On 28/11/2017 16:55, John Kewley wrote:
> Jens has mentioned in a TB-SUPPORT post that the old (openssl 0.9.X) hash is different for the sha1-signed and sha2-signed 2B certs (this was a vagary of the old hashing mechanism).
> The new (openssl 1.Y.Z) version is the same for both 2B certs [I haven't checked, but I recall discussing a similar issue in the past with DG for another cert].
>
> Might the SL6 certs be using some "old" openssl code in such a manner - or is it just that some of the m/w doesn't like mismatched ICAs when authenticating?

It is not the issue, though. Checked both subject hash and issuer hash
and they match exactly. (I had checked those before release as well.)

In fact not only are the hashes the same, it turns out the ASN.1
encodings are the same for both issuer and subject, so there is no
excuse for even ancient code to generate different hashes.
Which is good because I did in fact check the hashes before releasing
the certificate. And I checked they validate each other's signatures.

I think the most plausible explanation at this point is VOMS et al doing
something non-standard. Unfortunately we can't really test for all of
that ourselves because (a) there is too much weird code out there, it's
not like in the olden days where you could have a grid running in what
we would now call a virtual environment, and (b) we haven't the effort.

Unfortunately, it has to be done - as support for SHA1 signatures is
being withdrawn, we must publish a SHA2-signed certificate.
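
The old and new subject hashes discussed in this thread, as an added example (not code from the post or from OpenSSL): a simplified Python model in which the old hash covers the name's DER bytes exactly as stored and the new hash covers a canonical form, so the old hash can only differ when the ASN.1 encoding differs. It assumes short ASCII attribute values; the DN is constructed and all helper names are hypothetical.

```python
import hashlib

PRINTABLE, UTF8 = 0x13, 0x0C  # ASN.1 string type tags
OID = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "CN": b"\x55\x04\x03"}
# Constructed sample DN, not the DN of any real CA certificate.
SAMPLE_DN = [("C", "XX"), ("O", "Example Grid"), ("CN", "Example CA 2B")]

def tlv(tag, body):
    """DER tag-length-value; short-form lengths only (enough for this sample)."""
    if len(body) >= 128:
        raise ValueError("long-form DER lengths are not modelled here")
    return bytes([tag, len(body)]) + body

def rdn(attr, value, string_tag):
    """One RDN: SET { SEQUENCE { OID, string value } }."""
    atv = tlv(0x30, tlv(0x06, OID[attr]) + tlv(string_tag, value.encode()))
    return tlv(0x31, atv)

def name_der(rdns, string_tag):
    """DER encoding of the whole Name as it would sit in a certificate."""
    return tlv(0x30, b"".join(rdn(a, v, string_tag) for a, v in rdns))

def le32(digest):
    """Both schemes keep the first four digest bytes, read little-endian."""
    return "%08x" % int.from_bytes(digest[:4], "little")

def hash_old(rdns, string_tag):
    """0.9.x style: MD5 over the stored DER, so the string type matters."""
    der = name_der(rdns, string_tag)
    return le32(hashlib.md5(der, usedforsecurity=False).digest())

def hash_new(rdns):
    """1.x style: SHA-1 over a canonical form (values as UTF8String,
    lowercased, whitespace collapsed, no outer SEQUENCE header)."""
    canon = b"".join(rdn(a, " ".join(v.lower().split()), UTF8) for a, v in rdns)
    return le32(hashlib.sha1(canon, usedforsecurity=False).digest())

if __name__ == "__main__":
    for label, tag in (("PrintableString", PRINTABLE), ("UTF8String", UTF8)):
        print(label, "old:", hash_old(SAMPLE_DN, tag), "new:", hash_new(SAMPLE_DN))
```

Two certificates whose names are byte-identical in DER get the same value from both functions; only a change in the stored encoding moves the old hash.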