URL:
  <http://savannah.cern.ch/support/?126060>

                 Summary: gsi auth plugin caches (expired) host certificate?
                 Project: XROOTD
            Submitted by: iven
            Submitted on: 2012-02-03 08:55
                Category: None
                Priority: 5 - Normal
                Severity: 3 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
        Operating System: GNU/Linux

    _______________________________________________________

Details:

xrootd-server-3.0.4-0
openssl-0.9.8e-20.el5

GSI authentication failed with messages such as

120203 00:00:25 6150 XrootdXeq: User authentication failed; Secgsi: ErrParseBuffer: certificate has expired - go and get a new one: kXGC_certreq

Nevertheless, the certificate on disk had been renewed:

[root@c2atlassrv301 ~]# grep /xrootd-server-cert.pem /etc/xrd.cf
sec.protocol gsi -crl:3 -cert:/etc/grid-security/xrootd-server/xrootd-server-cert.pem -key:/etc/grid-security/xrootd-server/xrootd-server-key.pem -gridmap:/etc/grid-security/grid-mapfile -d:0 -gmapopt:2

[root@c2atlassrv301 ~]# ll /etc/grid-security/xrootd-server/xrootd-server-cert.pem
-rw-r--r-- 1 stage st 2422 Jan 30 09:37 /etc/grid-security/xrootd-server/xrootd-server-cert.pem


[root@c2atlassrv301 ~]# openssl x509 -in /etc/grid-security/xrootd-server/xrootd-server-cert.pem -noout -enddate
notAfter=Jan 22 16:15:40 2013 GMT

However, the daemon had not been restarted afterwards:

[root@c2atlassrv301 ~]# ps axo lstart,pid,cmd | grep xroot
Tue Jan 17 11:01:03 2012  6150 /opt/xrootd/bin/xrootd -n manager -r -c /etc/xrd.cf -l /var/log/xroot/xrdlog.manager -b -R stage


Would it be possible to stat() and re-read the host certificate+key
occasionally (of course, this should be cached for some reasonable time, i.e.
not re-read at every connection), and at least in case the certificate appears
to be expired?

Or would this be already fixed in a more recent xrootd release?
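The reload policy the report asks for, written out as an added example (this is not xrootd's code). It assumes a hypothetical `HostCredentialCache` wrapper around the cert+key, an injected `not_after_of` parser (a constructed `# notAfter=` marker stands in for real X.509 parsing), and replays the ticket's own timeline: cached copy served inside the check interval, a stat()-driven reload once the interval elapses, and an immediate reload when the cached certificate is already expired.

```python
import os, tempfile
from datetime import datetime, timedelta
from pathlib import Path

def not_after_from_marker(pem: bytes) -> datetime:
    # Constructed stand-in for an X.509 notAfter parser (real code would ask OpenSSL):
    # demo() writes a '# notAfter=<ISO 8601>' marker above a fake PEM body.
    marker = next(l for l in pem.decode().splitlines() if l.startswith("# notAfter="))
    return datetime.fromisoformat(marker.split("=", 1)[1])

class HostCredentialCache:
    """Hypothetical: cert+key in memory, file re-stat()ed every min_check_interval or when expired."""
    def __init__(self, cert_path, key_path, not_after_of, min_check_interval=timedelta(minutes=10)):
        self.cert_path, self.key_path, self.not_after_of = cert_path, key_path, not_after_of
        self.min_check_interval, self.reloads, self._cert = min_check_interval, 0, None
    def _load(self, now):
        self._cert, self._key = Path(self.cert_path).read_bytes(), Path(self.key_path).read_bytes()
        self._mtime = os.stat(self.cert_path).st_mtime_ns  # identity of the copy we hold
        self._not_after, self._last_check = self.not_after_of(self._cert), now
        self.reloads += 1
    def get(self, now: datetime):
        if self._cert is None:
            self._load(now)
        elif now >= self._not_after or now - self._last_check >= self.min_check_interval:
            self._last_check = now
            if os.stat(self.cert_path).st_mtime_ns != self._mtime:  # renewed since we loaded it
                self._load(now)
        if now >= self._not_after:  # still expired: nothing newer on disk, refuse to use it
            raise RuntimeError("host certificate has expired - go and get a new one")
        return self._cert, self._key

def demo():  # replays the ticket's timeline on constructed files, returns the decisions taken
    d = Path(tempfile.mkdtemp()); cert, key = d / "cert.pem", d / "key.pem"
    key.write_text("-----BEGIN RSA PRIVATE KEY-----\nconstructed\n-----END RSA PRIVATE KEY-----\n")
    def install_cert(not_after, mtime):  # explicit mtime so each install is distinguishable
        cert.write_text(f"# notAfter={not_after.isoformat()}\n-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n")
        os.utime(cert, (mtime, mtime))
    old, new = datetime(2012, 2, 3, 0, 0, 0), datetime(2013, 1, 22, 16, 15, 40)
    start, failure, r = datetime(2012, 1, 17, 11, 1, 3), datetime(2012, 2, 3, 0, 0, 25), {}
    install_cert(old, 1); c = HostCredentialCache(cert, key, not_after_from_marker)
    c.get(start); install_cert(new, 2)        # daemon starts with the old cert; Jan 30: renewed on disk
    c.get(start + timedelta(minutes=1))       # inside interval and not expired: no stat() at all
    r["stale_inside_interval"] = c.reloads == 1
    c.get(start + timedelta(minutes=10))      # interval elapsed: stat() sees the change, reload
    r["reloaded_when_due"] = c.reloads == 2
    install_cert(old, 3); c2 = HostCredentialCache(cert, key, not_after_from_marker, timedelta(days=365))
    c2.get(start); install_cert(new, 4)       # second daemon whose check interval never comes due
    c2.get(failure)                           # cached cert expired at 00:00:25: interval bypassed
    r["reloaded_on_expiry"] = c2.reloads == 2
    return r
```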

    _______________________________________________________

Reply to this item at:

  <http://savannah.cern.ch/support/?126060>

_______________________________________________
  Message sent via/by LCG Savannah
  http://savannah.cern.ch/
