
Re: [HTCondor-users] GSI how-to using outdated digest algorithm



Hello,

If you look at the wiki here:
  https://htcondor-wiki.cs.wisc.edu/index.cgi/wiki?p=WisdomGsiSetup

I have attached a new tarball containing updated certificates and keys.  These use SHA256 instead of MD5.

I also attached a tarball containing the script I used to generate that tarball, should you ever want to do this again on your own.

Thanks again for the report and let me know if you have any trouble.


Cheers,
-zach


> -----Original Message-----
> From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> On Behalf Of Zach Miller
> Sent: Thursday, April 05, 2018 11:41 AM
> To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
> Subject: Re: [HTCondor-users] GSI how-to using outdated digest algorithm
> 
> Hi Lukas,
> 
> Thanks for the report.  I think it's best if we just put newer versions of
> the credentials on the wiki page.  I'll try to get this done today and I'll
> let you know when they're ready.
> 
> 
> Cheers,
> -zach
> 
> 
> > -----Original Message-----
> > From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> On Behalf Of Koschmieder, Lukas
> > Sent: Thursday, April 05, 2018 4:44 AM
> > To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
> > Subject: [HTCondor-users] GSI how-to using outdated digest algorithm
> >
> > Hi,
> >
> > I'm trying to set up a GSI test environment following the instructions in
> > your wiki https://htcondor-wiki.cs.wisc.edu/index.cgi/wiki?p=WisdomGsiSetup . All
> > HTCondor daemons spawn correctly but the communication between the daemons
> > doesn't work.
> >
> > According to MasterLog the reason is that Globus won't verify the
> > credentials due to "unknown message digest algorithm". It seems that the
> > outdated MD5 algorithm was used to create the sample certificates and newer
> > OpenSSL versions no longer support MD5 as a signature algorithm. I was
> > wondering if
> >
> > 1. you're aware of some easy way to re-enable MD5 in OpenSSL.
> > 2. you could update the TAR archive in your wiki using the recommended
> >    SHA-256 algorithm instead of MD5.
> >
> >
> > Best regards,
> > Lukas
> >
> > 04/05/18 10:22:25 SECMAN: command 2 UPDATE_MASTER_AD to collector tux-vbox.iehk.rwth-aachen.de:9618?sock=collector from TCP port 7676 (non-blocking).
> > 04/05/18 10:22:25 SECMAN: waiting for TCP connection to collector tux-vbox.iehk.rwth-aachen.de:9618?sock=collector.
> > 04/05/18 10:22:25 SECMAN: resuming command 2 UPDATE_MASTER_AD to collector tux-vbox.iehk.rwth-aachen.de:9618?sock=collector from TCP port 7676 (non-blocking).
> > 04/05/18 10:22:25 SECMAN: resuming command 2 UPDATE_MASTER_AD to collector tux-vbox.iehk.rwth-aachen.de:9618?sock=collector from TCP port 7676 (non-blocking).
> > 04/05/18 10:22:25 SECMAN: new session, doing initial authentication.
> > 04/05/18 10:22:25 SECMAN: Auth methods: GSI
> > 04/05/18 10:22:25 AUTHENTICATE: setting timeout for <137.226.129.230:9618?alias=tux-vbox.iehk.rwth-aachen.de&sock=collector> to 20.
> > 04/05/18 10:22:25 HANDSHAKE: in handshake(my_methods = 'GSI')
> > 04/05/18 10:22:25 HANDSHAKE: handshake() - i am the client
> > 04/05/18 10:22:25 HANDSHAKE: sending (methods == 32) to server
> > 04/05/18 10:22:25 HANDSHAKE: server replied (method = 32)
> > 04/05/18 10:22:25 Condor GSI authentication failure
> > GSS Major Status: Authentication Failed
> > GSS Minor Status Error Chain:
> > globus_gss_assist: Error during context initialization
> > globus_gsi_callback_module: Could not verify credential
> > globus_gsi_callback_module: Could not verify credential: certificate signature failure
> > OpenSSL Error: a_verify.c:206: in library: asn1 encoding routines, function ASN1_item_verify: unknown message digest algorithm
> > 04/05/18 10:22:25 AUTHENTICATE: method 32 (GSI) failed.
> > 04/05/18 10:22:25 HANDSHAKE: in handshake(my_methods = '')
> > 04/05/18 10:22:25 HANDSHAKE: handshake() - i am the client
> > 04/05/18 10:22:25 HANDSHAKE: sending (methods == 0) to server
> > 04/05/18 10:22:25 HANDSHAKE: server replied (method = 0)
> > 04/05/18 10:22:25 SECMAN: required authentication with collector tux-vbox.iehk.rwth-aachen.de:9618?sock=collector failed, so aborting command UPDATE_MASTER_AD.
> > 04/05/18 10:22:25 ERROR: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using GSI|GSI:5004:Failed to authenticate.  Globus is reporting error (655360:1583)
> > 04/05/18 10:22:25 Failed to start non-blocking update to <137.226.129.230:9618>.
> 
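
Added example, not part of the original thread and not the script attached to it: a standard-library check that reads the signatureAlgorithm OID from a PEM certificate and flags MD5, the digest behind the "unknown message digest algorithm" failure in the log above, so test credentials can be audited before the daemons are started. The names `SIG_ALGS`, `check_pem` and `sample_pem` are chosen here, SHA-1 is flagged as a second deprecated digest beyond what the thread discusses, and the sample input is a constructed skeleton rather than a real certificate.

```python
import base64

SIG_ALGS = {  # signatureAlgorithm OID -> (name, weak digest?); MD5 is this thread's case
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
}

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def signature_oid(der):  # dotted OID of the outer Certificate.signatureAlgorithm
    tag, start, _ = read_tlv(der, 0)                # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, start)            # skip over tbsCertificate
    alg_tag, alg_start, _ = read_tlv(der, tbs_end)  # AlgorithmIdentifier SEQUENCE
    oid_tag, o, e = read_tlv(der, alg_start)        # its first element, the OID
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not an X.509 certificate structure")
    first = min(der[o] // 40, 2)                    # first byte packs the first two arcs
    arcs, value = [first, der[o] - 40 * first], 0
    for byte in der[o + 1:e]:                       # remaining arcs: base 128, high bit = more
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def check_pem(pem):  # -> (name, is_weak); unknown OIDs come back as (oid, None)
    body = "".join(ln for ln in pem.splitlines() if ln and not ln.startswith("-----"))
    oid = signature_oid(base64.b64decode(body))
    return SIG_ALGS.get(oid, (oid, None))

def _tlv(tag, body):  # sample builder only; handles lengths < 128 or 256..65535
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + body

def sample_pem(oid_hex):  # constructed skeleton (placeholder body and signature), not a real cert
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(oid_hex)) + _tlv(0x05, b""))
    cert = _tlv(0x30, _tlv(0x30, _tlv(0x04, bytes(300))) + alg + _tlv(0x03, bytes(9)))
    return f"-----BEGIN CERTIFICATE-----\n{base64.encodebytes(cert).decode()}-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for oid_hex in ("2a864886f70d010104", "2a864886f70d01010b"):  # MD5 / SHA-256 with RSA
        print(check_pem(sample_pem(oid_hex)))
```

To audit real credentials, pass the text of each PEM certificate file to `check_pem`; every certificate in the chain, including the CA certificate, needs to come back with a non-weak digest.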