From the GSSAPI level, this will get the cert from a partially established
context (after the first init_sec_context() with a token from the server):
#include <gssapi.h>          /* Globus's gssapi.h carries the buffer-set and *_by_oid extensions */
#include <openssl/x509.h>

static gss_OID_desc gss_ext_x509_cert_chain_oid_desc =
    {11, "\x2b\x06\x01\x04\x01\x9b\x50\x01\x01\x01\x08"};
gss_OID_desc * gss_ext_x509_cert_chain_oid =
    &gss_ext_x509_cert_chain_oid_desc;
gss_buffer_set_t buffers = NULL;
OM_uint32 major_status, minor_status;
const unsigned char * cert_der;
X509 * x509 = NULL;

major_status = gss_inquire_sec_context_by_oid(
    &minor_status,
    init_ctx,
    gss_ext_x509_cert_chain_oid,
    &buffers);
/* The chain is only there once the server's token has been processed, so
   check the status and that element 0 (the peer's own cert, DER) exists. */
if (!GSS_ERROR(major_status) && buffers != NULL && buffers->count > 0)
{
    cert_der = buffers->elements[0].value;
    x509 = d2i_X509(NULL, &cert_der, buffers->elements[0].length);
}
gss_release_buffer_set(&minor_status, &buffers);
I'm not sure about the ftp client part.
Joe
On Dec 6, 2011, at 1:05 AM, Michael Link wrote:
> To do it as a proper feature would involve extra api at the client library
> and gssapi layers that I don't think is worth the trouble. However, it would
> be really simple to hack something in yourself that would dump out the last
> server cert that the client connected to, when the subject doesn't match.
>
> This snippet placed at gsi/gssapi/source/library/init_sec_context.c:308 (just
> after the subject mismatch error gets printed) will do just that:
>
> {
> X509 * xxcert;
> FILE * xxfile;
>
> xxfile = fopen("/tmp/last_cert", "w");
> globus_gsi_cred_get_cert(
> context->peer_cred_handle->cred_handle, &xxcert);
> PEM_write_X509(xxfile, xxcert);
> fclose(xxfile);
> }
>
> Then the cert can be prodded with grid-cert-info or any other x509 tools you
> like. You could do something like set the filename in an env var and only
> dump the cert if the env is set.
>
> Mike
>
> On 12/5/2011 4:56 PM, [email protected] wrote:
>> Looks like there is no way to see other cert attributes such as expiration
>> date, right?
>>
>> Since that sort of information has to be available to the ssl client, could
>> we put in a feature request for globus-url-copy to have an option to display
>> all the ssl x.509 information it can?
>>
>> JP
>> Sent via BlackBerry from T-Mobile
>>
>> -----Original Message-----
>> From: Eric Blau<[email protected]>
>> Date: Mon, 5 Dec 2011 15:01:19
>> To: JP Navarro<[email protected]>
>> Cc: Lukasz Lacinski<[email protected]>; Stu
>> Martin<[email protected]>;<[email protected]>; Mike
>> Link<[email protected]>
>> Subject: Re: Is there a way to retrieve a GridFTP's x.509 certificate
>> information
>>
>> I just chatted with Mike Link, and, while he didn't have an immediate full
>> solution, he did mention a couple of ways to get some information.
>>
>> If a host does not have certificates in place for its gridftp server, it
>> will give an error if you connect (with telnet or netcat) and issue "auth
>> gssapi". If it does have a certificate, it will give a "334" response:
>>
>> [eblau@forge ~]$ telnet grid-forge.ncsa.xsede.org 2812
>> Trying 141.142.164.101...
>> Connected to forge.ncsa.illinois.edu (141.142.164.101).
>> Escape character is '^]'.
>> 220 GridFTP Server 2.8 (gcc64, 1217607445-63) [Globus Toolkit 5.0.4] - Running in Non-Striped Mode. ready.
>> auth gssapi
>> 334 Using authentication type; ADAT must follow.
>>
>> I think that this method would issue an error if the certificate was invalid
>> (expired).
>>
>>
>>
>> Also, you can get globus-url-copy to divulge the subject name of the gridftp
>> server certificate by specifying a subject with -s that you know is
>> incorrect, and watching the error message:
>>
>> [eblau@forge ~]$ globus-url-copy -v -s
>> "/DC=org/DC=doegrids/OU=People/CN=Eric Blau 216112/CN=1981729001"
>> gsiftp://grid-forge.ncsa.xsede.org:2812/etc/group ./foobar
>> Source: gsiftp://grid-forge.ncsa.xsede.org:2812/etc/
>> Dest: file:///uf/ncsa/eblau/./
>> group -> foobar
>>
>> error: globus_ftp_control: gss_init_sec_context failed
>> GSS Major Status: Unexpected Gatekeeper or Service Name
>> globus_gsi_gssapi: Authorization denied: The name of the remote entity
>> (/C=US/O=National Center for Supercomputing
>> Applications/OU=Services/CN=forge.ncsa.illinois.edu), and the expected name
>> for the remote entity (/DC=org/DC=doegrids/OU=People/CN=Eric Blau
>> 216112/CN=1981729001) do not match
>>
>>
>> Not sure if this solves the problem, but thought I'd pass the information
>> along.
>>
>> Eric
>>
>>
>> ----- Original Message -----
>>> XSEDE would like its monitoring system (Inca) to access information
>>> about a GridFTP server's X.509 certificate.
>>>
>>> Is there a way to interact with a GridFTP server and retrieve server
>>> certificate information?
>>>
>>> Thanks,
>>>
>>> JP
>>>
>>> Begin forwarded message:
>>>
>>>> From: "Smallen, Shava"<[email protected]>
>>>> Subject: FW: Inca XSEDE Notification:
>>>> gridftp-nonstriped-auth-dms-4.2.0 on tacc-ranger FAIL
>>>> Date: December 5, 2011 11:55:38 AM CST
>>>> To: David Carver<[email protected]>
>>>> Cc: JP Navarro<[email protected]>
>>>>
>>>> Hey David,
>>>>
>>>> I'm not sure if there is a way to read the gridftp credentials remotely as
>>>> you can with GRAM so we can warn ahead of time. We have some tests that
>>>> execute:
>>>>
>>>> openssl s_client -connect host:port
>>>>
>>>> But I get a protocol error when I try to do that against gridftp servers.
>>>> JP, do you know?
>>>>
>>>> Thanks,
>>>> Shava
>>>>
>>>> On 12/5/11 9:48 AM, "Inca Inca"<[email protected]> wrote:
>>>>
>>>>> The following Inca test has FAILED:
>>>>>
>>>>> RAN AT: 2011-12-05T09:48:07.000-0800
>>>>>
>>>>> RAN ON: login3.ranger.tacc.utexas.edu
>>>>>
>>>>> TEST: data.transfer.gridftp.unit.auth-dns
>>>>>
>>>>> INPUT PARAMETERS: -dest=gridftp.ranger.tacc.teragrid.org:2811
>>>>> -help=no
>>>>> -log=0 -timeout=60 -verbose=1 -version=no
>>>>>
>>>>> ERROR MESSAGE: globus-url-copy -len 1280 file:///dev/zero
>>>>> gsiftp://129.114.50.166:2811//dev/null failed:
>>>>> error: globus_ftp_client: the server responded with an error
>>>>> 530 530-globus_xio: Server side credential failure
>>>>> 530-globus_gsi_gssapi: Error with GSI credential
>>>>> 530-globus_gsi_gssapi: Error with gss credential handle
>>>>> 530-globus_credential: Error with credential: The host credential:
>>>>> /etc/grid-security/hostcert.pem
>>>>> 530- with subject:
>>>>> /C=US/O=UTAustin/OU=TACC/CN=gridftp2.ranger.tacc.utexas.edu
>>>>> 530- has expired xx minutes ago.
>>>>> 530-
>>>>> 530 End.
>>>>>
>>>>>
>>>>>
>>>>> gridftp.ranger.tacc.teragrid.org mapped to the following ips:
>>>>> 129.114.50.166
>>>>>
>>>>>
>>>>>
>>>>> details at
>>>>> http://inca.xsede.org/inca/jsp/instance.jsp?xsl=instance.xsl&nickname=gridftp-nonstriped-auth-dms-4.2.0&resource=tacc-ranger&collected=2011-12-05T09:48:07.000-08:00
>>>>>
>>>>
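Eric's telnet check (connect to the control port, read the 220 banner, send AUTH GSSAPI, look for 334) is the kind of thing a monitor such as Inca can script before a transfer is attempted. The following Python is an added example and not part of this thread, Globus or Inca; it parses RFC 959 replies, including the multi-line "530-" error from the Inca report, and classifies the reply to AUTH GSSAPI. The sample transcripts are constructed from the replies quoted above (the Inca one re-assembled as the server would have sent it, without the "530 " prefix globus-url-copy prepends); the verdict names, the `probe_gridftp` helper and the assumption that an expired host credential is reported already at AUTH rather than at ADAT are mine.

```python
"""GridFTP control-channel probe: read the banner, send AUTH GSSAPI and classify
the reply so a monitor can tell a usable server credential (334) from a
server-side credential failure (530) before any transfer is tried."""
import re
import socket
import sys
from dataclasses import dataclass
from typing import Iterator, List, Optional

# RFC 959 reply line: three-digit code, then ' ' (final line) or '-' (continued).
FTP_REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


@dataclass
class FtpReply:
    code: int
    lines: List[str]  # each line with its 'NNN ' / 'NNN-' prefix removed

    @property
    def text(self) -> str:
        return "\n".join(self.lines)


def read_reply(lines: Iterator[str]) -> Optional[FtpReply]:
    """Consume one reply from an iterator of raw lines. Returns None on a clean
    end of input; raises EOFError if input ends inside a multi-line reply."""
    first = next(lines, None)
    if first is None:
        return None
    m = FTP_REPLY_RE.match(first.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an FTP reply line: {first!r}")
    code, sep, body = int(m.group(1)), m.group(2), [m.group(3)]
    while sep == "-":
        nxt = next(lines, None)
        if nxt is None:
            raise EOFError(f"multi-line {code} reply cut off after {len(body)} line(s)")
        nxt = nxt.rstrip("\r\n")
        m = FTP_REPLY_RE.match(nxt)
        if m and int(m.group(1)) == code:
            body.append(m.group(3))
            sep = m.group(2)  # 'NNN ' terminates the reply
        else:
            body.append(nxt)  # continuation line without a code prefix
    return FtpReply(code, body)


def parse_ftp_replies(text: str) -> List[FtpReply]:
    """Split a captured control-channel transcript into replies."""
    lines = iter(text.splitlines())
    replies = []
    while (reply := read_reply(lines)) is not None:
        replies.append(reply)
    return replies


def classify_auth_gssapi(reply: FtpReply) -> str:
    """Verdict for the reply to AUTH GSSAPI. 334: the server accepted the
    mechanism and waits for ADAT, so it has a credential it is willing to use.
    530: the server-side credential failure from the Inca report (assumed here
    to be reported at AUTH; the thread only says it 'would' be)."""
    if reply.code == 334:
        return "ok"
    if reply.code == 530:
        return "expired-credential" if "has expired" in reply.text else "credential-failure"
    if reply.code in (500, 502, 504):
        return "gssapi-not-supported"
    return f"unexpected-{reply.code}"


def extract_subject(reply: FtpReply) -> Optional[str]:
    """Certificate subject named in the server's error text, if any."""
    m = re.search(r"with subject:\s*(\S+)", reply.text)
    return m.group(1) if m else None


def check_transcript(transcript: str) -> dict:
    """Verdict on a transcript whose last reply answers AUTH GSSAPI."""
    replies = parse_ftp_replies(transcript)
    if not replies:
        return {"verdict": "no-reply", "subject": None, "codes": []}
    last = replies[-1]
    return {"verdict": classify_auth_gssapi(last),
            "subject": extract_subject(last),
            "codes": [r.code for r in replies]}


def probe_gridftp(host: str, port: int = 2811, timeout: float = 10.0) -> dict:
    """Live probe (hypothetical helper, not run offline): banner, AUTH GSSAPI, QUIT."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rw", encoding="latin-1", newline="")
        lines = iter(f.readline, "")
        banner = read_reply(lines)
        f.write("AUTH GSSAPI\r\n"); f.flush()
        reply = read_reply(lines)
        f.write("QUIT\r\n"); f.flush()
        return check_transcript("".join(r.text for r in (banner, reply) if r) + "\r\n") if False else \
            {"verdict": classify_auth_gssapi(reply), "subject": extract_subject(reply),
             "codes": [r.code for r in (banner, reply) if r]}


# Constructed sample transcripts, assembled from the replies quoted in this thread.
HEALTHY_SESSION = (
    "220 GridFTP Server 2.8 (gcc64, 1217607445-63) [Globus Toolkit 5.0.4] "
    "- Running in Non-Striped Mode. ready.\r\n"
    "334 Using authentication type; ADAT must follow.\r\n"
)
EXPIRED_CRED_REPLY = (
    "530-globus_xio: Server side credential failure\r\n"
    "530-globus_gsi_gssapi: Error with GSI credential\r\n"
    "530-globus_gsi_gssapi: Error with gss credential handle\r\n"
    "530-globus_credential: Error with credential: The host credential: "
    "/etc/grid-security/hostcert.pem\r\n"
    "530- with subject: /C=US/O=UTAustin/OU=TACC/CN=gridftp2.ranger.tacc.utexas.edu\r\n"
    "530- has expired xx minutes ago.\r\n"
    "530-\r\n"
    "530 End.\r\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe_gridftp(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 2811))
    else:
        print(check_transcript(HEALTHY_SESSION))
        print(check_transcript(EXPIRED_CRED_REPLY))
```

Run it with a host (and optional port) to probe a live server, or with no arguments to see the verdicts for the two constructed transcripts. The multi-line handling matters: a naive check on the first "530-" line would miss the subject and the "has expired" text that only appear further down the reply.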