Thursday, January 21, 2010

Changes in new version of OpenSSL

This is an informational notice only; OSG sites do not need to take any action at this time.

OpenSSL 1.x is changing the way certificate files are named in the trust anchor store (for grid middleware, the certificate files are usually stored in the "/etc/grid-security/certificates/" directory).

Traditionally, OpenSSL used an MD5 hash to name the certificate files (a name would look something like 9ff26ea4.0). The new version has moved to using a SHA1 hash to create the certificate names. Installing the new OpenSSL version on a machine means that OpenSSL will NOT find the certificates installed in the trust store, because the IGTF distribution uses the older naming. In short, authentication on that machine will stop working. The IGTF distribution has proposed changes that will fix this issue, and a new distribution will be released once these changes have been completed.
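
One way to check a trust anchor directory for this condition, as an added example that is not part of the original notice: for each CA certificate it computes the old-style and new-style subject hashes and reports whether a matching hash-named file exists. It assumes an openssl binary of version 1.0.0 or later on the PATH (required for -subject_hash_old); the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original notice): audit a trust anchor
# directory for old-style (MD5) and new-style (SHA1) hash file names.
# Assumption: the openssl on PATH is 1.0.0 or later, the first release
# that offers -subject_hash_old.

# Print the subject hash of PEM certificate $1 using x509 option $2.
subject_hash() {
    openssl x509 -noout "$2" -in "$1" 2>/dev/null
}

# Succeed if directory $1 contains a lookup file <hash>.<digit> for hash $2.
has_lookup_file() {
    for f in "$1/$2".[0-9]; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# Print one line per distinct CA subject found in directory $1:
#   <old_hash>:<present|missing> <new_hash>:<present|missing>
# Return 1 if any CA lacks the new-style name, which is the case where
# OpenSSL 1.x cannot find the certificate.
check_store() {
    dir=$1 seen=" " rc=0
    for cert in "$dir"/*.[0-9] "$dir"/*.pem; do
        [ -f "$cert" ] || continue
        # Files that do not parse as a certificate are skipped.
        new=$(subject_hash "$cert" -subject_hash) || continue
        old=$(subject_hash "$cert" -subject_hash_old) || continue
        # The same CA may appear under several file names; report it once.
        case $seen in *" $new "*) continue ;; esac
        seen="$seen$new "
        if has_lookup_file "$dir" "$old"; then o=present; else o=missing; fi
        if has_lookup_file "$dir" "$new"; then n=present; else n=missing; rc=1; fi
        printf '%s:%s %s:%s\n' "$old" "$o" "$new" "$n"
    done
    return $rc
}

# Usage: check_store /etc/grid-security/certificates
```

A "missing" in the second column marks a CA that a machine running OpenSSL 1.x would fail to find in that directory.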

If you have other concerns related to this, please let us know. We are also investigating how other pieces of our distribution may be affected by this change.