Yujun,

There may be security issues with this, but you might be able to get around this by setting

```
export XrdSecGSITRUSTDNS=1
```

I know that the xroot team discourages this, but you might see if it works.

This would have to be done on the client side. If there is no way of changing the client environment, then ignore this suggestion.

Cheers, Al

________________________________________________
Albert L. Rossi
Senior Software Developer
Scientific Computing Division, Scientific Data Services, Distributed Data Development
WH 566
Fermi National Accelerator Laboratory
Batavia, IL 60510
(630) 840-3023


From: [log in to unmask] <[log in to unmask]> on behalf of Bockjoo Kim <[log in to unmask]>
Sent: Monday, February 20, 2023 11:28 AM
To: Yujun Wu <[log in to unmask]>; Yujun Wu <[log in to unmask]>; xrootd-l <[log in to unmask]>
Cc: David A Mason <[log in to unmask]>; Chih-Hao Huang <[log in to unmask]>
Subject: Re: Help with hostname not in SAN extension TLS error
 

You might have to set up a separate host for the top level site redirector within one of the site redirectors or using a separate machine.

Again, I hope you don't have to do this.

Bockjoo

On 2/20/23 12:20, Yujun Wu wrote:
Hi Bockjoo,

Thanks a lot for your info. Really hope this is NOT true, otherwise we need to tell local users to use individual host names.


Regards,
Yujun

From: [log in to unmask] <[log in to unmask]> on behalf of Bockjoo Kim <[log in to unmask]>
Sent: Monday, February 20, 2023 11:14 AM
To: Yujun Wu <[log in to unmask]>; xrootd-l <[log in to unmask]>
Cc: David A Mason <[log in to unmask]>; Chih-Hao Huang <[log in to unmask]>
Subject: Re: Help with hostname not in SAN extension TLS error
 

Hi Yujun,

My understanding is that the Subject Alternative Name (SAN) does not work with xrootd.

SAN worked with the gridftp, though.

I think xrootd knows only one hostname (either through $(/bin/hostname -f) or through /etc/sysconfig/xrootd).

Only one hostname is valid in xrootd, I think.

I hope this is not true.

Bockjoo

On 2/20/23 12:01, Yujun Wu wrote:
Good morning XRootD experts, 

We have 3 site XRootD redirectors at FNAL and an alias for them:

```
$ host cmsxrootd-site.fnal.gov
cmsxrootd-site.fnal.gov has address 131.225.205.75
cmsxrootd-site.fnal.gov has address 131.225.188.52
cmsxrootd-site.fnal.gov has address 131.225.205.239

[enstore@fndca2b ~]$ host 131.225.205.75
75.205.225.131.in-addr.arpa domain name pointer cmsxrootd-site1.fnal.gov.
[enstore@fndca2b ~]$ host 131.225.205.239
239.205.225.131.in-addr.arpa domain name pointer cmsxrootd-site2.fnal.gov.
[enstore@fndca2b ~]$ host 131.225.188.52
52.188.225.131.in-addr.arpa domain name pointer cmsxrootd-site3.fnal.gov.
```


```
[root@cmsxrootd-site1 xrootd]# openssl x509 -text -noout -in /etc/grid-security/hostcert.pem
.......
            X509v3 Subject Alternative Name:
                DNS:cmsxrootd-site1.fnal.gov, DNS:cmsxrootd-site.fnal.gov
....

[root@cmsxrootd-site2 ~]# openssl x509 -text -noout -in /etc/grid-security/hostcert.pem
......
            X509v3 Subject Alternative Name:
                DNS:cmsxrootd-site2.fnal.gov, DNS:cmsxrootd-site.fnal.gov

[root@cmsxrootd-site3 ~]# openssl x509 -text -noout -in /etc/grid-security/hostcert.pem
.......
            X509v3 Subject Alternative Name:
                DNS:cmsxrootd-site3.fnal.gov, DNS:cmsxrootd-site.fnal.gov
....
```

------------------------------
However, our tests using the alias always fail with "hostname not in SAN extension" like these:

```
[enstore@fndca2b ~]$ xrdfs cmsxrootd-site.fnal.gov locate /store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root
[FATAL] TLS error: Unable to validate cmsxrootd-site.fnal.gov; hostname not in SAN extension.
[enstore@fndca2b ~]$ xrdfs cmsxrootd-site1.fnal.gov locate /store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root
[2620:6a:0:8420::f8]:1093 Server Read
[enstore@fndca2b ~]$ xrdfs cmsxrootd-site2.fnal.gov locate /store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root
[2620:6a:0:8420::f9]:1093 Server Read
[enstore@fndca2b ~]$ xrdfs cmsxrootd-site3.fnal.gov locate /store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root
[2620:6a:0:8421::243]:1093 Server Read
```


-----

```
[enstore@fndca2b ~]$ xrdcp -d 1 -f root://cmsxrootd-site.fnal.gov:1094///store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root /dev/null
[2023-02-20 10:57:43.404883 -0600][Error  ][TlsMsg            ] Failed to do TLS connect: Unable to validate cmsxrootd-site.fnal.gov; hostname not in SAN extension.
[2023-02-20 10:57:43.404999 -0600][Error  ][AsyncSock         ] [cmsxrootd-site.fnal.gov:1094.0] Socket error while handshaking: [FATAL] TLS error
[2023-02-20 10:57:43.405216 -0600][Error  ][PostMaster        ] [cmsxrootd-site.fnal.gov:1094] elapsed = 0, pConnectionWindow = 120 seconds.
[2023-02-20 10:57:43.413492 -0600][Error  ][TlsMsg            ] Failed to do TLS connect: Unable to validate cmsxrootd-site.fnal.gov; hostname not in SAN extension.
[2023-02-20 10:57:43.413567 -0600][Error  ][AsyncSock         ] [cmsxrootd-site.fnal.gov:1094.0] Socket error while handshaking: [FATAL] TLS error
[2023-02-20 10:57:43.413729 -0600][Error  ][PostMaster        ] [cmsxrootd-site.fnal.gov:1094] elapsed = 0, pConnectionWindow = 120 seconds.
[2023-02-20 10:57:43.419627 -0600][Error  ][TlsMsg            ] Failed to do TLS connect: Unable to validate cmsxrootd-site.fnal.gov; hostname not in SAN extension.
[2023-02-20 10:57:43.419691 -0600][Error  ][AsyncSock         ] [cmsxrootd-site.fnal.gov:1094.0] Socket error while handshaking: [FATAL] TLS error
[2023-02-20 10:57:43.419852 -0600][Error  ][PostMaster        ] [cmsxrootd-site.fnal.gov:1094] elapsed = 0, pConnectionWindow = 120 seconds.
[2023-02-20 10:57:43.419933 -0600][Error  ][PostMaster        ] [cmsxrootd-site.fnal.gov:1094] Unable to recover: [FATAL] TLS error.
[2023-02-20 10:57:43.420009 -0600][Error  ][XRootD            ] [cmsxrootd-site.fnal.gov:1094] Impossible to send message kXR_open (file: //store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root, mode: 00, flags: kXR_open_read kXR_async kXR_retstat ). Trying to recover.
[0B/0B][100%][==================================================][0B/s]
Run: [FATAL] TLS error: Unable to validate cmsxrootd-site.fnal.gov; hostname not in SAN extension. (source)

[enstore@fndca2b ~]$ xrdcp -d 1 -f root://cmsxrootd-site1.fnal.gov:1094///store/test/xrootd/T1_US_FNAL/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root /dev/null
[2023-02-20 10:58:02.693319 -0600][Info   ][AsyncSock         ] [cmsxrootd-site1.fnal.gov:1094.0] TLS hand-shake done.
[229.3MB/229.3MB][100%][==================================================][57.33MB/s]
```

The same for cmsxrootd-site2 and cmsxrootd-site3. 


Could you please advise if we need to add some options in the xrootd.cfg file?


Thanks in advance for any help on this.



Regards,

Yujun
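Editor's added example, not code from XRootD or from anyone in this thread: the check a TLS client performs when it reports "hostname not in SAN extension" is a comparison of the requested name against the dNSName entries of the server certificate's SAN. The script below parses the SAN line out of `openssl x509 -text -noout` output (a constructed sample modelled on the site1 certificate in the post, with an extra IP entry added to show the dNSName filter) and applies the usual RFC 6125 rules, going a little beyond the post by also handling wildcard names and absolute names with a trailing dot. The names `parse_san_dns`, `dns_name_matches`, `hostname_in_san`, `check_cert_text` and `SAMPLE_X509_TEXT` are this example's own.

```python
"""Hostname-vs-SAN check, as a TLS client applies it.

Added example for this thread, not code from XRootD or from any poster.
Parses the SAN from `openssl x509 -text -noout` output and applies the
common RFC 6125 matching rules: case-insensitive comparison, a trailing
dot ignored, and a wildcard accepted only as the whole left-most label of
a name with at least two further labels, never matching across a dot.
"""

# Constructed sample, not the real certificate's output; the IP Address
# entry is added only to show that non-DNS entries are ignored.
SAMPLE_X509_TEXT = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:cmsxrootd-site1.fnal.gov, DNS:cmsxrootd-site.fnal.gov, IP Address:131.225.205.75
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
"""


def parse_san_dns(x509_text):
    """Return the dNSName values under the SAN extension, lower-cased.

    Entries follow the 'X509v3 Subject Alternative Name:' header until the
    next 'X509v3 ...' extension header; IP Address, email and URI entries
    are skipped because they take no part in DNS hostname matching.
    """
    lines = x509_text.splitlines()
    for i, line in enumerate(lines):
        if not line.strip().startswith("X509v3 Subject Alternative Name"):
            continue
        entries = []
        for nxt in lines[i + 1:]:
            if nxt.strip().startswith("X509v3"):
                break
            entries.extend(e.strip() for e in nxt.split(",") if e.strip())
        return [e[len("DNS:"):].lower() for e in entries if e.startswith("DNS:")]
    return []


def _normalize(name):
    # DNS names compare case-insensitively; a trailing dot (absolute name) is ignored.
    return name.lower().rstrip(".")


def dns_name_matches(pattern, hostname):
    """True if one SAN dNSName pattern covers hostname (RFC 6125 rules)."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Conservative wildcard policy, as most clients apply it: '*' must be the
    # entire left-most label, no other label may contain '*', and at least two
    # more labels must follow so '*.gov' cannot match every name under .gov.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # A wildcard covers exactly one non-empty label, so label counts must agree.
    return (len(h_labels) == len(p_labels) and h_labels[0] != ""
            and h_labels[1:] == p_labels[1:])


def hostname_in_san(hostname, san_dns_names):
    """True if any dNSName in the SAN covers hostname."""
    return any(dns_name_matches(p, hostname) for p in san_dns_names)


def check_cert_text(hostname, x509_text):
    """Parse the SAN from openssl text output and report (matched, names)."""
    names = parse_san_dns(x509_text)
    return hostname_in_san(hostname, names), names


if __name__ == "__main__":
    for host in ("cmsxrootd-site.fnal.gov", "cmsxrootd-site1.fnal.gov",
                 "cmsxrootd-site2.fnal.gov"):
        ok, names = check_cert_text(host, SAMPLE_X509_TEXT)
        print(f"{host}: {'covered by' if ok else 'NOT in'} SAN {names}")
```

Under these rules the alias is covered by the SAN exactly as printed in the post, so a failure like the one shown is not explained by the SAN contents of the certificate on disk; the useful comparison is then against the certificate the client actually receives when it connects through the alias address, which `openssl s_client -connect <addr>:1094 -servername cmsxrootd-site.fnal.gov` will print.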





Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
