Actually, I did use -d:3 when testing, I just didn't mention it.

With these security directives:
sec.protocol gsi -d:3 -crl:0 -ca:1
xrootd.seclib /usr/lib64/libXrdSec.so

I get this result:

[root@vm08 ~]# sudo -u xrootd xrootd -c /etc/xrootd/xrootd-clustered.cfg
120706 18:07:16 1860 Scalla is starting. . .
Copr.  2010 Stanford University, xrd version v3.2.2
++++++ xrootd [log in to unmask] initialization started.
Config using configuration file /etc/xrootd/xrootd-clustered.cfg
=====> xrd.report vm08:3333,vm08:4444 every 5m all
=====> all.adminpath /var/spool/xrootd
Config maximum number of connections restricted to 65500
Copr.  2007 Stanford University, xrootd version 2.9.7 build v3.2.2
++++++ xrootd protocol initialization started.
=====> all.export /data
=====> all.pidpath /var/run/xrootd
=====> xrootd.seclib /usr/lib64/libXrdSec.so
Config exporting /data
++++++ Authentication system initialization started.
120706 18:07:16 1860 secgsi_InitOpts: ***
------------------------------------------------------------ ***
120706 18:07:16 1860 secgsi_InitOpts:  Mode: server
120706 18:07:16 1860 secgsi_InitOpts:  Debug: 3
120706 18:07:16 1860 secgsi_InitOpts:  CA dir: /etc/grid-security/certificates/
120706 18:07:16 1860 secgsi_InitOpts:  CA verification level: 1
120706 18:07:16 1860 secgsi_InitOpts:  CRL dir: /etc/grid-security/certificates/
120706 18:07:16 1860 secgsi_InitOpts:  CRL extension: .r0
120706 18:07:16 1860 secgsi_InitOpts:  CRL check level: 0
120706 18:07:16 1860 secgsi_InitOpts:  Certificate:
/etc/grid-security/xrd/xrdcert.pem
120706 18:07:16 1860 secgsi_InitOpts:  Key: /etc/grid-security/xrd/xrdkey.pem
120706 18:07:16 1860 secgsi_InitOpts:  Proxy delegation option: 0
120706 18:07:16 1860 secgsi_InitOpts:  GRIDmap file:
/etc/grid-security/grid-mapfile
120706 18:07:16 1860 secgsi_InitOpts:  GRIDmap option: 1
120706 18:07:16 1860 secgsi_InitOpts:  GRIDmap cache entries
expiration (secs): -1
120706 18:07:16 1860 secgsi_InitOpts:  Client proxy availability in
XrdSecEntity.endorsement: 0
120706 18:07:16 1860 secgsi_InitOpts:  VOMS option: 1
120706 18:07:16 1860 secgsi_InitOpts:  MonInfo option: 0
120706 18:07:16 1860 secgsi_InitOpts:  Crypto modules: ssl
120706 18:07:16 1860 secgsi_InitOpts:  Ciphers: aes-128-cbc:bf-cbc:des-ede3-cbc
120706 18:07:16 1860 secgsi_InitOpts:  MDigests: sha1:md5
120706 18:07:16 1860 secgsi_InitOpts: ***
------------------------------------------------------------ ***
120706 18:07:16 1860 secgsi_Init: option CACheck: 1
120706 18:07:16 1860 secgsi_Init: using CA dir(s):
/etc/grid-security/certificates/
120706 18:07:16 1860 secgsi_Init: option CRLCheck: 0 ('do-not-care';
download? no)
120706 18:07:16 1860 secgsi_Init: CRL information refreshed every 86400 secs
120706 18:07:16 1860 crypto_Factory::GetCryptoFactory: loading ssl
crypto factory object from libXrdCrypto.so
120706 18:07:16 1860 crypto_Factory::GetCryptoFactory: loading ssl
crypto factory object from libXrdCryptossl.so
120706 18:07:16 1860 sut_Rndm::GetBuffer: enter: len: 32
120706 18:07:16 1860 sut_Rndm::Init: taking seed from /dev/urandom
120706 18:07:16 1860 cryptossl_sslCipher::XrdCryptosslCipher: generate
DH full key
120706 18:07:16 1860 sut_Cache::Init: cache allocated for 100 entries
120706 18:07:16 1860 sut_Cache::Rehash: Hash table updated (found 0
active entries)
120706 18:07:16 1860 sut_Cache::Init: cache allocated for 10 entries
120706 18:07:16 1860 sut_Cache::Rehash: Hash table updated (found 0
active entries)
120706 18:07:16 1860 sut_Cache::Get: locating entry for ID: ssl
120706 18:07:16 1860 sut_Cache::Rehash: hash table is up-to-date
120706 18:07:16 1860 cryptossl_X509::XrdCryptosslX509_file:
certificate successfully loaded
120706 18:07:16 1860 cryptossl_X509::IsCA: certificate has 4 extensions
Enter PEM pass phrase:
120706 18:07:18 1860 cryptossl_X509::XrdCryptosslX509_file: RSA key completed
120706 18:07:18 1860 cryptossl_X509::Export: BIO data: 969 bytes at 0x0x1144d00
120706 18:07:18 1860 cryptossl_X509::Export: result of serialization: 969 bytes
120706 18:07:18 1860 secgsi_GetCA: Querying cache for tag:
1f83beb0.0:1 (timestamp:1341583638, refresh fq:86400)
120706 18:07:18 1860 sut_Cache::Get: locating entry for ID: 1f83beb0.0:1
120706 18:07:18 1860 sut_Cache::Rehash: hash table is up-to-date
120706 18:07:18 1860 secgsi_GetCA: trying to load CA certificate from
/etc/grid-security/certificates/1f83beb0.0
120706 18:07:18 1860 cryptossl_X509::IsCA: certificate has 4 extensions
120706 18:07:18 1860 cryptossl_X509ParseFile: certificate for
'/C=RU/ST=Moscow/O=JINR/OU=LIT/CN=TestCA'added to the chain - ord: 1
120706 18:07:18 1860 cryptossl_X509ParseFile: no RSA private key found
in file /etc/grid-security/certificates/1f83beb0.0
120706 18:07:18 1860 secgsi_GetSrvCertEnt: failed to initialized CRL
for issuing CA '1f83beb0.0'
120706 18:07:18 1860 secgsi_Init: problems loading srv cert
120706 18:07:18 1860 sut_Cache::Rehash: Hash table updated (found 0
active entries)
120706 18:07:18 1860 secgsi_ErrF: Secgsi: ErrError: no valid server
certificate found
120706 18:07:18 1860 secgsi_Init: Secgsi: ErrError: no valid server
certificate found
120706 18:07:18 1860 sec_Config: Secgsi: ErrError: no valid server
certificate found
=====> sec.protocol gsi -d:3 -crl:0 -ca:1
Config 1 authentication directives processed in /etc/xrootd/xrootd-clustered.cfg
------ Authentication system initialization failed.
120706 18:07:18 1860 XrootdConfig: Unable to create security service
object via /usr/lib64/libXrdSec.so
120706 18:07:18 1860 XrootdConfig: Unable to load security system.
------ xrootd protocol initialization failed.
120706 18:07:18 1860 XrdProtocol: Protocol xrootd could not be loaded
------ xrootd [log in to unmask]:-1 initialization failed.


