Re: [Condor-users] Enabling SSL encryption in Condor



Hello,

> Can you send the entire schedd logfile to condor-admin@xxxxxxxxxxx? I'm
> very interested in seeing the case where it works when you use 
> FS and then SSL.

Logfile has been sent, and got assigned ticket number #14017.

While we are at it, I've tried to enable SSL also on Windows-based machines,
but the experience was very short, with a crash of the master daemon, which generated
the following stack trace:

//=====================================================
Exception code: C00000FD STACK_OVERFLOW
Fault address:  0046E947 01:0006D947 C:\condor\bin\condor_master.exe

Registers:
EAX:00003508
EBX:00967620
ECX:00A52574
EDX:009602F0
ESI:00967F80
EDI:00967D30
CS:EIP:001B:0046E947
SS:ESP:0023:00B4F56C  EBP:00B4F5E4
DS:0023  ES:0023  FS:003B  GS:0000
Flags:00010202

Call stack:
Address   Frame
0046E947  00B4F5E4  _alloca_probe+17
0045E3AA  00B4F600  Authentication::authenticate+15
0045743C  00B4F630  ReliSock::perform_authenticate+7A
00457492  00B4F644  ReliSock::authenticate+13
0045ABD9  00B4FD6C  SecManStartCommand::startCommand_inner+111A
00459A8D  00B4FD78  SecManStartCommand::startCommand+C
0045B601  00B4FDEC  SecManStartCommand::TCPAuthConnected_inner+A0
0045B38C  00B4FE0C  SecManStartCommand::TCPAuthConnected+59
004375E0  00B4FE58  DaemonCore::Driver+97C
0043F2ED  00B4FF90  dc_main+AFA
00405213  00B4FFA0  ServiceMain+5B
77DEB48B  00B4FFB4  CryptVerifySignatureW+29
7C80B50B  00B4FFEC  GetModuleFileNameA+1B4

and similarly a crash of the startd:

//=====================================================
Exception code: C00000FD STACK_OVERFLOW
Fault address:  00481A37 01:00080A37 C:\condor\bin\condor_startd.exe

Registers:
EAX:00004508
EBX:00A61650
ECX:00032AA0
EDX:00A50230
ESI:00A62C40
EDI:00A62FC0
CS:EIP:001B:00481A37
SS:ESP:0023:0012EA98  EBP:0012EB10
DS:0023  ES:0023  FS:003B  GS:0000
Flags:00010202

Call stack:
Address   Frame
00481A37  0012EB10  _chkstk+17
00450405  0012EB2C  Authentication::authenticate+15
00449EFF  0012EB5C  ReliSock::perform_authenticate+7A
00449F55  0012EB70  ReliSock::authenticate+13
0044D21D  0012F298  SecManStartCommand::startCommand_inner+111A
0044C0D1  0012F2A4  SecManStartCommand::startCommand+C
0044DC45  0012F318  SecManStartCommand::TCPAuthConnected_inner+A0
0044C8D8  0012FA3C  SecManStartCommand::startCommand_inner+7D5
0044C0D1  0012FA48  SecManStartCommand::startCommand+C
0044BF4E  0012FA68  SecMan::startCommand+88
004225E1  0012FAD0  Daemon::startCommand+1E5
004229EB  0012FB14  Daemon::startCommand+1CF
00422B3A  0012FB48  Daemon::startCommand+23
004330B8  0012FB78  DCCollector::sendUDPUpdate+7B
00432FB7  0012FC10  DCCollector::sendUpdate+22E
00425E3F  0012FC34  CollectorList::sendUpdates+4D
0040AACC  0012FC4C  ResMgr::send_update+24
0040C95D  0012FDB8  Resource::final_update+80
0040A572  0012FDC4  ResMgr::walk+1A
0040AA98  0012FDCC  ResMgr::final_update+10
00415A24  0012FDDC  startd_exit+5A
00463DD2  0012FDF8  handle_dc_sigterm+B5
0040AAF9  0012FE30  ResMgr::first_eval_and_update_all+26
0046490D  0012FF68  dc_main+AFA
00464A1C  0012FF80  main+CE
00481B14  00000001  mainCRTStartup+C5

The (famous) last words of the daemons in the logs:

7/19 11:16:55 (fd:3) (pid:2740) AUTHENTICATE: can still try these methods: SSL
7/19 11:16:55 (fd:3) (pid:2740) HANDSHAKE: in handshake(my_methods = 'SSL')
7/19 11:16:55 (fd:3) (pid:2740) HANDSHAKE: handshake() - i am the client
7/19 11:16:55 (fd:3) (pid:2740) HANDSHAKE: sending (methods == 256) to server
7/19 11:16:55 (fd:3) (pid:2740) condor_read(): nfds=0
7/19 11:16:55 (fd:3) (pid:2740) condor_read(): nfound=1
7/19 11:16:55 (fd:3) (pid:2740) condor_read(): nfds=0
7/19 11:16:55 (fd:3) (pid:2740) condor_read(): nfound=1
7/19 11:16:55 (fd:3) (pid:2740) HANDSHAKE: server replied (method = 256)
7/19 11:16:55 (fd:3) (pid:2740) AUTHENTICATE: will try to use 256 (SSL)

Pascal