While enabling ztn in our eosatlas instance, we realized some clients that didn't have any certificate configuration in place were not able to connect to the instance at all. According to comments in the code [1] and the documentation, it was my understanding that if ztn fails for whatever reason the other non-TLS-required protocols would still be attempted; however, this is not the case.

As an example we use the following configuration on the server side:

sec.protocol  ztn
sec.protbind  * only ztn krb5 gsi sss unix

This gives the following error on the client side, from a machine where the /etc/grid-security/certificates/ directory is missing, or even if it exists and it is empty:

....
[2023-05-31 15:23:43.905613 +0200][Dump   ][Utility           ] Path:      
[2023-05-31 15:23:43.905651 +0200][Debug  ][PostMaster        ] Creating new channel to: roots://eosatlas-ns-ip700.cern.ch:2001/
[2023-05-31 15:23:43.905814 +0200][Debug  ][PostMaster        ] [eosatlas-ns-ip700.cern.ch:2001] Stream parameters: Network Stack: IPAuto, Connection Window: 120, ConnectionRetry: 5, Stream Error Window: 1800
[2023-05-31 15:23:43.905854 +0200][Debug  ][TaskMgr           ] Registering task: "TickGeneratorTask for: roots://eosatlas-ns-ip700.cern.ch:2001/" to be run at: [2023-05-31 15:23:58 +0200]
[2023-05-31 15:23:43.905873 +0200][Dump   ][PostMaster        ] [eosatlas-ns-ip700.cern.ch:2001] Sending message kXR_stat (path: /eos/, flags: none) (0x10714f0) through substream 0 expecting answer at 0
[2023-05-31 15:23:43.905943 +0200][Debug  ][PostMaster        ] [eosatlas-ns-ip700.cern.ch:2001] Found 1 address(es): [::ffff:128.142.52.31]:2001
[2023-05-31 15:23:43.906024 +0200][Debug  ][AsyncSock         ] [eosatlas-ns-ip700.cern.ch:2001.0] Attempting connection to [::ffff:128.142.52.31]:2001
[2023-05-31 15:23:43.906099 +0200][Debug  ][Poller            ] Adding socket 0x1076440 to the poller
[2023-05-31 15:23:43.906407 +0200][Debug  ][AsyncSock         ] [eosatlas-ns-ip700.cern.ch:2001.0] Async connection call returned
[2023-05-31 15:23:43.906479 +0200][Debug  ][XRootDTransport   ] [eosatlas-ns-ip700.cern.ch:2001.0] Sending out the initial hand shake + kXR_protocol
[2023-05-31 15:23:43.906525 +0200][Dump   ][AsyncSock         ] [eosatlas-ns-ip700.cern.ch:2001.0] Wrote a message:  (0x68000950), 44 bytes
[2023-05-31 15:23:44.094428 +0200][Dump   ][XRootDTransport   ] [msg: 0x68000ab0] Expecting 8 bytes of message body
[2023-05-31 15:23:44.094470 +0200][Dump   ][AsyncSock         ] [eosatlas-ns-ip700.cern.ch:2001.0] Received message header, size: 8
[2023-05-31 15:23:44.094490 +0200][Dump   ][AsyncSock         ] [eosatlas-ns-ip700.cern.ch:2001.0] Received a message of 16 bytes
[2023-05-31 15:23:44.094510 +0200][Debug  ][XRootDTransport   ] [eosatlas-ns-ip700.cern.ch:2001.0] Got the server hand shake response (type: manager [], protocol version 511)
[2023-05-31 15:23:44.094532 +0200][Dump   ][XRootDTransport   ] [msg: 0x68000ab0] Expecting 8 bytes of message body
[2023-05-31 15:23:44.094538 +0200][Dump   ][AsyncSock         ] [eosatlas-ns-ip700.cern.ch:2001.0] Received message header, size: 8
[2023-05-31 15:23:44.094547 +0200][Dump   ][AsyncSock         ] [eosatlas-ns-ip700.cern.ch:2001.0] Received a message of 16 bytes
[2023-05-31 15:23:44.094561 +0200][Debug  ][XRootDTransport   ] [eosatlas-ns-ip700.cern.ch:2001.0] kXR_protocol successful (type: manager [], protocol version 511)
[2023-05-31 15:23:44.094827 +0200][Debug  ][XRootDTransport   ] [eosatlas-ns-ip700.cern.ch:2001.0] Sending out kXR_login request, username: esindril, cgi: xrd.cc=ch&xrd.tz=1&xrd.appname=xrdfs&xrd.info=&xrd.hostname=elvin-dev01.cern.ch&xrd.rn=v5.5.5, dual-stack: true, private IPv4: false, private IPv6: false
[2023-05-31 15:23:44.094854 +0200][Debug  ][AsyncSock         ] [eosatlas-ns-ip700.cern.ch:2001.0] TLS hand-shake exchange.
[2023-05-31 15:23:44.104932 +0200][Debug  ][AsyncSock         ] [eosatlas-ns-ip700.cern.ch:2001.0] TLS hand-shake exchange.
[2023-05-31 15:23:44.105438 +0200][Error  ][TlsMsg            ] [] TLS error rc=-1 ec=1 (error_ssl) errno=0.
[2023-05-31 15:23:44.105486 +0200][Debug  ][TlsMsg            ] [] 140447345358592:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1264:
[2023-05-31 15:23:44.105507 +0200][Error  ][TlsMsg            ] Failed to do TLS connect: Unable to connect to eosatlas-ns-ip700.cern.ch; error_ssl
[2023-05-31 15:23:44.105526 +0200][Error  ][AsyncSock         ] [eosatlas-ns-ip700.cern.ch:2001.0] Socket error while handshaking: [FATAL] TLS error: resource temporarily unavailable
[2023-05-31 15:23:44.105536 +0200][Debug  ][AsyncSock         ] [eosatlas-ns-ip700.cern.ch:2001.0] Closing the socket
[2023-05-31 15:23:44.105550 +0200][Debug  ][Poller            ] <[::ffff:137.138.124.135]:50036><--><[::ffff:128.142.52.31]:2001> Removing socket from the poller
[2023-05-31 15:23:44.105662 +0200][Error  ][PostMaster        ] [eosatlas-ns-ip700.cern.ch:2001] elapsed = 1, pConnectionWindow = 120 seconds.
[2023-05-31 15:23:44.105694 +0200][Error  ][PostMaster        ] [eosatlas-ns-ip700.cern.ch:2001] Unable to recover: [FATAL] TLS error: resource temporarily unavailable.
[2023-05-31 15:23:44.105710 +0200][Error  ][XRootD            ] [eosatlas-ns-ip700.cern.ch:2001] Impossible to send message kXR_stat (path: /eos/, flags: none). Trying to recover.
[2023-05-31 15:23:44.105722 +0200][Debug  ][XRootD            ] [eosatlas-ns-ip700.cern.ch:2001] Handling error while processing kXR_stat (path: /eos/, flags: none): [FATAL] TLS error: resource temporarily unavailable.
[2023-05-31 15:23:44.105740 +0200][Info   ][XRootD            ] [eosatlas-ns-ip700.cern.ch:2001] Retrying request: kXR_stat (path: /eos/, flags: none).
[2023-05-31 15:23:44.105779 +0200][Dump   ][Utility           ] URL: fake://fake:111//eos/
....

I guess this is an incorrectly implemented client behavior?! Assuming this can be easily fixed, is there anything that can be done server side for old clients that are already out?

Thanks!

[1] https://github.com/xrootd/xrootd/blob/master/src/XrdXrootd/XrdXrootdConfig.cc#L628
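The client log above shows the shape of the failure: the TLS handshake for the kXR_login step fails with an OpenSSL "certificate verify failed" reason (the client has no CA directory to verify the server certificate against), the socket is closed, and the connection is abandoned rather than retried with a non-TLS protocol. The following script is an added triage example, not part of the issue or of the XRootD code base. It parses client debug lines of the format quoted above, extracts the OpenSSL reason string, reports whether the connection was abandoned after the TLS error, and includes a preflight check of the client CA directory. The sample log is constructed from the quoted output with hostnames and usernames replaced, and the CA file naming convention (OpenSSL "<hash>.0" links or "*.pem" files) is an assumption about the grid CA layout.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the client debug output quoted in the issue
# (hostnames and usernames replaced with placeholders).
SAMPLE_LOG = """\
[2023-05-31 15:23:44.094827 +0200][Debug  ][XRootDTransport   ] [host.example:2001.0] Sending out kXR_login request, username: user, cgi: xrd.appname=xrdfs
[2023-05-31 15:23:44.094854 +0200][Debug  ][AsyncSock         ] [host.example:2001.0] TLS hand-shake exchange.
[2023-05-31 15:23:44.105438 +0200][Error  ][TlsMsg            ] [] TLS error rc=-1 ec=1 (error_ssl) errno=0.
[2023-05-31 15:23:44.105486 +0200][Debug  ][TlsMsg            ] [] 140447345358592:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1264:
[2023-05-31 15:23:44.105507 +0200][Error  ][TlsMsg            ] Failed to do TLS connect: Unable to connect to host.example; error_ssl
[2023-05-31 15:23:44.105536 +0200][Debug  ][AsyncSock         ] [host.example:2001.0] Closing the socket
[2023-05-31 15:23:44.105694 +0200][Error  ][PostMaster        ] [host.example:2001] Unable to recover: [FATAL] TLS error: resource temporarily unavailable.
"""

# One XRootD client log line: [timestamp][level][component] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]"       # [2023-05-31 15:23:44.105438 +0200]
    r"\[(?P<level>\w+)\s*\]"     # [Error  ]
    r"\[(?P<comp>[^\]]*?)\s*\]"  # [TlsMsg            ]
    r"\s*(?P<msg>.*)$"
)

# Classic OpenSSL error string: error:<code>:<lib>:<function>:<reason>:...
OPENSSL_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*)"
)


@dataclass
class LogLine:
    ts: str
    level: str
    component: str
    message: str


@dataclass
class TlsDiagnosis:
    handshake_started: bool        # a "TLS hand-shake exchange" line was seen
    tls_error: bool                # an Error-level TlsMsg line was seen
    openssl_reason: Optional[str]  # e.g. "certificate verify failed"
    connection_abandoned: bool     # socket closed and "Unable to recover" after the error
    likely_cause: str


def parse(log_text: str) -> List[LogLine]:
    """Parse client debug output; lines not matching the format (e.g. '....') are skipped."""
    out = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append(LogLine(m["ts"], m["level"], m["comp"], m["msg"]))
    return out


def diagnose(log_text: str) -> TlsDiagnosis:
    """Classify a TLS handshake failure from an excerpt of client debug output."""
    lines = parse(log_text)
    handshake_started = any("TLS hand-shake" in ln.message for ln in lines)
    error_idx = next(
        (i for i, ln in enumerate(lines)
         if ln.component == "TlsMsg" and ln.level == "Error"),
        None,
    )
    if error_idx is None:
        return TlsDiagnosis(handshake_started, False, None, False, "no TLS error in excerpt")

    reason = None
    for ln in lines[error_idx:]:
        m = OPENSSL_RE.search(ln.message)
        if m:
            reason = m["reason"]
            break

    tail = lines[error_idx:]
    closed = any("Closing the socket" in ln.message for ln in tail)
    unrecovered = any("Unable to recover" in ln.message for ln in tail)

    if reason and "certificate verify failed" in reason:
        cause = ("client could not verify the server certificate; "
                 "check the client CA directory (e.g. /etc/grid-security/certificates)")
    elif reason:
        cause = f"TLS failure: {reason}"
    else:
        cause = "TLS failure (no OpenSSL reason string in excerpt)"
    return TlsDiagnosis(handshake_started, True, reason, closed and unrecovered, cause)


def ca_dir_entries_usable(entries: List[str]) -> bool:
    """True if a directory listing holds at least one CA file in the layout assumed
    here for a CApath-style directory: '<hash>.0' links or '*.pem' certificates."""
    return any(
        name.endswith(".pem") or re.fullmatch(r"[0-9a-f]{8}\.\d+", name)
        for name in entries
    )


def check_ca_dir(path: str = "/etc/grid-security/certificates") -> bool:
    """Preflight: does the client have a populated CA directory at all?"""
    return os.path.isdir(path) and ca_dir_entries_usable(os.listdir(path))


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
    print("CA directory usable:", check_ca_dir())
```

Run against a full client log captured with debug logging, the script tells you in one line whether a connect failure is the client-side trust-store problem described above (and whether the client gave up without trying another protocol), which is the check to make before enabling ztn on a server that still serves clients without certificate configuration.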

