[HTCondor-users] SSL authentication fails when DNS returns multiple records



Package: htcondor

Version: 8.7.10

 

Hi,

 

we have encountered an unexpected failure with X509 authentication between HTCondor daemons. The hostname checking for the daemon’s SSL certificate fails if the DNS server returns multiple A records. It is caused by the problematic implementation of the `get_full_hostname` method (https://github.com/htcondor/htcondor/blob/75b6f507a8be72dbe4fb17b61c0aa5049933522e/src/condor_utils/ipv6_hostname.cpp#L415), which returns only the first domain name of the PTR records (reverse DNS records). However, according to the DNS standard, the order of those PTR records cannot be guaranteed. Therefore, the authentication fails from time to time depending on whether the first record matches the common name in the x509 certificate.

 

Best regards,

Mingxuan Lin
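
The failure mode reported above, as an added example that is not part of the original message and is not HTCondor's code: a check that compares only the first reverse-DNS name with the certificate's common name depends on record order, while a check against the whole returned set does not. The function names and the `example.org` host names are hypothetical and the record set is constructed.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

// DNS names compare case-insensitively; drop one trailing root dot.
static std::string normalize(std::string name) {
    if (!name.empty() && name.back() == '.') name.pop_back();
    std::transform(name.begin(), name.end(), name.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return name;
}

// Behaviour described in the message: only the first PTR name is compared.
bool first_name_matches(const std::vector<std::string>& ptr_names, const std::string& cert_cn) {
    return !ptr_names.empty() && normalize(ptr_names.front()) == normalize(cert_cn);
}

// Order-independent variant: the common name may equal any returned PTR name.
bool any_name_matches(const std::vector<std::string>& ptr_names, const std::string& cert_cn) {
    const std::string want = normalize(cert_cn);
    return std::any_of(ptr_names.begin(), ptr_names.end(),
                       [&](const std::string& n) { return normalize(n) == want; });
}

struct Tally { int orderings; int first_ok; int any_ok; };

// Evaluate both checks over every order in which a resolver could return the records.
Tally tally_orderings(std::vector<std::string> ptr_names, const std::string& cert_cn) {
    std::sort(ptr_names.begin(), ptr_names.end());
    Tally t{0, 0, 0};
    do {
        ++t.orderings;
        if (first_name_matches(ptr_names, cert_cn)) ++t.first_ok;
        if (any_name_matches(ptr_names, cert_cn)) ++t.any_ok;
    } while (std::next_permutation(ptr_names.begin(), ptr_names.end()));
    return t;
}

int main() {
    // Constructed PTR record set for one address; not taken from the report.
    std::vector<std::string> ptr = {"node01.example.org.", "alias-a.example.org.",
                                    "Alias-B.example.org."};
    Tally t = tally_orderings(ptr, "node01.example.org");
    std::printf("orderings=%d first-only ok=%d any-name ok=%d\n",
                t.orderings, t.first_ok, t.any_ok);
    return 0;
}
```

Checking the certificate against the host name the connection was configured to reach avoids depending on reverse-DNS data at all.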