Hello,

we have recently changed the layout of our dCache storage element, which also affected the xrootd capabilities. As you may know, dCache has so-called "doors" that implement the support for different transfer protocols, including xrootd. That xrootd door may use a gsi plugin to enforce grid security standards for xroot transfers. With our changes, however, we ran into a new issue which we had avoided before by coincidence: the xrootd transfers fail with an "auth error", because the (primary) host name of the dCache xrootd door does not match the (primary) subject name in the host's certificate.

Auth protocol handler for gsi refuses to give us more credentials Secgsi: ErrParseBuffer: server certificate CN 'f01-081-126.gridka.de' does not match the expected format(s): '[/]dcachesrm-kit.gridka.de[/]' (default); exceptions are controlled by the env XrdSecGSISRVNAMES: kXGS_cert
--- snippet from xfer.log

In my opinion, this is a bug in the xrdcopy tool, since the name we used in the transfer URL is listed among the subject alternative names inside the host certificate.

$ openssl x509 -in /etc/grid-security/dcache/hostcert.pem -noout -text | grep -A 1 "Subject Alternative"
            X509v3 Subject Alternative Name:
                DNS:f01-080-118.gridka.de, DNS:dcachedcap-kit.gridka.de, DNS:dcachegridftp-kit.gridka.de, DNS:dcachesrm-kit.gridka.de, DNS:dcachewebdav-kit.gridka.de, DNS:dcachexrootd-kit.gridka.de, DNS:f01-080-118-v4.gridka.de, DNS:f01-080-118-v6.gridka.de

The error may be overruled by exporting XrdSecGSISRVNAMES="f01-080-118.gridka.de". Though that is not what we can demand from all our customers around the world ("Please ignore the security issues and simply trust our servers." 😉 ).

At first I blamed the plugin in dCache for this, but one of the developers from dCache.org told me that they do not interfere with that. That is, they provide the host certificate as is to the client, and it should extract the information that it is interested in - maybe you can find evidence for that in the attached log file of the transfer.

Lastly I want to mention that we're currently working with version 4.8.4 of xrdcopy, and removing the gsi plugin from the dCache door will make the error go away, too (which means that xroot transfers can happen without it).

I was unable to find similar complaints among the issues here on GitHub or the mail archive at xrootd.org. In case you need more information, I'd gladly provide it to you.

Best regards,
Xavier Mol.
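The distinction the report turns on is the order in which a client checks the names in a server certificate: RFC 6125 says that when a certificate carries dNSName subjectAltName entries, those are authoritative and the subject CN is not consulted at all; the CN is only a fallback for certificates with no dNSName SAN. The following is an added example, not code from xrootd, dCache or the reporter. It operates on a certificate in the dictionary layout Python's `ssl.getpeercert()` returns, uses a constructed sample modelled on the SAN list shown above (the node's primary name in the CN, the service aliases only in the SAN), and places a legacy CN-only comparison next to a SAN-aware check so the failure mode in the xfer.log snippet is reproducible offline. It also handles the single left-most wildcard label, which goes beyond the specific case in the report.

```python
"""Server-name verification against X.509 subjectAltName entries.

Added example (not xrootd's or dCache's code). Works on certificates in
the dict layout ssl.getpeercert() returns and contrasts a CN-only check
with the SAN-first check that RFC 6125 prescribes.
"""

# Constructed sample modelled on the SAN list from the report: the CN is
# the node's primary host name, the service aliases live only in the SAN.
SAMPLE_CERT = {
    "subject": ((("commonName", "f01-080-118.gridka.de"),),),
    "subjectAltName": (
        ("DNS", "f01-080-118.gridka.de"),
        ("DNS", "dcachedcap-kit.gridka.de"),
        ("DNS", "dcachegridftp-kit.gridka.de"),
        ("DNS", "dcachesrm-kit.gridka.de"),
        ("DNS", "dcachewebdav-kit.gridka.de"),
        ("DNS", "dcachexrootd-kit.gridka.de"),
        ("DNS", "f01-080-118-v4.gridka.de"),
        ("DNS", "f01-080-118-v6.gridka.de"),
    ),
}


def _common_names(cert):
    """All commonName values in the subject, in certificate order."""
    return [value for rdn in cert.get("subject", ())
            for (key, value) in rdn if key == "commonName"]


def _dns_pattern_matches(pattern, hostname):
    """Case-insensitive comparison of one dNSName (or CN) against a host name.

    A '*' is accepted only as the entire left-most label and only matches
    exactly one label, so '*.example.org' covers 'a.example.org' but not
    'a.b.example.org' or 'example.org'. Trailing dots are ignored.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    first_label, _, rest = pattern.partition(".")
    if first_label != "*" or not rest or "*" in rest:
        return False
    host_first, _, host_rest = hostname.partition(".")
    return bool(host_first) and host_rest == rest


def cn_only_matches(hostname, cert):
    """Legacy behaviour: compare the requested name against the subject CN
    only. Any alias that exists solely in the SAN extension is rejected,
    which is the symptom described in the report."""
    return any(_dns_pattern_matches(cn, hostname) for cn in _common_names(cert))


def san_aware_matches(hostname, cert):
    """RFC 6125 order: if the certificate carries any dNSName SAN, the SAN
    list is authoritative and the CN is ignored; the CN is consulted only
    for certificates that have no dNSName at all."""
    dns_names = [value for (key, value) in cert.get("subjectAltName", ())
                 if key == "DNS"]
    if dns_names:
        return any(_dns_pattern_matches(name, hostname) for name in dns_names)
    return cn_only_matches(hostname, cert)


if __name__ == "__main__":
    requested = "dcachesrm-kit.gridka.de"  # the alias used in the transfer URL
    print("CN-only  :", cn_only_matches(requested, SAMPLE_CERT))    # False
    print("SAN-aware:", san_aware_matches(requested, SAMPLE_CERT))  # True
```

Against the sample, `cn_only_matches` rejects every alias while `san_aware_matches` accepts them, with no need to widen trust via an override such as `XrdSecGSISRVNAMES`. Because the SAN list is treated as authoritative whenever it is present, a certificate whose CN names a different host than its SANs does not become more permissive than a SAN-only certificate.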



[GitHub issue xrootd/xrootd #841, "xrdcopy ignores subject alternative names from the x509 host certificate", opened by Xavier Mol (@XMol): https://github.com/xrootd/xrootd/issues/841]


To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1