OpenSSL 1.0.0 Change Impacts Grid Security Infrastructure

Post date: Apr 8, 2010 11:29:00 PM

Globus Toolkit 5.0.1 and later are compatible with the recently released OpenSSL 1.0.0. However, an interface change in OpenSSL 1.0.0 impacts the Globus Toolkit Grid Security Infrastructure (GSI). Specifically, OpenSSL 1.0.0 changes the hash format used for naming certificate directory files (CA certificates and CRLs). OpenSSL 1.0.0 and later will locate certificate directory files using the new hash values, while older OpenSSL versions will locate certificate directory files using the old hash values. If the Globus Toolkit components that use OpenSSL can not locate the certificate directory files, GSI authentication will fail. We've created a web page to document OpenSSL 1.0.0 compatibility information at http://www.cilogon.org/openssl1. It includes links to tools for updating certificate directory file hashes, documents details of how components like MyProxy and Simple CA are impacted, and lists error messages and explanations. If you have any suggestions for improving this page, please let us know!