Mailing List Archives
Re: [Condor-users] SSL authentication problem
- Date: Wed, 4 Jun 2008 12:20:26 -0500
- From: Ian Alderman <alderman@xxxxxxxxxxx>
- Subject: Re: [Condor-users] SSL authentication problem
On Jun 2, 2008, at 6:00 AM, Smith, Ian wrote:
> Hi,
>
> After seeing the SSL tutorial on the Condor Week pages I thought I'd
> give it another go. Things are fine under unix (solaris 9) but it
> seems to fail completely under Windows XP. The Master log reports
> this:
>
> 6/2 11:41:52 SECMAN: new session, doing initial authentication.
> 6/2 11:41:52 HANDSHAKE: in handshake(my_methods = 'SSL')
> 6/2 11:41:52 HANDSHAKE: handshake() - i am the server
> 6/2 11:41:52 HANDSHAKE: client sent (methods == 256)
> 6/2 11:41:52 HANDSHAKE: i picked (method == 256)
> 6/2 11:41:52 HANDSHAKE: client received (method == 256)
> 6/2 11:41:52 CADIR: 'c:\condor\ssl'
> 6/2 11:41:52 CERTFILE: 'c:\condor\ssl\host.crt'
> 6/2 11:41:52 KEYFILE: 'c:\condor\ssl\host.key'
> 6/2 11:41:52 CIPHERLIST: 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'
> 6/2 11:41:52 Trying to accept.
> 6/2 11:41:52 Accept returned -1.
> 6/2 11:41:52 SSL: trying to continue reading.
> 6/2 11:41:52 Round 1.
> 6/2 11:41:52 Receive message.
> 6/2 11:41:52 Received message (2).
> 6/2 11:41:52 Status (c: 2, s: 2)
> 6/2 11:41:52 Trying to accept.
> 6/2 11:41:52 Accept returned -1.
> 6/2 11:41:52 SSL: trying to continue reading.
> 6/2 11:41:52 Round 2.
> 6/2 11:41:52 Send message (2).
> 6/2 11:41:52 Status (c: 2, s: 2)
> 6/2 11:41:52 Trying to accept.
> 6/2 11:41:52 Accept returned -1.
> 6/2 11:41:52 SSL: trying to continue reading.
> 6/2 11:41:52 Round 3.
> 6/2 11:41:52 Receive message.
> 6/2 11:41:52 Received message (3).
> 6/2 11:41:52 Status (c: 3, s: 2)
> 6/2 11:41:52 SSL Authentication failed
>
> Any idea what is wrong? I've got the DEBUG cranked up to full but is there
> any way of getting more info about the problem that might be meaningful to
> the openssl people? I'm using the latest openssl binary distro and Condor
> 7.0.1. I'm sure that I've had the authentication working in the past but got
> bogged down in the authorization details.

It looks to me like the client is rejecting the credentials of the
server. What is the master communicating with here? What does the
log look like on the client side? The client side logs should show
more detail about why the credentials are being rejected.
Is the server credential valid? Does the client have access to the ca
certificate that issued host.crt?

> any help would be much appreciated,
> regards,
> -ian.
>
> PS I'm still at a loss to see what is stopping malicious users just copying
> the host cert elsewhere. Unless it can be made readable only by the Condor
> processes under Windows??

I believe that it can be. Condor processes usually run as 'system' so
if you configure your permissions so that only 'system' and
administrators can access 'c:\condor\ssl', the users shouldn't be able
to access those files, but the Condor daemons should be able to.
Cheers,
-Ian

> -------------------------------------------
> Dr. Ian C. Smith,
> e-Science Team,
> University of Liverpool
> Computing Services Department.
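
One way to apply and then check the permissions described in the reply above, as an added example that is not part of the original thread or of Condor. It assumes PowerShell 3.0 or later in an elevated session, and takes the directory from the CADIR line of the quoted log.

```powershell
# Added example. $Path is the CADIR from the quoted log; change it for your install.
$Path = 'c:\condor\ssl'

# Well-known SIDs, so localized account names do not matter.
$sidType = [System.Security.Principal.SecurityIdentifier]
$system  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'      # LocalSystem
$admins  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # BUILTIN\Administrators
$allowed = @($system.Value, $admins.Value)

$acl = Get-Acl -LiteralPath $Path
# Stop inheriting from the parent directory and drop the inherited entries.
$acl.SetAccessRuleProtection($true, $false)
# Remove every explicit entry that is already there.
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
# Grant full control to SYSTEM and Administrators only, inherited by files and subfolders.
foreach ($sid in $system, $admins) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $Path -AclObject $acl

# Verify the directory and everything in it. Files such as host.key can carry
# explicit entries of their own, and an owner can always rewrite the ACL, so
# both the access entries and the owner are checked.
$items = @(Get-Item -LiteralPath $Path -Force) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
$findings = foreach ($item in $items) {
    $sd = Get-Acl -LiteralPath $item.FullName
    $owner = $sd.GetOwner($sidType).Value
    if ($allowed -notcontains $owner) {
        [pscustomobject]@{ Path = $item.FullName; Sid = $owner; Issue = 'owner' }
    }
    foreach ($ace in $sd.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $allowed -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{ Path  = $item.FullName
                               Sid   = $ace.IdentityReference.Value
                               Issue = "allow $($ace.FileSystemRights)" }
        }
    }
}
if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
    throw "Access to $Path is not limited to SYSTEM and Administrators"
}
"OK: only SYSTEM and Administrators hold access to $Path"
```

This only protects the key if the Condor daemons run as 'system', as the reply says they usually do; a daemon running under another account would lose access to its own credentials.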