openssl s_client doesn't work with a GridFTP server, as it doesn't understand the control channel protocol.

Eric

----- Original Message -----
> You can use openssl with the s_connect option to probe the (remote)
> credential.
>
> Example:
>
> $ openssl s_client -connect cmsosgce3.fnal.gov:2119 -showcerts
> -CApath /etc/grid-security/certificates -cert /tmp/x509up_u$UID
> CONNECTED(00000003)
> depth=2 /DC=net/DC=ES/O=ESnet/OU=Certificate Authorities/CN=ESnet Root
> CA 1
> verify return:1
> depth=1 /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA
> 1
> verify return:1
> depth=0 /DC=org/DC=doegrids/OU=Services/CN=cmsosgce3.fnal.gov
> verify return:1
> 9901:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
> ca:s3_pkt.c:1086:SSL alert number 48
> 9901:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:188:
>
> -Keith.
>
> At 12:17 PM -0600 12/5/11, JP Navarro wrote:
> >XSEDE would like its monitoring system (Inca) to access information
> >about a GridFTP server's X.509 certificate.
> >
> >Is there a way to interact with a GridFTP server and retrieve server
> >certificate information?
> >
> >Thanks,
> >
> >JP
> >
> >Begin forwarded message:
> >
> >> From: "Smallen, Shava" <[email protected]>
> >> Subject: FW: Inca XSEDE Notification:
> >>gridftp-nonstriped-auth-dms-4.2.0 on tacc-ranger FAIL
> >> Date: December 5, 2011 11:55:38 AM CST
> >> To: David Carver <[email protected]>
> >> Cc: JP Navarro <[email protected]>
> >>
> >> Hey David,
> >>
> >> I'm not sure if there is a way to read the gridftp credentials
> >> remotely as
> >> you can with GRAM so we can warn ahead of time. We have some tests
> >> that
> >> execute:
> >>
> >> openssl s_client -connect host:port
> >>
> >> But I get a protocol error when I try to do that against gridftp
> >> servers.
> >> JP, do you know?
> >>
> >> Thanks,
> >> Shava
> >>
> >> On 12/5/11 9:48 AM, "Inca Inca" <[email protected]> wrote:
> >>
> >>> The following Inca test has FAILED:
> >>>
> >>> RAN AT: 2011-12-05T09:48:07.000-0800
> >>>
> >>> RAN ON: login3.ranger.tacc.utexas.edu
> >>>
> >>> TEST: data.transfer.gridftp.unit.auth-dns
> >>>
> >>> INPUT PARAMETERS: -dest=gridftp.ranger.tacc.teragrid.org:2811
> >>> -help=no
> >>> -log=0 -timeout=60 -verbose=1 -version=no
> >>>
> >>> ERROR MESSAGE: globus-url-copy -len 1280 file:///dev/zero
> >>> gsiftp://129.114.50.166:2811//dev/null failed:
> >>> error: globus_ftp_client: the server responded with an error
> >>> 530 530-globus_xio: Server side credential failure
> >>> 530-globus_gsi_gssapi: Error with GSI credential
> >>> 530-globus_gsi_gssapi: Error with gss credential handle
> >>> 530-globus_credential: Error with credential: The host
> >>> credential:
> >>> /etc/grid-security/hostcert.pem
> >>> 530- with subject:
> >>> /C=US/O=UTAustin/OU=TACC/CN=gridftp2.ranger.tacc.utexas.edu
> >>> 530- has expired xx minutes ago.
> >>> 530-
> >>> 530 End.
> >>>
> >>>
> >>>
> >>> gridftp.ranger.tacc.teragrid.org mapped to the following ips:
> >>> 129.114.50.166
> >>>
> >>>
> >>>
> >>> details at
> >>>
> >>> http://inca.xsede.org/inca/jsp/instance.jsp?xsl=instance.xsl&nickname=grid
> >>>
> >>> ftp-nonstriped-auth-dms-4.2.0&resource=tacc-ranger&collected=2011-12-05T09
> >>> :48:07.000-08:00
> >>>
> >>
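
In the failure report quoted at the bottom of this thread, the expired host certificate is visible only inside the multi-line 530 reply, so a monitor that cannot probe the certificate directly can still separate this failure from other transfer errors. The following is an added example, not code from the thread or from Inca: it parses a constructed copy of that globus-url-copy error (the report's "xx minutes" is replaced by a constructed value), and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the Inca report quoted in the thread; one line
# is left wrapped, as in the mailed copy, to exercise continuation handling.
SAMPLE = """\
error: globus_ftp_client: the server responded with an error
530 530-globus_xio: Server side credential failure
530-globus_gsi_gssapi: Error with GSI credential
530-globus_gsi_gssapi: Error with gss credential handle
530-globus_credential: Error with credential: The host credential:
/etc/grid-security/hostcert.pem
530- with subject: /C=US/O=UTAustin/OU=TACC/CN=gridftp2.ranger.tacc.utexas.edu
530- has expired 42 minutes ago.
530-
530 End.
"""

# FTP multi-line reply: "<code>-text" continues, "<code> text" ends the reply.
# globus-url-copy repeats the code once in front of the first reply line.
REPLY = re.compile(r"^(?:\d{3} )?(\d{3})([- ])(.*)$")

def reply_text(output):
    """Return (code, text) of the first FTP reply found in the tool output."""
    code, parts = None, []
    for line in output.splitlines():
        m = REPLY.match(line)
        if m and code in (None, m.group(1)):
            code = m.group(1)
            parts.append(m.group(3).strip())
            if m.group(2) == " ":          # e.g. "530 End." closes the reply
                break
        elif code is not None:             # wrapped line without a reply prefix
            parts.append(line.strip())
    return code, " ".join(p for p in parts if p)

def classify(output):
    """Extract the fields a monitor needs from a GSI credential failure."""
    code, text = reply_text(output)
    cred = re.search(r"host credential: (\S+)", text)
    subj = re.search(r"with subject: (.+?)(?= has expired| End\.|$)", text)
    exp = re.search(r"has expired (\d+) (\w+) ago", text)
    return {
        "code": code,
        "server_side": "Server side credential failure" in text,
        "credential": cred.group(1) if cred else None,
        "subject": subj.group(1) if subj else None,
        "expired_for": f"{exp.group(1)} {exp.group(2)}" if exp else None,
    }

if __name__ == "__main__":
    print(classify(SAMPLE))
```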
