I am working on adding support for GSI authentication in a pure-Go client (https://github.com/go-hep/hep/issues/250).

According to [gsi-msg-specs, p.3](https://github.com/go-hep/hep/files/2089932/gsi-msg-specs.pdf): `the context establishment phase is nothing more than normal SSLv3 handshake messages being exchanged`.
I was using [RFC6101, p. 25](https://tools.ietf.org/html/rfc6101#page-25) as a specification of SSLv3 handshake messages.
I have got a TCP dump of the xrootd authentication process ([gist](https://gist.github.com/EgorMatirov/8df311ad7adfba7556176d4adfbc8434)):
- the first message is a client `auth` request,
- the second message is a server `auth_more` response,
- the third message is an `auth` request again, followed by an `ok` response (not included in the dump, since it contains only the `ok` status).

However, the problem is that the payload of the `auth` request doesn't look like an SSLv3 `ClientHello` to me.

Also, the server response, which should be a `ServerHello` followed by a `ServerCertificate`, should contain an ASN.1-encoded cert (you can see an example and decoding [here](http://www.lapo.it/asn1js/)).
But what is present looks more like the plain content of the server's `crt` file. The content between `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` matches the certificate body.

Could someone please explain an implementation of GSI authentication in XRootD in a bit more detail?
Am I missing something?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/issues/757
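
The check described in the message above can be automated when inspecting a capture. This is an added example, not code from the original post, go-hep or XRootD: it tests a payload against the RFC 6101 record and handshake headers and otherwise looks for PEM or DER. The name `classifyPayload` and the sample byte strings are constructed for illustration, and nothing here assumes how XRootD frames GSI messages.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/pem"
	"fmt"
)

// classifyPayload reports whether p looks like an SSLv3 handshake record (RFC 6101), PEM, or DER.
func classifyPayload(p []byte) string {
	// SSLv3 record header: type(1)=22 handshake, version(2)=3.0, length(2).
	if len(p) >= 9 && p[0] == 22 && p[1] == 3 && p[2] == 0 {
		recLen := int(binary.BigEndian.Uint16(p[3:5]))
		// Handshake header inside the record: msg_type(1), length(3).
		hsLen := int(p[6])<<16 | int(p[7])<<8 | int(p[8])
		if recLen <= len(p)-5 && hsLen+4 <= recLen {
			names := map[byte]string{1: "client_hello", 2: "server_hello", 11: "certificate"}
			if n, ok := names[p[5]]; ok {
				return "sslv3-handshake:" + n
			}
			return "sslv3-handshake:other"
		}
	}
	// PEM may follow protocol-specific framing, so search for the marker.
	if i := bytes.Index(p, []byte("-----BEGIN ")); i >= 0 {
		if blk, _ := pem.Decode(p[i:]); blk != nil {
			return "pem:" + blk.Type
		}
	}
	// A DER certificate starts with an ASN.1 SEQUENCE tag (0x30).
	if len(p) > 2 && p[0] == 0x30 {
		return "der-sequence"
	}
	return "unknown"
}

// Constructed sample inputs (not taken from the gist linked in the post).
var (
	sampleHello = []byte{22, 3, 0, 0, 6, 1, 0, 0, 2, 3, 0} // record + client_hello header + 2 body bytes
	sampleDER   = []byte{0x30, 0x03, 0x02, 0x01, 0x01}
	samplePEM   = append([]byte("hdr\x00"), pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: sampleDER})...)
)

func main() {
	for _, s := range [][]byte{sampleHello, samplePEM, sampleDER, []byte("xyz")} {
		fmt.Println(classifyPayload(s))
	}
}
```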
