It would be interesting if there was a way to retrieve the entire raw public
x.509 certificate using the GridFTP protocol itself.
On Dec 6, 2011, at 5:26 AM, Joseph Bester wrote:
> From the GSSAPI level, this will get the cert from a partially established
> context (after the first init_sec_context() with a token from the server):
>
> #include <gssapi.h>          /* Globus gssapi.h also declares the buffer-set
>                                 extensions and gss_inquire_sec_context_by_oid */
> #include <openssl/x509.h>
>
> /* Globus-private OID naming the peer's X.509 certificate chain */
> static gss_OID_desc gss_ext_x509_cert_chain_oid_desc =
> {11, "\x2b\x06\x01\x04\x01\x9b\x50\x01\x01\x01\x08"};
> gss_OID_desc * gss_ext_x509_cert_chain_oid =
> &gss_ext_x509_cert_chain_oid_desc;
>
> gss_buffer_set_t buffers = NULL;
> OM_uint32 major_status, minor_status;
> const unsigned char * cert_der;
> X509 * x509 = NULL;
>
> major_status = gss_inquire_sec_context_by_oid(
> &minor_status,
> init_ctx,                       /* the partially established context */
> gss_ext_x509_cert_chain_oid,
> &buffers);
>
> if (!GSS_ERROR(major_status) && buffers != NULL && buffers->count > 0)
> {
> /* elements[0] is the peer's end-entity certificate, DER encoded;
>    d2i_X509() advances cert_der, so keep the original pointer in the set */
> cert_der = buffers->elements[0].value;
> x509 = d2i_X509(NULL, &cert_der, buffers->elements[0].length);
> }
> gss_release_buffer_set(&minor_status, &buffers);
>
> I'm not sure about the ftp client part.
>
> Joe
>
> On Dec 6, 2011, at 1:05 AM, Michael Link wrote:
>
>> To do it as a proper feature would involve extra api at the client library
>> and gssapi layers that I don't think is worth the trouble. However, it would
>> be really simple to hack something in yourself that would dump out the last
>> server cert that the client connected to, when the subject doesn't match.
>>
>> This snippet placed at gsi/gssapi/source/library/init_sec_context.c:308
>> (just after the subject mismatch error gets printed) will do just that:
>>
>> {
>> X509 * xxcert;
>> FILE * xxfile;
>>
>> xxfile = fopen("/tmp/last_cert", "w");
>> globus_gsi_cred_get_cert(
>> context->peer_cred_handle->cred_handle, &xxcert);
>> PEM_write_X509(xxfile, xxcert);
>> fclose(xxfile);
>> }
>>
>> Then the cert can be prodded with grid-cert-info or any other x509 tools you
>> like. You could do something like set the filename in an env var and only
>> dump the cert if the env is set.
>>
>> Mike
>>
>> On 12/5/2011 4:56 PM, [email protected] wrote:
>>> Looks like there is no way to see other cert attributes such as expiration
>>> date, right?
>>>
>>> Since that sort of information has to be available to the ssl client, could
>>> we put in a feature request for globus-url-copy to have an option to
>>> display all the ssl x.509 information it can?
>>>
>>> JP
>>> Sent via BlackBerry from T-Mobile
>>>
>>> -----Original Message-----
>>> From: Eric Blau<[email protected]>
>>> Date: Mon, 5 Dec 2011 15:01:19
>>> To: JP Navarro<[email protected]>
>>> Cc: Lukasz Lacinski<[email protected]>; Stu
>>> Martin<[email protected]>;<[email protected]>; Mike
>>> Link<[email protected]>
>>> Subject: Re: Is there a way to retrieve a GridFTP's x.509 certificate
>>> information
>>>
>>> I just chatted with Mike Link, and, while he didn't have an immediate full
>>> solution, he did mention a couple of ways to get some information.
>>>
>>> If a host does not have certificates in place for its gridftp server, it
>>> will give an error if you connect (with telnet or netcat) and issue
>>> "auth gssapi". If it does have a certificate, it will give a "334" response:
>>>
>>> [eblau@forge ~]$ telnet grid-forge.ncsa.xsede.org 2812
>>> Trying 141.142.164.101...
