You can use openssl with the s_connect option to probe the (remote) credential.
Example:
$ openssl s_client -connect cmsosgce3.fnal.gov:2119 -showcerts -CApath /etc/grid-security/certificates -cert /tmp/x509up_u$UID
CONNECTED(00000003)
depth=2 /DC=net/DC=ES/O=ESnet/OU=Certificate Authorities/CN=ESnet Root CA 1
verify return:1
depth=1 /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
verify return:1
depth=0 /DC=org/DC=doegrids/OU=Services/CN=cmsosgce3.fnal.gov
verify return:1
9901:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1086:SSL alert number 48
9901:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
-Keith.
At 12:17 PM -0600 12/5/11, JP Navarro wrote:
XSEDE would like its monitoring system (Inca) to access information
about a GridFTP server's X.509 certificate.
Is there a way to interact with a GridFTP server and retrieve server
certificate information?
Thanks,
JP
Begin forwarded message:
From: "Smallen, Shava" <[email protected]>
Subject: FW: Inca XSEDE Notification: gridftp-nonstriped-auth-dms-4.2.0 on tacc-ranger FAIL
Date: December 5, 2011 11:55:38 AM CST
To: David Carver <[email protected]>
Cc: JP Navarro <[email protected]>
Hey David,
I'm not sure if there is a way to read the gridftp credentials remotely as
you can with GRAM so we can warn ahead of time. We have some tests that
execute:
openssl s_client -connect host:port
But I get a protocol error when I try to do that against gridftp servers.
JP, do you know?
Thanks,
Shava
On 12/5/11 9:48 AM, "Inca Inca" <[email protected]> wrote:
The following Inca test has FAILED:
RAN AT: 2011-12-05T09:48:07.000-0800
RAN ON: login3.ranger.tacc.utexas.edu
TEST: data.transfer.gridftp.unit.auth-dns
INPUT PARAMETERS: -dest=gridftp.ranger.tacc.teragrid.org:2811 -help=no -log=0 -timeout=60 -verbose=1 -version=no
ERROR MESSAGE: globus-url-copy -len 1280 file:///dev/zero gsiftp://129.114.50.166:2811//dev/null failed:
error: globus_ftp_client: the server responded with an error
530 530-globus_xio: Server side credential failure
530-globus_gsi_gssapi: Error with GSI credential
530-globus_gsi_gssapi: Error with gss credential handle
530-globus_credential: Error with credential: The host credential: /etc/grid-security/hostcert.pem
530- with subject: /C=US/O=UTAustin/OU=TACC/CN=gridftp2.ranger.tacc.utexas.edu
530- has expired xx minutes ago.
530-
530 End.
gridftp.ranger.tacc.teragrid.org mapped to the following ips:
129.114.50.166
details at
http://inca.xsede.org/inca/jsp/instance.jsp?xsl=instance.xsl&nickname=gridftp-nonstriped-auth-dms-4.2.0&resource=tacc-ranger&collected=2011-12-05T09:48:07.000-08:00
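
Added example, not part of the original thread: a shell helper that reads `openssl s_client -showcerts` output, as in the command at the top of the thread, and reports whether the first certificate in it is expired or inside a warning window, so a monitor can warn ahead of time. The function names, the 30-day threshold used in the usage comment, and the `gridftp.example.org` sample certificate are assumptions for illustration; the sample is generated locally so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl command-line tool.

# leaf_cert: print the first PEM certificate found on stdin. s_client
# -showcerts prints the server's own certificate before the issuing CAs.
leaf_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ {p=1}
         p {print}
         /-----END CERTIFICATE-----/ && p {exit}'
}

# cert_status WARN_DAYS: read s_client output on stdin and print
#   NOCERT, or EXPIRED|WARN|OK followed by the certificate's notAfter date.
cert_status() {
    warn_days=$1
    pem=$(leaf_cert)
    # No PEM block at all, e.g. the connection failed before any certificate.
    if [ -z "$pem" ]; then echo "NOCERT"; return 0; fi
    end=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate 2>/dev/null) \
        || { echo "NOCERT"; return 0; }
    end=${end#notAfter=}
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
        echo "EXPIRED $end"
    elif ! printf '%s\n' "$pem" |
            openssl x509 -noout -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
        echo "WARN $end"
    else
        echo "OK $end"
    fi
}

# make_sample DAYS: constructed input. Wraps a throwaway self-signed
# certificate (hypothetical host name) in s_client-like text.
make_sample() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=gridftp.example.org" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    echo "CONNECTED(00000003)"
    echo "Certificate chain"
    cat "$dir/cert.pem"
    rm -rf "$dir"
}

# Usage against a live service (host and port are placeholders):
#   openssl s_client -connect HOST:PORT -showcerts </dev/null 2>/dev/null | cert_status 30
```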