Because of security fixes made to it, we (dCache) have decided to move to a more recent version of the Java Bouncy Castle security library (1.67). We are not back-porting this update (for the moment), but have only applied it to our master branch.

With it, we have experienced the following issue.

When our TPC client attempts to communicate with an xrootd server source endpoint, we get this error:

Remote endpoint sent: P = 250300537505961931441816061639185717883, G = 5, L = 0,
15 Nov 2021 09:51:01 (dcatest04-5) [] Cryptographic issues encountered during cert step: unsafe p value so small specific l required
15 Nov 2021 09:51:01 (dcatest04-5) [] Unable to complete gsi authentication to fndcatemp1.fnal.gov:1095, channel ef39d639, stream 1, session 02000000A67500001900000002000000: org.dcache.xrootd.core.XrootdException: Could not complete cert step: an error occurred during cryptographic operations..

The Bouncy Castle code has become less tolerant as to the prime number (P) value used for the DH exchange.

Recognizing a potential backward compatibility issue, however, the developers also added the possibility to override this check. If we set the Java security property:

org.bouncycastle.dh.allow_unsafe_p_value=true

on the pools, then we no longer get the error and the transfer proceeds normally.

We can of course live with the override of the safety check for the moment, but this should be understood as a workaround and not a permanent fix. The better thing to do is to have xrootd emit a longer/safer P value on the GSI handshake. dCache, for instance, has used (for quite a while now) a 512-bit OpenSSL-generated 'safe' number. Here is the comparable log statement from our TPC client when a dCache door is the source:

Remote endpoint sent: P = 8810252053191919589359420599637641654529526533255167910139019997260323899182669360368264455955601543214780189083983437542290860708561316883421676261825939, G = 2, L = 0

Thanks, Al
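As an added illustration (this is not code from the issue, from dCache or from xrootd), the following Python script parses the two "Remote endpoint sent" log lines quoted above, reports the bit length of P, checks that G lies in range, and tests whether P is a safe prime (P and (P-1)/2 both prime) using Miller-Rabin. The 160-bit minimum applied when L = 0, and the 2048-bit recommendation, are assumed policy thresholds chosen for this example; the exact minimum that Bouncy Castle enforces should be read from its source rather than from here.

```python
import random
import re

# Constructed copies of the two log lines quoted in the message above;
# the P, G and L values are exactly the ones printed there.
XROOTD_LINE = "Remote endpoint sent: P = 250300537505961931441816061639185717883, G = 5, L = 0,"
DCACHE_LINE = "Remote endpoint sent: P = 8810252053191919589359420599637641654529526533255167910139019997260323899182669360368264455955601543214780189083983437542290860708561316883421676261825939, G = 2, L = 0"

# Assumed policy thresholds for this example (not library constants):
MIN_P_BITS_WHEN_L_UNSPECIFIED = 160  # smallest modulus accepted when no private-value length (L = 0) is given
RECOMMENDED_P_BITS = 2048            # what a new deployment should aim for

DH_LINE_RE = re.compile(r"P\s*=\s*(\d+)\s*,\s*G\s*=\s*(\d+)\s*,\s*L\s*=\s*(\d+)")


def parse_dh_params(line):
    """Return (p, g, l) from a 'Remote endpoint sent: P = ..., G = ..., L = ...' line."""
    m = DH_LINE_RE.search(line)
    if m is None:
        raise ValueError("line carries no DH parameters: %r" % line)
    return tuple(int(v) for v in m.groups())


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test; witnesses come from a fixed seed so results are reproducible."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    # write n - 1 as d * 2**r with d odd
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True


def is_safe_prime(p):
    """A safe prime p has both p and (p - 1) / 2 prime, so the subgroup order is large."""
    return p > 4 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def assess_dh_params(p, g, l, min_bits=MIN_P_BITS_WHEN_L_UNSPECIFIED):
    """Summarise the parameters and list the findings a defender would want to see."""
    bits = p.bit_length()
    size_ok = l != 0 or bits >= min_bits
    safe = is_safe_prime(p)
    findings = []
    if not size_ok:
        findings.append("p is %d bits with L = 0, below the assumed %d-bit minimum" % (bits, min_bits))
    if bits < RECOMMENDED_P_BITS:
        findings.append("p is %d bits; %d bits or more is the assumed recommendation" % (bits, RECOMMENDED_P_BITS))
    if not (1 < g < p - 1):
        findings.append("generator g = %d is out of range for p" % g)
    if not safe:
        findings.append("p is not a safe prime")
    return {"bits": bits, "g": g, "l": l, "size_ok": size_ok, "safe_prime": safe, "findings": findings}


if __name__ == "__main__":
    for label, line in (("xrootd source", XROOTD_LINE), ("dCache door source", DCACHE_LINE)):
        report = assess_dh_params(*parse_dh_params(line))
        print("%s: %d-bit p, g = %d, L = %d, safe prime: %s" % (label, report["bits"], report["g"], report["l"], report["safe_prime"]))
        for f in report["findings"]:
            print("  - " + f)
```

Run against the two quoted lines, the script shows the 128-bit P from the xrootd endpoint failing the size check while the 512-bit dCache P passes it; both still fall short of the 2048-bit recommendation, which is the point of treating the property override as a workaround rather than a fix.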