2012/7/4 Gerardo Ganis <[log in to unmask]>:
>
>    Hi,
>
>    Thanks for reporting these issues.
>    I am fixing the error reports and the obvious bug for ca:0, self-signed
> CA.
>
>    However, even without these fixes, I was not able to reproduce your
> start-up failure with a self-signed CA.
>    You should get some additional verbosity by adding '-d:3' in the
> 'sec.protocol' directive. Does that give any
>    hint? Can you post the full log you get in such a case?
>
>    G. Ganis
>
> On 6/28/12 2:35 PM, Иван Кадочников wrote:
>
> Hi all,
>
> I'm trying to use sec.protocol gsi with the server certificate signed by a
> self-signed CA for testing purposes, however I'm having trouble getting the
> server to start.
> 3.1 hung on some operation with XrdSutCache while starting; updating to
> 3.2.2 fixed the issue.
>
> Now the server fails to start with the error "failed to initialized CRL for
> issuing CA" in XrdSecProtocolgsi::GetCA. Setting "crl:0" did not help. I did
> create an empty crl to see if it resolved it, but it seems the problem lies
> elsewhere.
>
> I looked into the source and found the following.
> In XrdSecProtocolgsi::GetCA neither "CRL is expired" nor "CRL is missing"
> messages are displayed in my case, but the return value is obviously 2
> (because the CRL error is displayed). So the variable ok = 0. That probably
> means verified = 0.
> This brings me to the first problem: shouldn't the message when CA
> verification fails be different from when CRL fails to initialize?
>
> Looking into XrdSecProtocolgsi::VerifyCA, I found another problem: if CA is
> self-signed and CACheck = 0, CA is not checked, but the variable "verified"
> is never set either and remains 0. Which means when option ca:0 is used,
> self-signed CA is rejected outright. Is it the intended behavior?
>
> I set ca:1, but nothing changed in the server output. Third problem: the
> certificate chain verification functions don't seem to produce any debugging
> output so I don't know what the actual problem with my CA certificate is.
>
> I think I'll try using a certificate from a "real" CA instead. But I wanted
> to report these possible problems so that they can be resolved in the future
> versions.
>
> Thanks.
>
> Ivan Kadochnikov
>
> --
> +--------------------------------------------------------------------------+
>   Gerardo GANIS    CERN, PH Dept, SFT group, CH 1211 Geneve 23
>                    room: 32-RC-017, tel: +41 22 7676439
>                    email: [log in to unmask], fax: +41 22 7669133
> +--------------------------------------------------------------------------+

########################################################################
Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1