Test run with two simple programs, both of which call globus_gss_assist_acquire_cred to load the certificate to be used for the communication. The server calls globus_gss_assist_accept_sec_context while the client calls globus_gss_init_sec_context. The error condition is checked with GSS_ERROR(major) on the return value of the call.

globus_gss_assist_acquire_cred

The only two cases in which this call fails are when it cannot find the certificate to use, or when it finds it but it has expired. No error message is reported in the case where it is the CA that has problems.

the certificate is not found

GSS Major Status: General failure
GSS Minor Status Error Chain:
globus_gsi_gssapi: Error with GSI credential
globus_gsi_gssapi: Error with gss credential handle
globus_credential: Valid credentials could not be found in any of the possible locations specified by the credential search order.
Valid credentials could not be found in any of the possible locations specified by the credential search order.

Attempt 1

globus_credential: Error reading host credential
globus_sysconfig: Error with certificate filename
globus_sysconfig: Error with certificate filename
globus_sysconfig: File is not owned by current user: /etc/grid-security/hostcert.pem is not owned by current user

Attempt 2

globus_credential: Error reading proxy credential
globus_sysconfig: Could not find a valid proxy certificate file location
globus_sysconfig: Error with key filename
globus_sysconfig: File does not exist: /tmp/x509up_u501 is not a valid file

Attempt 3

globus_credential: Error reading user credential
globus_credential: Key is password protected: GSI does not currently support password protected private keys.
OpenSSL Error: pem_lib.c:401: in library: PEM routines, function PEM_do_header: bad password read

This test also shows the order in which globus_gss_assist_acquire_cred searches for the certificate: first in /etc/grid-security/hostcert.pem, then in /tmp/x509up_u, then in $HOME/.globus/usercert.pem (presumably; the path is not shown). The last two locations can be changed with the X509_USER_PROXY and X509_USER_CERT variables.

the certificate found has expired

GSS Major Status: General failure
GSS Minor Status Error Chain:
globus_gsi_gssapi: Error with GSI credential
globus_gsi_gssapi: Error with gss credential handle
globus_credential: Error with credential: The proxy credential: /tmp/x509up_u501
      with subject: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Valerio Venturi/emailAddress=valerio.venturi@cnaf.infn.it/CN=proxy
      expired 0 minutes ago.

globus_gss_assist_{init, accept}_sec_context

the CA is not trusted (the CA certificate is not in ${X509_CERT_DIR:-/etc/grid-security})

The error messages are not symmetric (this looks like a bug in globus_gss_assist_accept_sec_context).

In the case where it is the server that uses a certificate signed by a CA not trusted by the client, the server reports the useless message

Failed to establish security context :
GSS Major Status: Some Other GSS failure
GSS Minor Status Error Chain:
(null)valerio@datatag6 gsi $
corresponding to the (minor, major) pair (0, 17367040)

while the client reports the clear message

Failed to establish security context :
GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
globus_gss_assist: Error during context initialization
OpenSSL Error: s3_clnt.c:842: in library: SSL routines, function SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: Can't get the local trusted CA certificate: Cannot find issuer certificate for local credential with subject: /C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=expired server

corresponding to (16, 655360)

In the case where it is the client that uses a certificate signed by a CA not trusted by the server, the server reports the clear message

GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
globus_gsi_gssapi: SSLv3 handshake problems
OpenSSL Error: s3_srvr.c:2010: in library: SSL routines, function SSL3_GET_CLIENT_CERTIFICATE: no certificate returned
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: Can't get the local trusted CA certificate: Cannot find issuer certificate for local credential with subject: /C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=expired client

corresponding to (15, 655360)

while the client reports a rather obscure message

Failed to establish security context :
GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
globus_gss_assist: Error during context initialization
globus_gsi_gssapi: Unable to verify remote side's credentials
globus_gsi_gssapi: Unable to verify remote side's credentials: Couldn't verify the remote certificate
OpenSSL Error: s3_pkt.c:1052: in library: SSL routines, function SSL3_READ_BYTES: sslv3 alert bad certificate SSL alert number 42

corresponding to (13, 655360)
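
To make the (minor, major) pairs quoted above readable, here is an added C example (not part of the test programs described on this page) that splits a GSS-API major status word into its calling-error, routine-error and supplementary fields using the bit layout of RFC 2744; the macros are re-declared locally so it builds without gssapi.h. It shows that 655360 is GSS_S_DEFECTIVE_CREDENTIAL, while 17367040, the major status behind the server's "(null)" message, decodes to GSS_S_CALL_INACCESSIBLE_READ combined with GSS_S_DEFECTIVE_TOKEN.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Bit layout of a GSS-API major status word as specified in RFC 2744,
 * re-declared here so the example builds without gssapi.h. */
#define GSS_C_CALLING_ERROR_OFFSET 24
#define GSS_C_ROUTINE_ERROR_OFFSET 16
#define GSS_C_CALLING_ERROR_MASK   0377u
#define GSS_C_ROUTINE_ERROR_MASK   0377u
#define GSS_C_SUPPLEMENTARY_MASK   0177777u
#define GSS_CALLING_ERROR(x) ((x) & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET))
#define GSS_ROUTINE_ERROR(x) ((x) & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))
#define GSS_SUPPLEMENTARY_INFO(x) ((x) & GSS_C_SUPPLEMENTARY_MASK)
/* GSS_ERROR() is what the test programs check: non-zero iff the call failed. */
#define GSS_ERROR(x) (GSS_CALLING_ERROR(x) | GSS_ROUTINE_ERROR(x))

static const char *const calling_names[] = {
    "none", "GSS_S_CALL_INACCESSIBLE_READ", "GSS_S_CALL_INACCESSIBLE_WRITE",
    "GSS_S_CALL_BAD_STRUCTURE" };
static const char *const routine_names[] = {
    "none", "GSS_S_BAD_MECH", "GSS_S_BAD_NAME", "GSS_S_BAD_NAMETYPE",
    "GSS_S_BAD_BINDINGS", "GSS_S_BAD_STATUS", "GSS_S_BAD_SIG", "GSS_S_NO_CRED",
    "GSS_S_NO_CONTEXT", "GSS_S_DEFECTIVE_TOKEN", "GSS_S_DEFECTIVE_CREDENTIAL",
    "GSS_S_CREDENTIALS_EXPIRED", "GSS_S_CONTEXT_EXPIRED", "GSS_S_FAILURE",
    "GSS_S_BAD_QOP", "GSS_S_UNAUTHORIZED", "GSS_S_UNAVAILABLE",
    "GSS_S_DUPLICATE_ELEMENT", "GSS_S_NAME_NOT_MN" };

unsigned gss_calling_code(uint32_t major) { return GSS_CALLING_ERROR(major) >> GSS_C_CALLING_ERROR_OFFSET; }
unsigned gss_routine_code(uint32_t major) { return GSS_ROUTINE_ERROR(major) >> GSS_C_ROUTINE_ERROR_OFFSET; }
int gss_major_failed(uint32_t major) { return GSS_ERROR(major) != 0; }

/* Symbolic name of each field, or "unknown" for codes outside RFC 2744. */
static const char *lookup(const char *const *tab, size_t n, unsigned code) { return code < n ? tab[code] : "unknown"; }
const char *gss_routine_name(uint32_t m) { return lookup(routine_names, sizeof routine_names / sizeof *routine_names, gss_routine_code(m)); }
const char *gss_calling_name(uint32_t m) { return lookup(calling_names, sizeof calling_names / sizeof *calling_names, gss_calling_code(m)); }

int main(void) {
    /* Major status values quoted in the test report above, plus a success value. */
    const uint32_t samples[] = { 17367040u, 655360u, 0u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t major = samples[i];
        printf("major=%u failed=%d calling=%s routine=%s supplementary=0x%x\n", (unsigned)major,
               gss_major_failed(major), gss_calling_name(major), gss_routine_name(major),
               (unsigned)GSS_SUPPLEMENTARY_INFO(major));
    }
    return 0;
}
```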

the CA certificate has expired

In this case too the messages are not symmetric.

In the case where it is the server that uses a certificate signed by a CA whose certificate has expired, the server reports the useless message

Failed to establish security context :
GSS Major Status: Some Other GSS failure
GSS Minor Status Error Chain:
(null)valerio@datatag6 gsi $

and the client reports the clear message

Failed to establish security context :
GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
globus_gss_assist: Error during context initialization
OpenSSL Error: s3_clnt.c:842: in library: SSL routines, function SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: The certificate has expired: Credential with subject: /C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the expired CA has expired.

In the case where it is the client that uses a certificate signed by a CA whose certificate has expired, the server reports the clear message

Failed to establish security context :
GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
globus_gsi_gssapi: SSLv3 handshake problems
OpenSSL Error: s3_srvr.c:2010: in library: SSL routines, function SSL3_GET_CLIENT_CERTIFICATE: no certificate returned
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: The certificate has expired: Credential with subject: /C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=the expired CA has expired.

and the client reports the rather obscure message

GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
globus_gss_assist: Error during context initialization
globus_gsi_gssapi: Unable to verify remote side's credentials
globus_gsi_gssapi: SSLv3 handshake problems: Couldn't do ssl handshake
OpenSSL Error: s3_pkt.c:1052: in library: SSL routines, function SSL3_READ_BYTES: sslv3 alert certificate expired SSL alert number 45

the CA's CRLs have expired

Topic revision: r1 - 2006-07-12 - ValerioVenturi