Bug 4186 - Some GRAM security errors less informative than before
Status: NEW
: XIO
GlobusIO
: 4.0.1
: All All
: P3 minor
Reported: 2006-01-31 17:04 by
Modified: 2006-02-01 14:24 (History)


Description From 2006-01-31 17:04:22
Some security-related error messages returned by globusrun have become less
informative than previously.

An example is when the gatekeeper is missing a CA certificate needed to
authenticate a client. In Globus 2.4.3, globusrun reports this:
---------------
nostos(43)% globusrun -a -r fngp-osg.fnal.gov

GRAM Authentication test failure: authentication failed:
GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:

init.c:499: globus_gss_assist_init_sec_context_async: Error during context
initialization
init_sec_context.c:171: gss_init_sec_context: SSLv3 handshake problems
globus_i_gsi_gss_utils.c:888: globus_i_gsi_gss_handshake: Unable to verify
remote side's credentials
globus_i_gsi_gss_utils.c:847: globus_i_gsi_gss_handshake: Unable to verify
remote side's credentials: 
Couldn't verify the remote certificate
OpenSSL Error: s3_pkt.c:1046: in library: SSL routines, function
SSL3_READ_BYTES: sslv3 alert bad 
certificate
nostos(44)% setenv X509_USER_PROXY/tmp/x
X509_USER_PROXY/tmp/ not found

nostos(44)%
---------------

However, in Globus 4.0.1, globusrun reports this:
---------------
nostos(47)% globusrun -a -r fngp-osg.fnal.gov

GRAM Authentication test failure: authentication with the remote server failed
nostos(48)% 
---------------

It would be nice to have the more informative messages back.
------- Comment #1 From 2006-02-01 14:24:21 -------
I think this is a bug in the Globus IO / XIO compatibility layer code. It is
not turning all gssapi errors into GLOBUS_IO_ERROR_TYPE_SECURITY_FAILED type
(or children of that type) errors. Only authorization failed is handled, not
defective credentials (as in this case) or others.