URL:
<http://savannah.cern.ch/support/?126060>
Summary: gsi auth plugin caches (expired) host certificate?
Project: XROOTD
Submitted by: iven
Submitted on: 2012-02-03 08:55
Category: None
Priority: 5 - Normal
Severity: 3 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Operating System: GNU/Linux
_______________________________________________________
Details:
xrootd-server-3.0.4-0
openssl-0.9.8e-20.el5

GSI authentication failed with messages such as:

120203 00:00:25 6150 XrootdXeq: User authentication failed; Secgsi: ErrParseBuffer: certificate has expired - go and get a new one: kXGC_certreq

Nevertheless, the certificate on disk had been renewed:

[root@c2atlassrv301 ~]# grep /xrootd-server-cert.pem /etc/xrd.cf
sec.protocol gsi -crl:3 -cert:/etc/grid-security/xrootd-server/xrootd-server-cert.pem -key:/etc/grid-security/xrootd-server/xrootd-server-key.pem -gridmap:/etc/grid-security/grid-mapfile -d:0 -gmapopt:2
[root@c2atlassrv301 ~]# ll /etc/grid-security/xrootd-server/xrootd-server-cert.pem
-rw-r--r-- 1 stage st 2422 Jan 30 09:37 /etc/grid-security/xrootd-server/xrootd-server-cert.pem
[root@c2atlassrv301 ~]# openssl x509 -in /etc/grid-security/xrootd-server/xrootd-server-cert.pem -noout -enddate
notAfter=Jan 22 16:15:40 2013 GMT

However, the daemon had not been restarted afterwards:

[root@c2atlassrv301 ~]# ps axo lstart,pid,cmd | grep xroot
Tue Jan 17 11:01:03 2012 6150 /opt/xrootd/bin/xrootd -n manager -r -c /etc/xrd.cf -l /var/log/xroot/xrdlog.manager -b -R stage

Would it be possible to stat() and re-read the host certificate+key
occasionally (of course, this should be cached for some reasonable time, i.e.
not re-read at every connection), and at least in case the certificate appears
to be expired?
Or would this be already fixed in a more recent xrootd release?
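
The condition shown in the report (daemon started Jan 17, certificate file written Jan 30) can be detected from the operator side before clients start failing. The script below is an added example, not part of the original ticket or of XRootD; the function names are hypothetical, and it assumes GNU ps, date and stat plus `openssl x509 -checkend`.

```shell
#!/bin/bash
# Added example: flag a daemon that is older than the certificate file
# it read at startup, so it can only be holding the previous certificate.

# Epoch start time of a process, taken from the same `ps ... lstart`
# field used in the report.
proc_start_epoch() {        # args: pid
    local started
    started=$(ps -o lstart= -p "$1") || return 1
    date -d "$started" +%s
}

# Succeeds (0) when the certificate file was modified after the given
# start time; returns 2 when the file cannot be stat()ed.
cert_renewed_after() {      # args: start_epoch cert_file
    local mtime
    mtime=$(stat -c %Y "$2") || return 2
    [ "$mtime" -gt "$1" ]
}

# Classify one daemon/certificate pair and print a one-line verdict.
check_daemon_cert() {       # args: pid cert_file
    local start
    start=$(proc_start_epoch "$1") || { echo "UNKNOWN: no process $1"; return 3; }
    # -checkend 0 fails when the certificate on disk is already expired
    # (or the file cannot be parsed at all).
    if ! openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1; then
        echo "EXPIRED_OR_UNREADABLE_ON_DISK: $2"; return 2
    fi
    if cert_renewed_after "$start" "$2"; then
        echo "STALE_IN_MEMORY: pid $1 predates $2, restart required"; return 1
    fi
    echo "OK: pid $1 started after $2 was last written"
}

# Usage: check-cert.sh <pid> <cert.pem>
if [ "$#" -eq 2 ]; then check_daemon_cert "$1" "$2"; fi
```

Run from cron against the daemon's PID and the path given to `-cert:`, a non-zero exit status can feed an existing monitoring alert.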