
Re: [Condor-users] SSL authentication problem



On Jun 2, 2008, at 6:00 AM, Smith, Ian wrote:

Hi,

After seeing the SSL tutorial on the Condor Week pages I thought I'd
give it another go. Things are fine under unix (solaris 9) but it
seems to fail completely under Windows XP. The Master log reports
this:

6/2 11:41:52 SECMAN: new session, doing initial authentication.
6/2 11:41:52 HANDSHAKE: in handshake(my_methods = 'SSL')
6/2 11:41:52 HANDSHAKE: handshake() - i am the server
6/2 11:41:52 HANDSHAKE: client sent (methods == 256)
6/2 11:41:52 HANDSHAKE: i picked (method == 256)
6/2 11:41:52 HANDSHAKE: client received (method == 256)
6/2 11:41:52 CADIR:      'c:\condor\ssl'
6/2 11:41:52 CERTFILE:   'c:\condor\ssl\host.crt'
6/2 11:41:52 KEYFILE:    'c:\condor\ssl\host.key'
6/2 11:41:52 CIPHERLIST: 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'
6/2 11:41:52 Trying to accept.
6/2 11:41:52 Accept returned -1.
6/2 11:41:52 SSL: trying to continue reading.
6/2 11:41:52 Round 1.
6/2 11:41:52 Receive message.
6/2 11:41:52 Received message (2).
6/2 11:41:52 Status (c: 2, s: 2)
6/2 11:41:52 Trying to accept.
6/2 11:41:52 Accept returned -1.
6/2 11:41:52 SSL: trying to continue reading.
6/2 11:41:52 Round 2.
6/2 11:41:52 Send message (2).
6/2 11:41:52 Status (c: 2, s: 2)
6/2 11:41:52 Trying to accept.
6/2 11:41:52 Accept returned -1.
6/2 11:41:52 SSL: trying to continue reading.
6/2 11:41:52 Round 3.
6/2 11:41:52 Receive message.
6/2 11:41:52 Received message (3).
6/2 11:41:52 Status (c: 3, s: 2)
6/2 11:41:52 SSL Authentication failed

Any idea what is wrong? I've got the DEBUG cranked up to full but is there any way of getting more info about the problem that might be meaningful to the openssl people? I'm using the latest openssl binary distro and Condor 7.0.1. I'm sure that I've had the authentication working in the past but got bogged down in the authorization details.

It looks to me like the client is rejecting the credentials of the server. What is the master communicating with here? What does the log look like on the client side? The client side logs should show more detail about why the credentials are being rejected.

Is the server credential valid? Does the client have access to the ca certificate that issued host.crt?


any help would be much appreciated,

regards,

-ian.

PS I'm still at a loss to see what is stopping malicious users just copying the host cert elsewhere. Unless it can be made readable only by the Condor processes under Windows?

I believe that it can be. Condor processes usually run as 'system' so if you configure your permissions so that only 'system' and administrators can access 'c:\condor\ssl', the users shouldn't be able to access those files, but the Condor daemons should be able to.

Cheers,

-Ian



-------------------------------------------
Dr. Ian C. Smith,
e-Science Team,
University of Liverpool
Computing Services Department.
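The thread raises three checks for the Windows side: is host.crt itself valid, does it chain to a CA certificate the client can be given a copy of, and is c:\condor\ssl locked down to SYSTEM and Administrators so ordinary users cannot copy host.key. The script below is an added example, written for this page rather than taken from the thread or from the Condor project, that runs those checks against the paths the MasterLog printed (CADIR, CERTFILE, KEYFILE). Its assumptions: the CA certificates in CADIR are PEM files ending in .crt or .pem; the key is an unencrypted RSA key (the optional modulus comparison needs an openssl.exe on the PATH); the trusted identity list and the -Fix switch are this example's own choices, and the fix must be run from an elevated PowerShell session.

```powershell
<#
  Added example (not Condor project code). Audits the SSL files named in
  Condor's MasterLog on a Windows host: certificate validity, chain to a CA
  in CADIR, key/cert match, and directory permissions.
  Assumptions: CA certs are PEM .crt/.pem files in $CaDir; RSA key; the
  identity list and -Fix behaviour are this example's own.
#>
param(
    [string]$CaDir    = 'c:\condor\ssl',
    [string]$CertFile = 'c:\condor\ssl\host.crt',
    [string]$KeyFile  = 'c:\condor\ssl\host.key',
    # Condor daemons usually run as SYSTEM; add a service account here if yours do not.
    [string[]]$TrustedIdentities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'),
    [switch]$Fix
)

# 1. Is the server credential valid on its own terms?
$hostCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertFile
"Subject : $($hostCert.Subject)"
"Issuer  : $($hostCert.Issuer)"
"Valid   : $($hostCert.NotBefore) -> $($hostCert.NotAfter)"
$now = Get-Date
if ($now -lt $hostCert.NotBefore -or $now -gt $hostCert.NotAfter) {
    Write-Warning 'host.crt is outside its validity period; any client will reject it.'
}

# 2. Does host.crt chain to a CA certificate that lives in CADIR? That CA cert
#    is what the client side needs a copy of; the server log alone cannot show this.
$caCerts = Get-ChildItem -Path (Join-Path $CaDir '*') -Include '*.crt', '*.pem' |
    ForEach-Object { New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $_.FullName } |
    Where-Object { $_.Thumbprint -ne $hostCert.Thumbprint }
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode     = 'NoCheck'
# Build against the CA files in CADIR rather than the Windows trust store.
$chain.ChainPolicy.VerificationFlags  = 'AllowUnknownCertificateAuthority'
foreach ($ca in $caCerts) { [void]$chain.ChainPolicy.ExtraStore.Add($ca) }
[void]$chain.Build($hostCert)
foreach ($s in $chain.ChainStatus) { "Chain status: $($s.Status) - $($s.StatusInformation)" }
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$caThumbs = @($caCerts | ForEach-Object { $_.Thumbprint })
if ($chain.ChainElements.Count -gt 1 -and $caThumbs -contains $top.Thumbprint) {
    "host.crt chains to CA '$($top.Subject)' found in $CaDir; give the client that CA file."
} else {
    Write-Warning "No CA certificate in $CaDir issued host.crt (issuer: $($hostCert.Issuer))."
}

# 3. Does host.key belong to host.crt? (RSA only; needs openssl.exe on the PATH.)
$openssl = Get-Command openssl -ErrorAction SilentlyContinue
if ($openssl) {
    $certMod = & $openssl.Path x509 -noout -modulus -in $CertFile
    $keyMod  = & $openssl.Path rsa  -noout -modulus -in $KeyFile
    if ($certMod -ne $keyMod) { Write-Warning 'host.key does not match host.crt.' }
    else { 'host.key matches host.crt.' }
}

# 4. Who can read the directory holding host.key? Anything beyond the trusted
#    identities means an ordinary user could copy the credential elsewhere.
$acl   = Get-Acl -Path $CaDir
$extra = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and ($TrustedIdentities -notcontains $_.IdentityReference.Value)
})
foreach ($e in $extra) {
    Write-Warning ("{0} has {1} on {2}" -f $e.IdentityReference.Value, $e.FileSystemRights, $CaDir)
}
if ($extra.Count -eq 0) { "$CaDir is readable only by: $($TrustedIdentities -join ', ')" }

if ($Fix -and $extra.Count -gt 0) {
    # Stop inheriting from the parent directory and drop the inherited entries first;
    # inherited rules cannot be removed individually.
    $acl.SetAccessRuleProtection($true, $false)
    Set-Acl -Path $CaDir -AclObject $acl
    $acl = Get-Acl -Path $CaDir
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    foreach ($id in $TrustedIdentities) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            $id, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $CaDir -AclObject $acl
    "Permissions on $CaDir reset to: $($TrustedIdentities -join ', ')"
}
```

Run it without -Fix first: the chain section tells you which CA file the Unix clients must hold (the Windows daemon's log only shows that the peer gave up at round 3, not why), and the ACL section lists every identity that could read host.key. Rerun with -Fix from an elevated session only once the identity list matches the account your condor_master actually runs under, since removing that account's access would break the daemons rather than the attackers.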