Bugzilla – Bug 6901
mutual auth in init_context fails for generic service
Last modified: 2009-12-17 13:34:58
In working with getting AFS interoperability with the current Globus version 4.2.1, I ran into an issue where the gssklog Version 0.11 utility was no longer able to work after, say, version 4.0.9 (VDT) due to a failure in mutual auth when establishing the initial context. The daemon uses a service key gssklog/<fqdn> and is looking for gssklog@<fqdn> ... the initial context fails comparing the two hostnames.

Original link: ftp://achilles.ctd.anl.gov/pub/DEE/
Reference link: http://www.hep.man.ac.uk/u/masj/gssklog/

There seems to be a problem with getting mutual auth to work for the Globus service gssklog in the client application gssklog. The call to gss_init_sec_context() fails comparing the returned CN with the expected service/fqdn. After some tracing I found that if I added the service gssklog to the globus_i_gsi_gssapi_get_hostname() function (see below), the mutual auth worked as expected. This seemed to be a bit extreme to get the mutual auth to work for a generic service, as the only services listed in the function were host/ and ftp/. I am wondering if I may have missed something?

Mike Coyne

-------------cut-line--------------- Index: trunk/gt4.2/source-trees/gsi/gssapi/source/library/globus_i_gsi_gss_utils.c =================================================================== --- trunk/gt4.2/source-trees/gsi/gssapi/source/library/globus_i_gsi_gss_utils.c (revision 540) +++ trunk/gt4.2/source-trees/gsi/gssapi/source/library/globus_i_gsi_gss_utils.c (revision 613) @@ -2530,7 +2530,12 @@ { length = name_entry->value->length; data = name_entry->value->data; - if ( length > 5 && !strncasecmp((char *) data, "host/", 5)) + if ( length > 8 && !strncasecmp((char *) data, "gssklog/", 8)) + { + length -= 8; + data += 8; + } + else if ( length > 5 && !strncasecmp((char *) data, "host/", 5)) { length -= 5; data += 5; -------------cut-line---------------
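Review bot: the new "gssklog/" branch extends a hard-coded prefix chain (gssklog/, then host/), so every further service will need another library patch; consider stripping whatever precedes the first '/' in the name entry, or driving the check from a small table of prefix and length pairs instead of the literals 8 and 5. Also, after "data += 8" only the host part is left, so the service token is dropped from what gets compared; it is worth confirming that the caller checks the service separately, otherwise a name entry issued for one service would compare equal to a target naming a different service on the same host.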
I think I fixed this a while back but it never made it out to a release because our release process got gummed up. Can you try the update package at http://www.mcs.anl.gov/~bester/patches/globus_gssapi_gsi-5.17.tar.gz and see if that addresses your problem? If so I'll try to get it out to the toolkit updates page.
Starting GANGLIA gssklogd: len=36, name=/CN=gssklog/styx.pbdenton.paccar.com
GSS-error acquiring credentials: major:000d0000 minor:00000004
GSS Major Status: General failure
GSS Minor Status Error Chain:
acquire_cred.c:gss_acquire_cred:148: Error with GSI credential
globus_i_gsi_gss_utils.c:globus_i_gsi_gss_cred_read:1409: Error with gss credential handle
globus_i_gsi_gss_utils.c:globus_i_gsi_gss_create_cred:1607: Error with gss credential handle
globus_i_gsi_gss_utils.c:globus_i_gsi_gssapi_init_ssl_context:2175: Error with openssl: Can't initialize the SSL_CTX
OpenSSL Error: ssl_lib.c:1432: in library: SSL routines, function SSL_CTX_new: library has no ciphers

Similarly on client side... I did a gss-build -force .......tar.gz gcc64dbg gcc64dbgpthr, wonder if I need something else to go with it?

mcoyne@styx.pbdenton.paccar.com:/common/temp/gssbuild10/gssklog-0.12 # globus-job-run styx /bin/date
gram_init failure:
GSS Major Status: General failure
GSS Minor Status Error Chain:
acquire_cred.c:gss_acquire_cred:148: Error with GSI credential
globus_i_gsi_gss_utils.c:globus_i_gsi_gss_cred_read:1409: Error with gss credential handle
globus_i_gsi_gss_utils.c:globus_i_gsi_gss_create_cred:1607: Error with gss credential handle
globus_i_gsi_gss_utils.c:globus_i_gsi_gssapi_init_ssl_context:2175: Error with openssl: Can't initialize the SSL_CTX
OpenSSL Error: ssl_lib.c:1432: in library: SSL routines, function SSL_CTX_new: library has no ciphers
Try also installing http://www.mcs.anl.gov/~bester/patches/globus_openssl_module-0.8.tar.gz The call to SSL_library_init() got moved to that module since 4.2.1.
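
Added example (not code from this bug report or from the Globus Toolkit): a generic form of the name check described in the first comment, matching a certificate CN of the form service/fqdn against a target of the form service@fqdn for any service name rather than a hard-coded prefix list, and rejecting a CN whose service differs from the target's. The function names, the sample host names and the rule that a bare host name counts as service "host" are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Split a CN value "service/host"; a bare "host" is treated as service
 * "host" (an assumption of this example, not documented Globus behaviour). */
static void split_cn(const char *cn, const char **svc, size_t *svc_len,
                     const char **host)
{
    const char *slash = strchr(cn, '/');
    if (slash != NULL && slash != cn) {
        *svc = cn;
        *svc_len = (size_t)(slash - cn);
        *host = slash + 1;
    } else {
        *svc = "host";
        *svc_len = 4;
        *host = cn;
    }
}

/* Return 1 if cn ("service/fqdn") names the same service and host as
 * target ("service@fqdn"), else 0. Both parts compare case-insensitively. */
int cn_matches_target(const char *cn, const char *target)
{
    const char *at, *svc, *host;
    size_t svc_len, want_len;

    if (cn == NULL || target == NULL)
        return 0;
    at = strchr(target, '@');
    if (at == NULL || at == target || at[1] == '\0')
        return 0;                       /* malformed target name */
    want_len = (size_t)(at - target);
    split_cn(cn, &svc, &svc_len, &host);
    if (*host == '\0')
        return 0;                       /* "gssklog/" with no host part */
    if (svc_len != want_len || strncasecmp(svc, target, want_len) != 0)
        return 0;                       /* service differs: reject */
    return strcasecmp(host, at + 1) == 0;
}

int main(void)
{
    /* Constructed sample names, not taken from the bug report. */
    printf("%d\n", cn_matches_target("gssklog/node1.example.org", "gssklog@node1.example.org"));
    printf("%d\n", cn_matches_target("host/node1.example.org", "gssklog@node1.example.org"));
    return 0;
}
```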