@abh3 -

The offending part is that the session cache is not disabled; that is, XrdHttp is missing the following lines:

https://github.com/opensciencegrid/xrootd-lcmaps/blob/master/src/XrdHttpLcmaps.cc#L361-L365

If the session cache is used (its use is not typically triggered by davix but it is by gfal) to start a new SSL connection, then the client certificate chain is not associated to the session upon reuse. OpenSSL does not cache the certificate chain information for you in the cache (you'd have to keep in memory the certificate chain for every connection that had been made over SSL) - that's left as an exercise to the user.

Because the session cache is used and the cert chain is not available to OpenSSL, XrdHttp ends up with this debug message when it asks for the peer chain:

200412 22:56:48 24985 eyermuth.0:[log in to unmask]  SSL_get_peer_cert_chain :0

That is, the peer chain provided by OpenSSL is a nullptr and the client cannot be mapped by the security extractor module. Accordingly, the username is set to random user-controlled gobbledy-gook:

200412 22:56:48 24985 acc_Audit: http deny  Oliver Freyermuth@[::ffff:188.184.98.75] stat /cephfs/grid/dteam/of_1M_9

instead of the DN in Oliver's case:

200412 22:56:48 24968 acc_Audit: http grant  /C=DE/O=GermanGrid/OU=UniBonn/CN=Oliver Freyermuth@[::ffff:188.184.98.75] stat /cephfs/grid/dteam/of_1M_9

Brian

(@esindril - while you're also correct about CRLs, I'm not addressing it here because it really belongs to #750...)
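The symptom Brian describes in the two `acc_Audit` lines (a mapped DN on the working path, an unverified user-supplied name on the broken path) can be caught from the audit log itself. The following is an added detection example, not code from XRootD or from the comment above; it assumes only the audit-line layout visible on this page (`<date> <time> <pid> acc_Audit: <proto> <grant|deny>  <identity>@[<addr>] <op> <path>`) and flags any `http` entry whose identity is not an X.509 DN, i.e. a request where the security extractor did not map the client from a peer certificate chain. The sample lines are the two from this message plus one constructed entry.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Layout of the acc_Audit lines quoted on this page (assumed from those two lines):
#   <yymmdd> <hh:mm:ss> <pid> acc_Audit: <proto> <grant|deny>  <identity>@[<addr>] <op> <path>
# The identity may contain spaces (a DN such as "/CN=Oliver Freyermuth" or a bare name),
# so it is captured greedily up to the "@[" that introduces the client address.
AUDIT_RE = re.compile(
    r"^(?P<date>\d{6}) (?P<time>\d\d:\d\d:\d\d) (?P<pid>\d+) acc_Audit: "
    r"(?P<proto>\S+) (?P<verdict>grant|deny)\s+(?P<ident>.+)@\[(?P<addr>[^\]]+)\] "
    r"(?P<op>\S+) (?P<path>\S+)$"
)

# An identity derived from a verified certificate chain is an OpenSSL-style DN:
# one or more "/RDN=value" components.
DN_RE = re.compile(r"^(/[A-Za-z]+=[^/]+)+$")


@dataclass
class AuditRecord:
    pid: str
    proto: str
    verdict: str
    identity: str
    addr: str
    op: str
    path: str


def parse_audit_line(line: str) -> Optional[AuditRecord]:
    """Parse one acc_Audit line; return None for lines that do not match the layout."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    return AuditRecord(
        pid=m["pid"], proto=m["proto"], verdict=m["verdict"],
        identity=m["ident"], addr=m["addr"], op=m["op"], path=m["path"],
    )


def is_dn(identity: str) -> bool:
    """True when the identity looks like a DN produced from the peer certificate chain."""
    return DN_RE.match(identity) is not None


def find_unmapped_http_identities(lines: List[str]) -> List[AuditRecord]:
    """Return http audit records whose identity was not mapped from a certificate DN.

    These are the requests where the extractor had no peer chain to work with and the
    name in the log is whatever the client presented, regardless of grant/deny verdict.
    """
    hits = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None or rec.proto != "http":
            continue
        if not is_dn(rec.identity):
            hits.append(rec)
    return hits


# Sample input: the two lines quoted in the comment above, plus one constructed line
# (pid 30001, a different DN) to show that a normal mapped request is not flagged.
SAMPLE_LINES = [
    "200412 22:56:48 24985 acc_Audit: http deny  Oliver Freyermuth@[::ffff:188.184.98.75] stat /cephfs/grid/dteam/of_1M_9",
    "200412 22:56:48 24968 acc_Audit: http grant  /C=DE/O=GermanGrid/OU=UniBonn/CN=Oliver Freyermuth@[::ffff:188.184.98.75] stat /cephfs/grid/dteam/of_1M_9",
    "200412 22:57:01 30001 acc_Audit: http grant  /DC=org/DC=example/CN=constructed user@[::ffff:192.0.2.10] stat /cephfs/grid/dteam/example",
]

if __name__ == "__main__":
    for rec in find_unmapped_http_identities(SAMPLE_LINES):
        print(f"pid {rec.pid}: http {rec.verdict} for non-DN identity {rec.identity!r} "
              f"from {rec.addr} on {rec.path}")
```

Run over the three sample lines this reports only pid 24985, the request whose identity is the bare `Oliver Freyermuth` string rather than a DN. The check is independent of the verdict on purpose: a `grant` for a non-DN identity would be the more alarming case, since it would mean authorization was decided on a name the client chose.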


View this issue on GitHub: https://github.com/xrootd/xrootd/issues/1177#issuecomment-613435662

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1