
Re: [HTCondor-users] GSI how-to using outdated digest algorithm



Hi Lukas,

Thanks for the report.  I think it's best if we just put newer versions of the credentials on the wiki page.  I'll try to get this done today and I'll let you know when they're ready.


Cheers,
-zach


> -----Original Message-----
> From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> On Behalf Of
> Koschmieder, Lukas
> Sent: Thursday, April 05, 2018 4:44 AM
> To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
> Subject: [HTCondor-users] GSI how-to using outdated digest algorithm
> 
> Hi,
> 
> I'm trying to set up a GSI test environment following the instructions in
> your wiki https://htcondor-wiki.cs.wisc.edu/index.cgi/wiki?p=WisdomGsiSetup. All
> HTCondor daemons spawn correctly but the communication between the daemons
> doesn't work.
> 
> According to MasterLog the reason is that Globus won't verify the
> credentials due to "unknown message digest algorithm". It seems that the
> outdated MD5 algorithm was used to create the sample certificates and newer
> OpenSSL versions no longer support MD5 as a signature algorithm. I was
> wondering if
>
> 1. you're aware of some easy way to re-enable MD5 in OpenSSL.
> 2. you could update the TAR archive in your wiki using the recommended
>    SHA-256 algorithm instead of MD5.
> 
> 
> Best regards,
> Lukas
> 
> 04/05/18 10:22:25 SECMAN: command 2 UPDATE_MASTER_AD to collector tux-vbox.iehk.rwth-aachen.de:9618?sock=collector from TCP port 7676 (non-blocking).
> 04/05/18 10:22:25 SECMAN: waiting for TCP connection to collector tux-vbox.iehk.rwth-aachen.de:9618?sock=collector.
> 04/05/18 10:22:25 SECMAN: resuming command 2 UPDATE_MASTER_AD to collector tux-vbox.iehk.rwth-aachen.de:9618?sock=collector from TCP port 7676 (non-blocking).
> 04/05/18 10:22:25 SECMAN: resuming command 2 UPDATE_MASTER_AD to collector tux-vbox.iehk.rwth-aachen.de:9618?sock=collector from TCP port 7676 (non-blocking).
> 04/05/18 10:22:25 SECMAN: new session, doing initial authentication.
> 04/05/18 10:22:25 SECMAN: Auth methods: GSI
> 04/05/18 10:22:25 AUTHENTICATE: setting timeout for <137.226.129.230:9618?alias=tux-vbox.iehk.rwth-aachen.de&sock=collector> to 20.
> 04/05/18 10:22:25 HANDSHAKE: in handshake(my_methods = 'GSI')
> 04/05/18 10:22:25 HANDSHAKE: handshake() - i am the client
> 04/05/18 10:22:25 HANDSHAKE: sending (methods == 32) to server
> 04/05/18 10:22:25 HANDSHAKE: server replied (method = 32)
> 04/05/18 10:22:25 Condor GSI authentication failure
> GSS Major Status: Authentication Failed
> GSS Minor Status Error Chain:
> globus_gss_assist: Error during context initialization
> globus_gsi_callback_module: Could not verify credential
> globus_gsi_callback_module: Could not verify credential: certificate signature failure
> OpenSSL Error: a_verify.c:206: in library: asn1 encoding routines, function ASN1_item_verify: unknown message digest algorithm
> 04/05/18 10:22:25 AUTHENTICATE: method 32 (GSI) failed.
> 04/05/18 10:22:25 HANDSHAKE: in handshake(my_methods = '')
> 04/05/18 10:22:25 HANDSHAKE: handshake() - i am the client
> 04/05/18 10:22:25 HANDSHAKE: sending (methods == 0) to server
> 04/05/18 10:22:25 HANDSHAKE: server replied (method = 0)
> 04/05/18 10:22:25 SECMAN: required authentication with collector tux-vbox.iehk.rwth-aachen.de:9618?sock=collector failed, so aborting command UPDATE_MASTER_AD.
> 04/05/18 10:22:25 ERROR: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using GSI|GSI:5004:Failed to authenticate.  Globus is reporting error (655360:1583)
> 04/05/18 10:22:25 Failed to start non-blocking update to <137.226.129.230:9618>.