To do it as a proper feature would involve extra api at the client
library and gssapi layers that I don't think is worth the trouble.
However, it would be really simple to hack something in yourself that
would dump out the last server cert that the client connected to, when
the subject doesn't match.
This snippet placed at gsi/gssapi/source/library/init_sec_context.c:308
(just after the subject mismatch error gets printed) will do just that:
    {
        /* Debug hack: dump the peer certificate to a fixed path right after
         * the subject-mismatch error. fopen() and the Globus call are checked
         * so a failure here cannot crash the client, and the X509 copy that
         * globus_gsi_cred_get_cert() hands back is freed. */
        X509 * xxcert = NULL;
        FILE * xxfile = fopen("/tmp/last_cert", "w");
        if (xxfile != NULL &&
            globus_gsi_cred_get_cert(
                context->peer_cred_handle->cred_handle, &xxcert) == GLOBUS_SUCCESS)
        {
            PEM_write_X509(xxfile, xxcert);
            X509_free(xxcert);
        }
        if (xxfile != NULL)
            fclose(xxfile);
    }
Then the cert can be prodded with grid-cert-info or any other x509 tools
you like. You could do something like set the filename in an env var
and only dump the cert if the env is set.
Mike
On 12/5/2011 4:56 PM, [email protected] wrote:
Looks like there is no way to see other cert attributes such as expiration
date, right?
Since that sort of information has to be available to the ssl client, could we
put in a feature request for globus-url-copy to have an option to display all
the ssl x.509 information it can?
JP
Sent via BlackBerry from T-Mobile
-----Original Message-----
From: Eric Blau<[email protected]>
Date: Mon, 5 Dec 2011 15:01:19
To: JP Navarro<[email protected]>
Cc: Lukasz Lacinski<[email protected]>; Stu Martin<[email protected]>;<[email protected]>; Mike Link<[email protected]>
Subject: Re: Is there a way to retrieve a GridFTP's x.509 certificate information
I just chatted with Mike Link, and, while he didn't have an immediate full solution, he did mention a couple of ways to get some information.
If a host does not have certificates in place for its gridftp server, it will give an error if you connect (with telnet or netcat) and issue "auth gssapi". If it does have a certificate, it will give a "334" response:
[eblau@forge ~]$ telnet grid-forge.ncsa.xsede.org 2812
Trying 141.142.164.101...
Connected to forge.ncsa.illinois.edu (141.142.164.101).
Escape character is '^]'.
220 GridFTP Server 2.8 (gcc64, 1217607445-63) [Globus Toolkit 5.0.4] - Running in Non-Striped Mode. ready.
auth gssapi
334 Using authentication type; ADAT must follow.
I think that this method would issue an error if the certificate was invalid (expired).
Also, you can get globus-url-copy to divulge the subject name of the gridftp server certificate by specifying a subject with -s that you know is incorrect, and watching the error message:
[eblau@forge ~]$ globus-url-copy -v -s "/DC=org/DC=doegrids/OU=People/CN=Eric Blau 216112/CN=1981729001" gsiftp://grid-forge.ncsa.xsede.org:2812/etc/group ./foobar
Source: gsiftp://grid-forge.ncsa.xsede.org:2812/etc/
Dest: file:///uf/ncsa/eblau/./
group -> foobar
error: globus_ftp_control: gss_init_sec_context failed
GSS Major Status: Unexpected Gatekeeper or Service Name
globus_gsi_gssapi: Authorization denied: The name of the remote entity (/C=US/O=National Center for Supercomputing Applications/OU=Services/CN=forge.ncsa.illinois.edu), and the expected name for the remote entity (/DC=org/DC=doegrids/OU=People/CN=Eric Blau 216112/CN=1981729001) do not match
Not sure if this solves the problem, but thought I'd pass the information along.
Eric
----- Original Message -----
XSEDE would like its monitoring system (Inca) to access information
about a GridFTP server's X.509 certificate.
Is there a way to interact with a GridFTP server and retrieve server
certificate information?
Thanks,
JP
Begin forwarded message:
From: "Smallen, Shava"<[email protected]>
Subject: FW: Inca XSEDE Notification: gridftp-nonstriped-auth-dms-4.2.0 on tacc-ranger FAIL
Date: December 5, 2011 11:55:38 AM CST
To: David Carver<[email protected]>
Cc: JP Navarro<[email protected]>
Hey David,
I'm not sure if there is a way to read the gridftp credentials remotely as you can with GRAM so we can warn ahead of time. We have some tests that execute:
openssl s_client -connect host:port
But I get a protocol error when I try to do that against gridftp servers.
JP, do you know?
Thanks,
Shava
On 12/5/11 9:48 AM, "Inca Inca"<[email protected]> wrote:
The following Inca test has FAILED:
RAN AT: 2011-12-05T09:48:07.000-0800
RAN ON: login3.ranger.tacc.utexas.edu
TEST: data.transfer.gridftp.unit.auth-dns
INPUT PARAMETERS: -dest=gridftp.ranger.tacc.teragrid.org:2811 -help=no -log=0 -timeout=60 -verbose=1 -version=no
ERROR MESSAGE: globus-url-copy -len 1280 file:///dev/zero gsiftp://129.114.50.166:2811//dev/null failed:
error: globus_ftp_client: the server responded with an error
530 530-globus_xio: Server side credential failure
530-globus_gsi_gssapi: Error with GSI credential
530-globus_gsi_gssapi: Error with gss credential handle
530-globus_credential: Error with credential: The host credential: /etc/grid-security/hostcert.pem
530- with subject: /C=US/O=UTAustin/OU=TACC/CN=gridftp2.ranger.tacc.utexas.edu
530- has expired xx minutes ago.
530-
530 End.
gridftp.ranger.tacc.teragrid.org mapped to the following ips:
129.114.50.166
details at http://inca.xsede.org/inca/jsp/instance.jsp?xsl=instance.xsl&nickname=gridftp-nonstriped-auth-dms-4.2.0&resource=tacc-ranger&collected=2011-12-05T09:48:07.000-08:00
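A small monitoring probe, added here as an example (it is not from the thread or from the Globus project), that automates the telnet check Eric describes and parses the kind of multi-line 530 reply shown in the Inca report: it connects to the GridFTP control port, reads the 220 banner, sends AUTH GSSAPI and classifies the reply. The function names are my own, the host and port in the usage line are placeholders, and the offline test replies are copied from the thread's own output (Eric's telnet session and the Inca failure) rather than captured live.

```python
import re
import socket
from typing import Iterable, Iterator, List, Tuple

# Constructed offline input, copied from the thread's own output: the 220/334
# exchange from the telnet session and the 530 reply from the Inca report.
SAMPLE_OK = [
    "220 GridFTP Server 2.8 (gcc64, 1217607445-63) [Globus Toolkit 5.0.4]"
    " - Running in Non-Striped Mode. ready.",
    "334 Using authentication type; ADAT must follow.",
]
SAMPLE_EXPIRED = [
    "530-globus_xio: Server side credential failure",
    "530-globus_gsi_gssapi: Error with GSI credential",
    "530-globus_gsi_gssapi: Error with gss credential handle",
    "530-globus_credential: Error with credential: The host credential:"
    " /etc/grid-security/hostcert.pem",
    "530- with subject: /C=US/O=UTAustin/OU=TACC/CN=gridftp2.ranger.tacc.utexas.edu",
    "530- has expired xx minutes ago.",
    "530-",
    "530 End.",
]

# "NNN text" is a complete reply or the last line of one; "NNN-text" opens
# or continues a multi-line reply (RFC 959 reply format).
REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def read_reply(lines: Iterator[str]) -> Tuple[int, List[str]]:
    """Assemble one FTP reply; returns (code, text lines).

    A multi-line reply runs from the opening 'NNN-' line to the closing
    'NNN ' line. Lines in between may omit the code, so they are kept as-is.
    """
    first = next(lines)
    m = REPLY_RE.match(first)
    if not m:
        raise ValueError(f"not an FTP reply line: {first!r}")
    code, sep, text = int(m.group(1)), m.group(2), m.group(3)
    body = [text]
    if sep == "-":
        for line in lines:
            m = REPLY_RE.match(line)
            if m and int(m.group(1)) == code:
                body.append(m.group(3))
                if m.group(2) == " ":
                    break          # closing line of the multi-line reply
            else:
                body.append(line)  # bare continuation line without a code
    return code, body


def credential_expired(body: Iterable[str]) -> bool:
    """True when the server's own explanation mentions an expired credential."""
    return any("expired" in line for line in body)


def classify_auth_reply(code: int, body: List[str]) -> str:
    """Turn the reply to AUTH GSSAPI into a monitoring verdict."""
    if code == 334:
        return "OK: AUTH GSSAPI accepted; server loaded a host credential"
    if code == 530:
        detail = "; ".join(t.strip() for t in body if t.strip())
        kind = "expired host credential" if credential_expired(body) else "credential failure"
        return f"FAIL: {kind}: {detail}"
    return f"UNKNOWN: unexpected reply {code}: {body[0]}"


def classify_reply_lines(lines: List[str]) -> str:
    """Offline helper: classify a reply that was already captured."""
    code, body = read_reply(iter(lines))
    return classify_auth_reply(code, body)


def probe_gridftp(host: str, port: int = 2811, timeout: float = 10.0) -> str:
    """Live probe: read the 220 banner, send AUTH GSSAPI, classify the reply.

    The control channel is plain FTP until AUTH succeeds (GridFTP uses the
    RFC 2228 security extensions, not TLS on the socket), which is why
    'openssl s_client' against this port reports a protocol error.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            f = sock.makefile("rw", encoding="latin-1", newline="")
            lines = (line.rstrip("\r\n") for line in f)
            code, banner = read_reply(lines)
            if code != 220:
                return f"UNKNOWN: banner was {code}: {banner[0]}"
            f.write("AUTH GSSAPI\r\n")
            f.flush()
            code, body = read_reply(lines)
            return classify_auth_reply(code, body)
    except (OSError, StopIteration, ValueError) as exc:
        return f"FAIL: could not complete AUTH GSSAPI probe of {host}:{port}: {exc}"


if __name__ == "__main__":
    # Placeholder host; substitute the GridFTP server you monitor.
    print(probe_gridftp("gridftp.example.org", 2811))
```

A 334 only shows that the server accepted AUTH GSSAPI, i.e. it could load a host credential; it does not reveal the certificate's notAfter date, so a check like this can flag the expired case seen in the Inca report but cannot warn ahead of time. For the date itself you still need the certificate bytes, for example via the dump hack at the top of the thread followed by grid-cert-info or openssl x509 -noout -enddate.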