OpenSSL comes with a default "maximum depth" for the PKI chain it supports. That includes the CA and RA (if applicable). I suspect you might be hitting GT4.0.x's depth limit of 9. If you're using CA + RA + user cert + 5 proxies, you might not be allowed to submit with delegation anymore, because the delegation would take you to the depth limit.

It's a compiled-in limit that you can change. I believe we had a bug open about the max depth ... yep, it's http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=4994 . It should be fixed in 4.2 to be 100 instead. You can probably take that patch back to 4.0.x if you need the limit increased there too.


Charles

On Jul 31, 2008, at 9:52 AM, Neha Sharma wrote:

Hi All

I am wondering if someone can provide me with some information about the Globus function "globus_gss_assist_init_sec_context".

We have an authorization service, and this Globus function is used for performing the handshake between the service and the client.

We observed that as long as the proxy is delegated up to 4 times, so that the DN is of the form:

subject : /DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Neha Sharma/CN=UID:neha

or
subject : /DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Neha Sharma/CN=UID:neha/CN=proxy

or
subject : /DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Neha Sharma/CN=UID:neha/CN=proxy/CN=proxy

or
subject : /DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Neha Sharma/CN=UID:neha/CN=proxy/CN=proxy/CN=proxy

or
subject : /DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Neha Sharma/CN=UID:neha/CN=proxy/CN=proxy/CN=proxy/CN=proxy

everything works fine.

However, if it is delegated a 5th time or more, so that the DN in the proxy now has an extra "CN=proxy", the client hangs on the handshake.

(The DN looks like:
subject : /DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Neha Sharma/CN=UID:neha/CN=proxy/CN=proxy/CN=proxy/CN=proxy/CN=proxy)

The complete handshake function that is being used is below.

As you can see, all it does is invoke the Globus function "globus_gss_assist_init_sec_context".

So, I am wondering if there is some kind of limitation in this Globus function, such as a maximum length of the user proxy or DN.

#include <stdio.h>
#include <globus_gss_assist.h>

/* Globals and return codes (GSS_SUCCESS, GSS_FAILED_HANDSHAKE) are the service's own,
 * defined elsewhere; types follow the globus_gss_assist_init_sec_context() signature. */
extern OM_uint32 major_status, minor_status;
extern gss_ctx_id_t global_context_handle;
extern int token_status;
extern FILE *socket_in_out_file;   /* stream handed to the *_token_*_fd helpers */

int handshake(gss_cred_id_t credential_handle)
{
    OM_uint32 ret_flags = 0;

    /* Initiator side of the handshake; "GSI-NO-TARGET" disables the target name check. */
    major_status = globus_gss_assist_init_sec_context(
        &minor_status, credential_handle, &global_context_handle, "GSI-NO-TARGET",
        /* GSS_C_DELEG_FLAG | GSS_C_MUTUAL_FLAG, */
        GSS_C_MUTUAL_FLAG,
        &ret_flags, &token_status,
        globus_gss_assist_token_get_fd, (void *) socket_in_out_file,
        globus_gss_assist_token_send_fd, (void *) socket_in_out_file);

    if (major_status != GSS_S_COMPLETE) {
        logerr("Handshake Failed... major_status != GSS_S_COMPLETE");
        return GSS_FAILED_HANDSHAKE;
    }

    return GSS_SUCCESS;
}

Thanks
-Neha
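The depth limit Charles points at is an OpenSSL chain-verification parameter, and the openssl command line can show how it counts a delegation chain. The script below is an added example, not code from this thread or from the Globus Toolkit: it builds a constructed CA -> user certificate -> five RFC 3820 proxy certificates chain (the subjects, file names and proxy count are made up for the demo), then runs `openssl verify -allow_proxy_certs -verify_depth N` for several N and reports the smallest depth that still accepts the leaf. It needs only a POSIX shell and an openssl binary from the 1.1.0 series or later.

```shell
#!/bin/sh
# Added example (not from the thread or the Globus Toolkit): build a constructed
# CA -> user cert -> N proxy cert chain with the openssl CLI and probe the
# smallest -verify_depth that still accepts the leaf. Requires openssl >= 1.1.0.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LEAF=""   # path of the last proxy, set by build_chain

# Minimal req config so the script does not depend on the system openssl.cnf.
cat >"$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
EOF

# Extension profiles: root CA, ordinary end-entity cert, RFC 3820 proxy cert.
# A proxy's issuer must carry digitalSignature; OpenSSL does not require it to be a CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' >"$WORK/ee.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nproxyCertInfo=critical,language:id-ppl-inheritAll\n' >"$WORK/proxy.ext"

# issue NAME SUBJECT EXTFILE ISSUER SERIAL: key + cert in $WORK/NAME.{key,pem};
# ISSUER is another NAME, or "self" for the self-signed root.
issue() {
    i_name=$1; i_subj=$2; i_ext=$3; i_issuer=$4; i_serial=$5
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" -subj "$i_subj" \
        -keyout "$WORK/$i_name.key" -out "$WORK/$i_name.csr" 2>/dev/null
    if [ "$i_issuer" = self ]; then
        openssl x509 -req -in "$WORK/$i_name.csr" -signkey "$WORK/$i_name.key" \
            -extfile "$WORK/$i_ext" -days 1 -set_serial "$i_serial" -out "$WORK/$i_name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$i_name.csr" -CA "$WORK/$i_issuer.pem" -CAkey "$WORK/$i_issuer.key" \
            -extfile "$WORK/$i_ext" -days 1 -set_serial "$i_serial" -out "$WORK/$i_name.pem" 2>/dev/null
    fi
}

# build_chain N: CA, user cert, then N proxies each delegated from the previous one.
# Every proxy subject is its issuer's subject plus one CN, as legacy GSI proxies do.
build_chain() {
    n=$1
    issue ca   "/DC=test/O=Example CA"       ca.ext self 1
    issue user "/DC=test/O=Example/CN=Alice" ee.ext ca   2
    cat "$WORK/user.pem" >"$WORK/untrusted.pem"   # intermediates handed to the verifier
    prev=user; subj="/DC=test/O=Example/CN=Alice"; k=1
    while [ "$k" -le "$n" ]; do
        subj="$subj/CN=proxy"
        issue "proxy$k" "$subj" proxy.ext "$prev" $((k + 2))
        if [ "$k" -lt "$n" ]; then cat "$WORK/proxy$k.pem" >>"$WORK/untrusted.pem"; fi
        prev="proxy$k"; k=$((k + 1))
    done
    LEAF="$WORK/proxy$n.pem"
}

# verify_depth D: prints OK, "chain too long", or the verifier's other error text.
verify_depth() {
    out=$(openssl verify -CAfile "$WORK/ca.pem" -untrusted "$WORK/untrusted.pem" \
            -allow_proxy_certs -verify_depth "$1" "$LEAF" 2>&1) || true
    case $out in
        *": OK"*)           echo "OK" ;;
        *"chain too long"*) echo "chain too long" ;;
        *)                  echo "other error: $out" ;;
    esac
}

# min_verify_depth: smallest depth 0..10 that accepts the chain (99 if none does).
min_verify_depth() {
    d=0
    while [ "$d" -le 10 ]; do
        if [ "$(verify_depth "$d")" = OK ]; then echo "$d"; return 0; fi
        d=$((d + 1))
    done
    echo 99
}

build_chain 5
echo "chain: CA -> user -> 5 proxies, leaf $LEAF"
for d in 3 4 5 6 9; do
    echo "verify_depth $d: $(verify_depth "$d")"
done
echo "smallest accepting depth: $(min_verify_depth)"
```

Each delegation adds one certificate between the leaf and the trust anchor, and in OpenSSL 1.1.0 and later `-verify_depth` counts exactly those intermediates (the end-entity and the root are not charged), so five proxies on top of a user certificate need a depth of 5 here; one less and the verifier stops with "certificate chain too long". Software that sets its own, smaller depth on the verify context fails the same way as soon as delegation pushes the chain past it, which is the situation Charles describes. Two caveats for anyone reproducing this: proxy certificates are rejected outright unless `-allow_proxy_certs` (X509_V_FLAG_ALLOW_PROXY_CERTS) is set, and the `other error` branch is there so a proxy-specific rejection, for instance a subject that is not the issuer's subject plus one CN, is not mistaken for a depth problem.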

