Re: [Condor-users] SSL authentication problem
- Date: Thu, 5 Jun 2008 10:05:39 +0100
- From: "Smith, Ian" <I.C.Smith@xxxxxxxxxxxxxxx>
- Subject: Re: [Condor-users] SSL authentication problem
> -----Original Message-----
> From: condor-users-bounces@xxxxxxxxxxx [mailto:condor-users-
> bounces@xxxxxxxxxxx] On Behalf Of Ian Alderman
> Sent: 04 June 2008 18:20
> To: Condor-Users Mail List
> Subject: Re: [Condor-users] SSL authentication problem
>
> On Jun 2, 2008, at 6:00 AM, Smith, Ian wrote:
>
> > Hi,
> >
> > After seeing the SSL tutorial on the Condor Week pages I thought I'd
> > give it another go. Things are fine under unix (solaris 9) but it
> > seems to fail completely under Windows XP. The Master log reports
> > this:
> >
> > 6/2 11:41:52 SECMAN: new session, doing initial authentication.
> > 6/2 11:41:52 HANDSHAKE: in handshake(my_methods = 'SSL')
> > 6/2 11:41:52 HANDSHAKE: handshake() - i am the server
> > 6/2 11:41:52 HANDSHAKE: client sent (methods == 256)
> > 6/2 11:41:52 HANDSHAKE: i picked (method == 256)
> > 6/2 11:41:52 HANDSHAKE: client received (method == 256)
> > 6/2 11:41:52 CADIR: 'c:\condor\ssl'
> > 6/2 11:41:52 CERTFILE: 'c:\condor\ssl\host.crt'
> > 6/2 11:41:52 KEYFILE: 'c:\condor\ssl\host.key'
> > 6/2 11:41:52 CIPHERLIST: 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'
> > 6/2 11:41:52 Trying to accept.
> > 6/2 11:41:52 Accept returned -1.
> > 6/2 11:41:52 SSL: trying to continue reading.
> > 6/2 11:41:52 Round 1.
> > 6/2 11:41:52 Receive message.
> > 6/2 11:41:52 Received message (2).
> > 6/2 11:41:52 Status (c: 2, s: 2)
> > 6/2 11:41:52 Trying to accept.
> > 6/2 11:41:52 Accept returned -1.
> > 6/2 11:41:52 SSL: trying to continue reading.
> > 6/2 11:41:52 Round 2.
> > 6/2 11:41:52 Send message (2).
> > 6/2 11:41:52 Status (c: 2, s: 2)
> > 6/2 11:41:52 Trying to accept.
> > 6/2 11:41:52 Accept returned -1.
> > 6/2 11:41:52 SSL: trying to continue reading.
> > 6/2 11:41:52 Round 3.
> > 6/2 11:41:52 Receive message.
> > 6/2 11:41:52 Received message (3).
> > 6/2 11:41:52 Status (c: 3, s: 2)
> > 6/2 11:41:52 SSL Authentication failed
> >
> > Any idea what is wrong? I've got the DEBUG cranked up to full but
> > is there any way of getting more info about the problem that might be
> > meaningful to the openssl people? I'm using the latest openssl binary
> > distro and Condor 7.0.1. I'm sure that I've had the authentication
> > working in the past but got bogged down in the authorization details.
>
> It looks to me like the client is rejecting the credentials of the
> server. What is the master communicating with here? What does the
> log look like on the client side? The client side logs should show
> more detail about why the credentials are being rejected.
>
> Is the server credential valid? Does the client have access to the ca
> certificate that issued host.crt?
>
I eventually found out where the problem was by a rather roundabout route. I went
back to v. 6.8.4 and found some extra debug messages in the log files
which indicated that the CA file couldn't be located. Then I noticed a
typo in my config file (CA_FILE instead of CAFILE). When I fixed that
*AND* took out the CADIR macros then it worked fine.
Interesting to know why the extra debug disappeared in 7.0.1 though.
thanks,
-ian.
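
The failure in this thread came from a misspelled knob name that Condor silently ignored. The following is an added example, not part of the original message or of Condor itself: a small linter that flags unrecognised `AUTH_SSL_*` settings and suggests the nearest known name. The full knob names are taken from the HTCondor manual rather than from the thread, the `ca.crt` path is constructed, and the CADIR check is a heuristic based only on the poster's report.

```python
import difflib
import re

# SSL authentication knobs as named in the HTCondor manual (assumed set; extend
# for your version). The thread's log shows the CADIR/CERTFILE/KEYFILE suffixes.
KNOWN = {f"AUTH_SSL_{side}_{item}"
         for side in ("SERVER", "CLIENT")
         for item in ("CAFILE", "CADIR", "CERTFILE", "KEYFILE")}

ASSIGN = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*(.*?)\s*$")


def lint_ssl_knobs(config_text):
    """Return (line_no, message) findings for AUTH_SSL_* settings."""
    findings, seen = [], {}
    for no, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = ASSIGN.match(line)
        if not m:
            continue
        name = m.group(1).upper()  # macro names are case-insensitive
        if not name.startswith("AUTH_SSL_"):
            continue
        if name not in KNOWN:
            guess = difflib.get_close_matches(name, KNOWN, n=1, cutoff=0.8)
            hint = f"; did you mean {guess[0]}?" if guess else ""
            findings.append((no, f"unknown knob {name}{hint}"))
            continue
        seen[name] = no
    # Heuristic from the thread: the broken config had CADIR but no effective CAFILE.
    for side in ("SERVER", "CLIENT"):
        cadir, cafile = f"AUTH_SSL_{side}_CADIR", f"AUTH_SSL_{side}_CAFILE"
        if cadir in seen and cafile not in seen:
            findings.append((seen[cadir], f"{cadir} set but {cafile} missing"))
    return findings


# Constructed sample reproducing the typo from the thread (paths from its log).
SAMPLE = r"""
AUTH_SSL_SERVER_CA_FILE = c:\condor\ssl\ca.crt
AUTH_SSL_SERVER_CADIR = c:\condor\ssl
AUTH_SSL_SERVER_CERTFILE = c:\condor\ssl\host.crt
AUTH_SSL_SERVER_KEYFILE = c:\condor\ssl\host.key
"""

if __name__ == "__main__":
    for no, msg in lint_ssl_knobs(SAMPLE):
        print(f"line {no}: {msg}")
```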