Hi,

In my xrootd data server v4.11.3, I have inconsistent handling of X.509 authentication.

The inconsistency is that the first three xrdcp attempts are handled successfully (see [1]), while the following attempts fail authentication (see [2]).

In addition, once there has been no request for a while, three attempts are again able to pass successfully. The service was not restarted.
This was reproduced multiple times with xrootd v4.11.3.

[1] This is the log in a successful authentication case:

200514 16:00:52 15437 secgsi_Authenticate: VOMS: Entity.endorsements: /escape/Role=NULL/Capability=NULL,/escape/fair/Role=NULL/Capability=NULL
INFO in AuthzKey: Returning '/C=DE/O=GermanGrid/OU=GSI/CN=Paul-Niklas Kramp::escape:/escape,/escape/fair,::' of length 78 as key.
200514 16:00:52 15437 pkramp.15543:40@dclxwp2dlds1 XrootdResponse: 0000 sending OK

[2] And this if it fails:

200514 16:01:00 15413 secgsi_Authenticate: VOMS: Entity.endorsements: /escape/Role=NULL/Capability=NULL,/escape/fair/Role=NULL/Capability=NULL
Failed to validate credentials.
Globus error: globus_credential: Error verifying credential: Failed to verify credential
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: Invalid CRL: Couldn't verify that the available CRL is valid
OpenSSL Error: pem_lib.c:707: in library: PEM routines, function PEM_read_bio: no start line Expecting: ANY PRIVATE KEY

Globus chain verification failure.
ERROR in AuthzKey: Key verification failed.
200514 16:01:00 15413 secgsi_Authenticate: ERROR: unable to get the key associated to this user

The relevant part of the config (tested with crl:0 and crl:1):

xrootd.seclib /usr/lib64/libXrdSec-4.so
sec.protocol /usr/lib64 gsi \
   -certdir:/etc/grid-security/certificates/ \
   -cert:/etc/grid-security/xrd//cert_31408_dclxwp2dlds1.gsi.de.pem \
   -key:/etc/grid-security/xrd//privKey_31408_dclxwp2dlds1.gsi.de.pem \
   -crl:1 \
   -authzfun:libXrdLcmaps.so \
   -authzfunparms:lcmapscfg=/etc/lcmaps.db,loglevel=5,policy=authorize_only  \
   -gmapopt:10 \
   -gmapto:0

acc.authdb /etc/xrootd/auth_file
ofs.authorize

I wonder why I get a CRL-related error with either config option, 0 or 1.
Any ideas why it is behaving inconsistently?

Cheers,
Paul
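The two log excerpts above show the same VOMS endorsements producing opposite outcomes, and the failure excerpt buries the one specific Globus line (the "Invalid CRL" callback error) between generic "Could not verify credential" lines and an unrelated-looking OpenSSL PEM message. The script below is an added example (not part of the report above and not xrootd project code) that turns a secgsi log into one record per authentication attempt, picks out the most specific callback error as the failure reason, keeps any OpenSSL error-queue lines aside so the reader can judge them separately, and tallies outcomes by the numeric id in the log prefix (assumed here to be xrootd's worker thread id). The sample input is the report's own excerpt, embedded inline as constructed test data.

```python
"""Triage xrootd secgsi authentication outcomes from a log excerpt.

Added example, not xrootd code. Assumes the xrootd log prefix layout
"yymmdd hh:mm:ss <tid> <component>: <message>" and that unprefixed lines
(AuthzKey, Globus, OpenSSL) belong to the most recent attempt.
"""
import re
from collections import Counter, defaultdict

PREFIX = re.compile(r"^(\d{6}) (\d\d:\d\d:\d\d) (\d+) (.*)$")
ATTEMPT_START = "secgsi_Authenticate: VOMS: Entity.endorsements:"
GENERIC = "Could not verify credential"  # the non-specific callback line

# Constructed sample: the two excerpts from the report, verbatim.
SAMPLE_LOG = """\
200514 16:00:52 15437 secgsi_Authenticate: VOMS: Entity.endorsements: /escape/Role=NULL/Capability=NULL,/escape/fair/Role=NULL/Capability=NULL
INFO in AuthzKey: Returning '/C=DE/O=GermanGrid/OU=GSI/CN=Paul-Niklas Kramp::escape:/escape,/escape/fair,::' of length 78 as key.
200514 16:00:52 15437 pkramp.15543:40@dclxwp2dlds1 XrootdResponse: 0000 sending OK
200514 16:01:00 15413 secgsi_Authenticate: VOMS: Entity.endorsements: /escape/Role=NULL/Capability=NULL,/escape/fair/Role=NULL/Capability=NULL
Failed to validate credentials.
Globus error: globus_credential: Error verifying credential: Failed to verify credential
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: Invalid CRL: Couldn't verify that the available CRL is valid
OpenSSL Error: pem_lib.c:707: in library: PEM routines, function PEM_read_bio: no start line Expecting: ANY PRIVATE KEY

Globus chain verification failure.
ERROR in AuthzKey: Key verification failed.
200514 16:01:00 15413 secgsi_Authenticate: ERROR: unable to get the key associated to this user
"""


def _classify(attempt, text):
    """Update one attempt record from a single (prefix-stripped) log line."""
    if text.startswith("INFO in AuthzKey: Returning"):
        attempt["outcome"] = "success"
    elif text.startswith("ERROR in AuthzKey") or "ERROR: unable to get the key" in text:
        attempt["outcome"] = "failure"
    elif text.startswith("globus_gsi_callback_module:"):
        detail = text.split(":", 1)[1].strip()
        # A specific callback error (e.g. "Invalid CRL: ...") overrides the
        # generic one; the generic line is kept only if nothing better appears.
        if detail != GENERIC or attempt["reason"] is None:
            attempt["reason"] = detail
    elif text.startswith("OpenSSL Error:"):
        attempt["openssl_errors"].append(text)


def parse_attempts(log_text):
    """Return one dict per authentication attempt found in the log text."""
    attempts, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PREFIX.match(line)
        if m:
            date, time, tid, rest = m.groups()
            if rest.startswith(ATTEMPT_START):
                current = {
                    "time": f"{date} {time}",
                    "tid": tid,
                    "endorsements": rest.split("Entity.endorsements:", 1)[1].strip(),
                    "outcome": None,
                    "reason": None,
                    "openssl_errors": [],
                }
                attempts.append(current)
                continue
            # Prefixed lines from another thread are not part of this attempt.
            if current is None or tid != current["tid"]:
                continue
            text = rest
        else:
            if current is None:
                continue
            text = line
        _classify(current, text)
    return attempts


def summarize(attempts):
    """Count outcomes per thread id and tally the failure reasons seen."""
    by_tid, reasons = defaultdict(Counter), Counter()
    for a in attempts:
        by_tid[a["tid"]][a["outcome"] or "unknown"] += 1
        if a["outcome"] == "failure":
            reasons[a["reason"] or "unspecified"] += 1
    return {"by_tid": {t: dict(c) for t, c in by_tid.items()},
            "failure_reasons": dict(reasons)}


if __name__ == "__main__":
    parsed = parse_attempts(SAMPLE_LOG)
    for a in parsed:
        print(a["time"], a["tid"], a["outcome"], a["reason"])
    print(summarize(parsed))
```

Run against a longer stretch of the same log, the per-thread counts show directly whether the "three successes, then failures" pattern follows particular worker threads, and the failure-reason tally separates CRL problems from other chain-verification errors before anyone starts changing `-crl:` settings.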

Issue on GitHub: https://github.com/xrootd/xrootd/issues/1197