Test carried out with two simple programs that both call globus_gss_assist_acquire_cred to load the certificate used for the communication. The [[GlobusGssAssistTestServerCode][server]] calls globus_gss_assist_accept_sec_context while the [[GlobusGssAssistTestClientCode][client]] calls globus_gss_init_sec_context. The error condition is checked with GSS_ERROR(major) on the return value of the call.
---+++ globus_gss_assist_acquire_cred
The only two cases in which this call fails are when it cannot find the certificate to use, or when it finds it but it has expired. No error message is reported when it is the CA that has problems.
---++++ the certificate is not found
<verbatim>
GSS Major Status: General failure
GSS Minor Status Error Chain:
globus_gsi_gssapi: Error with GSI credential
globus_gsi_gssapi: Error with gss credential handle
globus_credential: Valid credentials could not be found in any of the possible locations specified by the credential search order.
Valid credentials could not be found in any of the possible locations specified by the credential search order.
Attempt 1
globus_credential: Error reading host credential
globus_sysconfig: Error with certificate filename
globus_sysconfig: Error with certificate filename
globus_sysconfig: File is not owned by current user: /etc/grid-security/hostcert.pem is not owned by current user
Attempt 2
globus_credential: Error reading proxy credential
globus_sysconfig: Could not find a valid proxy certificate file location
globus_sysconfig: Error with key filename
globus_sysconfig: File does not exist: /tmp/x509up_u501 is not a valid file
Attempt 3
globus_credential: Error reading user credential
globus_credential: Key is password protected: GSI does not currently support password protected private keys.
OpenSSL Error: pem_lib.c:401: in library: PEM routines, function PEM_do_header: bad password read
</verbatim>
This test also shows where globus_gss_assist_acquire_cred looks for the certificate: first /etc/grid-security/hostcert.pem, then /tmp/x509up_u<uid>, then $HOME/.globus/usercert.pem (presumably; that path is not shown). The last two locations can be changed with the X509_USER_PROXY and X509_USER_CERT variables.
---++++ the certificate found has expired
<verbatim>
GSS Major Status: General failure
GSS Minor Status Error Chain:
globus_gsi_gssapi: Error with GSI credential
globus_gsi_gssapi: Error with gss credential handle
globus_credential: Error with credential: The proxy credential: /tmp/x509up_u501 with subject: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Valerio Venturi/emailAddress=valerio.venturi@cnaf.infn.it/CN=proxy expired 0 minutes ago.
</verbatim>
---+++ globus_gss_assist_{init, accept}_sec_context
---++++ the CA is not trusted (the CA certificate is not in ${X509_CERT_DIR:-/etc/grid-security})
The error messages are not symmetric (this looks like a bug in globus_gss_assist_accept_sec_context).
When it is the server that uses a certificate signed by a CA not trusted by the client, the server reports the useless message
<verbatim>
Failed to establish security context :
GSS Major Status: Some Other GSS failure
GSS Minor Status Error Chain:
(null)valerio@datatag6 gsi $
</verbatim>
corresponding to the (minor, major) pair (0, 17367040), while the client reports the clear message
<verbatim>
Failed to establish security context :
GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
globus_gss_assist: Error during context initialization
OpenSSL Error: s3_clnt.c:842: in library: SSL routines, function SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: Can't get the local trusted CA certificate: Cannot find issuer
certificate for local credential with subject: /C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=expired server
</verbatim>
corresponding to (16, 655360).
When it is the client that uses a certificate signed by a CA not trusted by the server, the server reports the clear message
<verbatim>
GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
globus_gsi_gssapi: SSLv3 handshake problems
OpenSSL Error: s3_srvr.c:2010: in library: SSL routines, function SSL3_GET_CLIENT_CERTIFICATE: no certificate returned
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: Can't get the local trusted CA certificate: Cannot find issuer certificate for local credential with subject: /C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=expired client
</verbatim>
corresponding to (15, 655360), while the client reports a rather obscure message
<verbatim>
Failed to establish security context :
GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
globus_gss_assist: Error during context initialization
globus_gsi_gssapi: Unable to verify remote side's credentials
globus_gsi_gssapi: Unable to verify remote side's credentials: Couldn't verify the remote certificate
OpenSSL Error: s3_pkt.c:1052: in library: SSL routines, function SSL3_READ_BYTES: sslv3 alert bad certificate SSL alert number 42
</verbatim>
corresponding to (13, 655360).
---++++ the CA certificate has expired
In this case too the messages are not symmetric.
When it is the server that uses a certificate signed by a CA whose certificate has expired, the server reports the useless message
<verbatim>
Failed to establish security context :
GSS Major Status: Some Other GSS failure
GSS Minor Status Error Chain:
(null)valerio@datatag6 gsi $
</verbatim>
and the client reports the clear message
<verbatim>
Failed to establish security context :
GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
globus_gss_assist: Error during context initialization
OpenSSL Error: s3_clnt.c:842: in library: SSL routines, function SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: The certificate has expired: Credential with subject: /C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the expired CA has expired.
</verbatim>
When it is the client that uses a certificate signed by a CA whose certificate has expired, the server reports the clear message
<verbatim>
Failed to establish security context :
GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
globus_gsi_gssapi: SSLv3 handshake problems
OpenSSL Error: s3_srvr.c:2010: in library: SSL routines, function SSL3_GET_CLIENT_CERTIFICATE: no certificate returned
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: The certificate has expired: Credential with subject: /C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the expired CA has expired.
</verbatim>
and the client reports the rather obscure message
<verbatim>
GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
globus_gss_assist: Error during context initialization
globus_gsi_gssapi: Unable to verify remote side's credentials
globus_gsi_gssapi: SSLv3 handshake problems: Couldn't do ssl handshake
OpenSSL Error: s3_pkt.c:1052: in library: SSL routines, function SSL3_READ_BYTES: sslv3 alert certificate expired SSL alert number 45
</verbatim>
---++++ the CA's CRLs have expired
When it is the client that has expired CRLs for the CA that issued the server's certificate, the problem is indicated clearly
<verbatim>
Failed to establish security context :
GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
init.c:264: globus_gss_assist_init_sec_context: Error during context initialization
init_sec_context.c:187: gss_init_sec_context: Unable to verify remote side's credentials
globus_i_gsi_gss_utils.c:898: globus_i_gsi_gss_handshake: SSLv3 handshake problems: Couldn't do ssl handshake
OpenSSL Error: s3_clnt.c:836: in library: SSL routines, function SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
globus_gsi_callback.c:349: globus_i_gsi_callback_handshake_callback: Could not verify credential
globus_gsi_callback.c:466: globus_i_gsi_callback_proxy_verify: Could not verify credential
globus_gsi_callback.c:717: globus_i_gsi_callback_check_revoked: Invalid CRL: The available CRL has expired
</verbatim>
and the server reports only a read failure message
<verbatim>
Failed reading length 0
Failed to establish security context : globus_gss_assist token :3: read failure: Connection closed
</verbatim>
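The (minor, major) pairs quoted in the untrusted-CA section can be decoded with the standard GSS-API status macros, which is what GSS_ERROR(major) in the test programs relies on. The following is an added example, not the server or client code linked from this page: it reproduces the RFC 2744 status layout so it builds without the Globus headers, and decodes the two major values quoted above (17367040 and 655360).

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
typedef uint32_t OM_uint32;

/* Status-code layout as defined in RFC 2744 (gssapi.h), reproduced here so the
 * example builds without the Globus headers; GSS_ERROR is written equivalently. */
#define GSS_C_CALLING_ERROR_OFFSET 24
#define GSS_C_ROUTINE_ERROR_OFFSET 16
#define GSS_C_CALLING_ERROR_MASK   ((OM_uint32) 0377ul)
#define GSS_C_ROUTINE_ERROR_MASK   ((OM_uint32) 0377ul)
#define GSS_C_SUPPLEMENTARY_MASK   ((OM_uint32) 0177777ul)
#define GSS_CALLING_ERROR(x)      ((x) & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET))
#define GSS_ROUTINE_ERROR(x)      ((x) & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))
#define GSS_SUPPLEMENTARY_INFO(x) ((x) & GSS_C_SUPPLEMENTARY_MASK)
#define GSS_ERROR(x) (GSS_CALLING_ERROR(x) | GSS_ROUTINE_ERROR(x))
#define GSS_S_CALL_INACCESSIBLE_READ ((OM_uint32) 1 << GSS_C_CALLING_ERROR_OFFSET)
#define GSS_S_DEFECTIVE_TOKEN        ((OM_uint32) 9 << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_DEFECTIVE_CREDENTIAL   ((OM_uint32) 10 << GSS_C_ROUTINE_ERROR_OFFSET)

/* Routine-error names in RFC 2744 order; the index is the routine error value. */
static const char *const routine_names[] = {
    "COMPLETE", "BAD_MECH", "BAD_NAME", "BAD_NAMETYPE", "BAD_BINDINGS",
    "BAD_STATUS", "BAD_MIC", "NO_CRED", "NO_CONTEXT", "DEFECTIVE_TOKEN",
    "DEFECTIVE_CREDENTIAL", "CREDENTIALS_EXPIRED", "CONTEXT_EXPIRED", "FAILURE",
    "BAD_QOP", "UNAUTHORIZED", "UNAVAILABLE", "DUPLICATE_ELEMENT", "NAME_NOT_MN"
};

/* Symbolic name of the routine-error field of a major status. */
const char *gss_routine_name(OM_uint32 major)
{
    OM_uint32 code = GSS_ROUTINE_ERROR(major) >> GSS_C_ROUTINE_ERROR_OFFSET;
    return code < sizeof routine_names / sizeof routine_names[0] ? routine_names[code] : "UNKNOWN";
}

/* Same check as the test programs: non-zero means the GSS call failed.
 * Supplementary bits such as GSS_S_CONTINUE_NEEDED (1) are deliberately ignored. */
int gss_call_failed(OM_uint32 major) { return GSS_ERROR(major) != 0; }

int main(void)
{
    /* The two major values quoted above: (minor, major) = (0, 17367040) and (16, 655360). */
    const OM_uint32 samples[] = { 17367040u, 655360u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        OM_uint32 m = samples[i];
        printf("major %lu: calling=%lu routine=%s supplementary=0x%04lx failed=%d\n",
               (unsigned long) m, (unsigned long) (GSS_CALLING_ERROR(m) >> GSS_C_CALLING_ERROR_OFFSET),
               gss_routine_name(m), (unsigned long) GSS_SUPPLEMENTARY_INFO(m), gss_call_failed(m));
    }
    return 0;
}
```

17367040 decodes to the calling error GSS_S_CALL_INACCESSIBLE_READ together with the routine error DEFECTIVE_TOKEN, so the server's "Some Other GSS failure" with an empty chain is a token read problem on the accept side, not a verification result; 655360 is simply GSS_S_DEFECTIVE_CREDENTIAL.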
Topic revision: r3 - 2006-09-05 - ValerioVenturi