diff -ur globus_gssapi_gsi-4.9.orig/library/globus_i_gsi_gss_utils.c globus_gssapi_gsi-4.9/library/globus_i_gsi_gss_utils.c
--- globus_gssapi_gsi-4.9.orig/library/globus_i_gsi_gss_utils.c 2005-05-04 02:19:37.000000000 +0200
+++ globus_gssapi_gsi-4.9/library/globus_i_gsi_gss_utils.c 2006-11-21 23:52:15.000000000 +0100
@@ -15,11 +15,11 @@
  * @author Sam Lang, Sam Meder
  *
  * $RCSfile: globus_i_gsi_gss_utils.c,v $
- * $Revision: 1.38.4.1 $
- * $Date: 2005/05/04 00:19:37 $
+ * $Revision: 1.38.4.1.4.2 $
+ * $Date: 2006/11/07 00:37:47 $
  */
 
-static char *rcsid = "$Id: globus_i_gsi_gss_utils.c,v 1.38.4.1 2005/05/04 00:19:37 meder Exp $";
+static char *rcsid = "$Id: globus_i_gsi_gss_utils.c,v 1.38.4.1.4.2 2006/11/07 00:37:47 kettimut Exp $";
 
 #include "gssapi_openssl.h"
 #include "globus_i_gsi_gss_utils.h"
@@ -2075,6 +2075,13 @@
         goto exit;
     }
 
+    /*
+     * post-0.9.8 versions of the SSL library seem to move part of the
+     * cipher setup code into SSL_library_init(). Without this call, the
+     * SSL_CTX_new routine comaplains at not being able to initialize the
+     * list of ciphers.
+     */
+    SSL_library_init();
     cred_handle->ssl_context = SSL_CTX_new(SSLv23_method());
     if(cred_handle->ssl_context == NULL)
     {
@@ -2132,8 +2139,20 @@
      */
     SSL_CTX_set_purpose(cred_handle->ssl_context, X509_PURPOSE_ANY);
 
+    /*
+     * post OpenSSL-0.9.8, existence of this call creates problem when
+     * the server (for eg. GridFTP server) is run as a user and thus the
+     * cert presented is proxy cert. As the OpenSSL code does not
+     * recognize Globus legacy proxies, we need to explicitly set the
+     * proxy flag in the cert and we do it only when our callback is
+     * called by OpenSSL with the critical extension error, so this call
+     * is removed for post OpenSSL-0.9.8.
+     */
+
+    #if (OPENSSL_VERSION_NUMBER < 0x0090707fL)
     X509_STORE_set_flags(SSL_CTX_get_cert_store(cred_handle->ssl_context),
                          X509_V_FLAG_IGNORE_CRITICAL);
+    #endif
 
     if(anon_ctx != GLOBUS_I_GSI_GSS_ANON_CONTEXT)
     {
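Review bot: SSL_library_init() is placed in the per-credential path right before SSL_CTX_new(), so it is re-run on every context creation rather than once at module activation; OpenSSL treats repeated calls as harmless, but the cipher/digest table setup it performs is not guarded against concurrent first calls in the 0.9.x line, so the call belongs where the library's locking callbacks are installed (the module activation routine) if this code can be reached from several threads — I cannot see that routine from this hunk, so please confirm. The comment also has a typo and overstates the cause; I would change it to `/* SSL_library_init() registers the ciphers and digests that SSL_CTX_new() needs; without it the context has an empty cipher list. */`. The enclosing function starts and ends outside the hunk.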
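Review bot: The preprocessor threshold and the comment disagree: `0x0090707fL` is the OPENSSL_VERSION_NUMBER of the 0.9.7g release, so X509_V_FLAG_IGNORE_CRITICAL is dropped from 0.9.7g onward, while the comment says the call is removed "post OpenSSL-0.9.8". Either the comment should name 0.9.7g, or the condition should be `#if (OPENSSL_VERSION_NUMBER < 0x0090800fL)` if 0.9.8 is really the intended boundary; as written, builds against 0.9.7g through 0.9.7m silently change verification behaviour. Dropping IGNORE_CRITICAL is the stronger setting (unrecognised critical extensions are once again rejected), so the new code depends entirely on the verify callback setting the proxy flag when OpenSSL reports X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; that callback is outside this hunk and should be checked for that exact error code. The enclosing function starts and ends outside the hunk.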