Hi Brian, Gerri, Andy,

I went through the "Endpoint Identification" section of RFC 2818. Will the following work?

1. By default, require that a subjectAltName be presented in the server's host certificate. subjectAltName includes DNS aliases, IP addresses, and wildcards.
2. Print a warning and terminate if no match is found between the name/IP in the client URI and the hostname/subjectAltName.
3. Provide a switch for the client to overrule the matching checks.

I think 
1) is there
2) is almost there but only exists at debugging level 2 (in xrdcp). The warning is needed even without using the debugging option, and it is needed by all clients, not just xrdcp (so better in XrdCl).
3) We currently have a switch, XrdSecGSITRUSTDNS. It is an environment variable. We can reuse it for both 3) and suppressing the warning message in 2). This helps automated clients (like Xcache, XrootdFS, xrdcp in TPC). For xrdcp, we can also provide a command-line option to set this environment variable.

Comments?

regards,
--
Wei Yang  |  [log in to unmask]  |  650-926-3338(O)

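The three-step proposal above (require a subjectAltName, match the URI host against dNSName/iPAddress entries, terminate on mismatch unless an override switch is set) is shown below as an added worked example; it is not XRootD code and not part of the original message. The certificate is a constructed stand-in for the SAN and CN fields of a real host certificate, the URI parsing uses Python's urllib rather than XrdCl, and the `override` flag stands in for the proposed XrdSecGSITRUSTDNS switch (its exact value semantics are assumed, not taken from XRootD). Wildcards are handled the way current TLS stacks do it (one leftmost label only), which is stricter than the letter of RFC 2818.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class HostCert:
    """Constructed stand-in for the identity fields of an X.509 host certificate."""
    common_name: Optional[str]
    san_dns: List[str] = field(default_factory=list)   # dNSName entries
    san_ip: List[str] = field(default_factory=list)    # iPAddress entries (text form)


@dataclass
class Verdict:
    ok: bool
    action: str    # "proceed", "terminate" or "proceed-override"
    reason: str


def host_from_uri(uri: str) -> str:
    """Extract the host part of a root://host:port//path style URI (brackets stripped for IPv6)."""
    host = urlsplit(uri).hostname
    if host is None:
        raise ValueError(f"no host in URI {uri!r}")
    return host


def _parse_ip(host: str) -> Optional[ipaddress._BaseAddress]:
    """Return a normalised IP object if the URI host is an IP literal, else None."""
    try:
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None


def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive dNSName match; '*' may only be the whole leftmost label and covers one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def _match(uri_host: str, cert: HostCert) -> Tuple[bool, str]:
    """Step 1 and 2 of the proposal: SAN is mandatory, then match by type (IP literal vs DNS name)."""
    if not cert.san_dns and not cert.san_ip:
        # Default behaviour of the proposal: the CN is not consulted when no SAN is present.
        return False, f"no subjectAltName in host certificate (CN={cert.common_name!r} not consulted)"
    ip = _parse_ip(uri_host)
    if ip is not None:
        # RFC 2818: an IP literal in the URI must match an iPAddress entry exactly (compared as addresses,
        # so 2001:0db8::1 and 2001:db8::1 are the same).
        for entry in cert.san_ip:
            try:
                if ipaddress.ip_address(entry) == ip:
                    return True, f"iPAddress {entry} matches {ip}"
            except ValueError:
                continue   # malformed entry in the certificate; skip it
        return False, f"no iPAddress SAN matches {ip}"
    for entry in cert.san_dns:
        if _dns_match(entry, uri_host):
            return True, f"dNSName {entry} matches {uri_host}"
    return False, f"no dNSName SAN matches {uri_host}"


def verify_endpoint(uri_host: str, cert: HostCert, override: bool = False) -> Verdict:
    """Step 3 of the proposal: a mismatch terminates unless the override switch is set,
    in which case the client proceeds and the warning is suppressed (the reason is still recorded)."""
    matched, reason = _match(uri_host, cert)
    if matched:
        return Verdict(True, "proceed", reason)
    if override:
        return Verdict(True, "proceed-override", reason)
    return Verdict(False, "terminate", reason)


if __name__ == "__main__":
    # Constructed sample certificate: one exact name, one wildcard, an IPv4 and an IPv6 entry.
    cert = HostCert("xrootd.example.org",
                    san_dns=["xrootd.example.org", "*.cache.example.org"],
                    san_ip=["192.0.2.10", "2001:db8::1"])
    for uri in ("root://xrootd.example.org:1094//eos/file",
                "root://node1.cache.example.org:1094//f",
                "root://a.b.cache.example.org:1094//f",
                "root://[2001:0db8::1]:1094//f",
                "root://192.0.2.11:1094//f"):
        v = verify_endpoint(host_from_uri(uri), cert)
        print(f"{uri:45} -> {v.action:17} {v.reason}")
    legacy = HostCert("legacy.example.org")   # CN only, no SAN
    print(verify_endpoint("legacy.example.org", legacy))
    print(verify_endpoint("legacy.example.org", legacy, override=True))
```

The split into `_match` (what was checked) and `verify_endpoint` (what to do about it) is deliberate: the override switch changes the action, not the check, so an automated client running with the switch set still gets the mismatch reason in its log.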
-----Original Message-----
From: <[log in to unmask]> on behalf of Brian P Bockelman <[log in to unmask]>
Reply-To: xrootd/xrootd <[log in to unmask]>
Date: Thursday, October 18, 2018 at 3:24 PM
To: xrootd/xrootd <[log in to unmask]>
Cc: xrootd-dev <[log in to unmask]>, Comment <[log in to unmask]>
Subject: Re: [xrootd/xrootd] xrdcopy ignores subject alternative names from the x509 host certificate  (#841)

    There's not really any HEP context here. RFC 2818 defines the matching logic for HTTP over TLS.
    Globus basically copied that approach verbatim for GridFTP. Here's a security bulletin they put together:
    https://docs.globus.org/security-bulletins/2015-12-strict-mode/

########################################################################
Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1