a look into crypto/objects/objects.txt you will see, that
> > this was (still is) commented out. The reason is that UniqueIdentifier
> > was (incorrectly) used for 2.5.4.45...
> > In OpenSSL 0.9.7 I renamed the entry for 2.5.4.45 to fully comply with
> > RFC2256. Now UniqueIdentifier is missing, as I did not uncomment the
> > entry for RFC1274 (otherwise maybe nobody would have noted and only
> > later strange failures would have been reported).
> I see.
>
> Let's discuss how to fix it!?
>
> For instance, mod_ssl 2.8.8-1.3.24 uses a workaround:
> #ifndef NID_uniqueIdentifier
> #define NID_uniqueIdentifier 102
> #endif
I don't like this option. As it is now, the new (correct)
NID_uniqueIdentifier is not yet enabled. Once it is, this mechanism will
fail.
> ######
> ######
> ######
>
> Also, markus@ created this temp patch:
> +@@ -102,6 +104,13 @@
> + !ERROR This module requires OpenSSL 0.9.5a or higher
> + #endif /* OPENSSL_VERSION_NUMBER */
> + #endif /* SSLDLL */
> ++
> ++#if OPENSSL_VERSION_NUMBER < 0x00907000L
> ++#else
> ++ #ifndef NID_UniqueIdentifier
> ++ #define NID_uniqueIdentifier NID_x500UniqueIdentifier
> ++ #endif
> ++#endif
> +
> + static int auth_ssl_valid = 0;
> + static char *auth_ssl_name = 0; /* this holds the oneline name */
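Review bot: the guard "#ifndef NID_UniqueIdentifier" tests a name spelled with a capital U, while the line it protects defines "NID_uniqueIdentifier" with a lower-case u, so the guard never checks whether the macro being defined already exists. Test the same spelling that is defined, so a header that already provides NID_uniqueIdentifier is not silently overridden. The empty "#if OPENSSL_VERSION_NUMBER < 0x00907000L" branch followed by "#else" would also read more clearly as a single "#if OPENSSL_VERSION_NUMBER >= 0x00907000L", with a short comment stating why the alias is needed from 0.9.7 on.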
That looks better, but not finally good enough. I think that the correct
solution would be something like:
* Replace all occurrences of NID_UniqueIdentifier with
  NID_X500UniqueIdentifier.
* Then:
  #if OPENSSL_VERSION_NUMBER < 0x00907000L
  #define NID_X500UniqueIdentifier NID_UniqueIdentifier
  #endif
Of course, this will still break compatibility with applications not
especially prepared.
Best regards,
Lutz
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]