>>> Connected to forge.ncsa.illinois.edu (141.142.164.101).
>>> Escape character is '^]'.
>>> 220 GridFTP Server 2.8 (gcc64, 1217607445-63) [Globus Toolkit 5.0.4] -
>>> Running in Non-Striped Mode. ready.
>>> auth gssapi
>>> 334 Using authentication type; ADAT must follow.
>>>
>>> I think that this method would issue an error if the certificate was
>>> invalid (expired).
>>>
>>>
>>>
>>> Also, you can get globus-url-copy to divulge the subject name of the
>>> gridftp server certificate by specifying a subject with -s that you know is
>>> incorrect, and watching the error message:
>>>
>>> [eblau@forge ~]$ globus-url-copy -v -s
>>> "/DC=org/DC=doegrids/OU=People/CN=Eric Blau 216112/CN=1981729001"
>>> gsiftp://grid-forge.ncsa.xsede.org:2812/etc/group ./foobar
>>> Source: gsiftp://grid-forge.ncsa.xsede.org:2812/etc/
>>> Dest: file:///uf/ncsa/eblau/./
>>> group -> foobar
>>>
>>> error: globus_ftp_control: gss_init_sec_context failed
>>> GSS Major Status: Unexpected Gatekeeper or Service Name
>>> globus_gsi_gssapi: Authorization denied: The name of the remote entity
>>> (/C=US/O=National Center for Supercomputing
>>> Applications/OU=Services/CN=forge.ncsa.illinois.edu), and the expected name
>>> for the remote entity (/DC=org/DC=doegrids/OU=People/CN=Eric Blau
>>> 216112/CN=1981729001) do not match
>>>
>>>
>>> Not sure if this solves the problem, but thought I'd pass the information
>>> along.
>>>
>>> Eric
>>>
>>>
>>> ----- Original Message -----
>>>> XSEDE would like its monitoring system (Inca) to access information
>>>> about a GridFTP server's X.509 certificate.
>>>>
>>>> Is there a way to interact with a GridFTP server and retrieve server
>>>> certificate information?
>>>>
>>>> Thanks,
>>>>
>>>> JP
>>>>
>>>> Begin forwarded message:
>>>>
>>>>> From: "Smallen, Shava"<[email protected]>
>>>>> Subject: FW: Inca XSEDE Notification:
>>>>> gridftp-nonstriped-auth-dms-4.2.0 on tacc-ranger FAIL
>>>>> Date: December 5, 2011 11:55:38 AM CST
>>>>> To: David Carver<[email protected]>
>>>>> Cc: JP Navarro<[email protected]>
>>>>>
>>>>> Hey David,
>>>>>
>>>>> I'm not sure if there is a way to read the gridftp credentials remotely as
>>>>> you can with GRAM so we can warn ahead of time. We have some tests that
>>>>> execute:
>>>>>
>>>>> openssl s_client -connect host:port
>>>>>
>>>>> But I get a protocol error when I try to do that against gridftp servers.
>>>>> JP, do you know?
>>>>>
>>>>> Thanks,
>>>>> Shava
>>>>>
>>>>> On 12/5/11 9:48 AM, "Inca Inca"<[email protected]> wrote:
>>>>>
>>>>>> The following Inca test has FAILED:
>>>>>>
>>>>>> RAN AT: 2011-12-05T09:48:07.000-0800
>>>>>>
>>>>>> RAN ON: login3.ranger.tacc.utexas.edu
>>>>>>
>>>>>> TEST: data.transfer.gridftp.unit.auth-dns
>>>>>>
>>>>>> INPUT PARAMETERS: -dest=gridftp.ranger.tacc.teragrid.org:2811
>>>>>> -help=no
>>>>>> -log=0 -timeout=60 -verbose=1 -version=no
>>>>>>
>>>>>> ERROR MESSAGE: globus-url-copy -len 1280 file:///dev/zero
>>>>>> gsiftp://129.114.50.166:2811//dev/null failed:
>>>>>> error: globus_ftp_client: the server responded with an error
>>>>>> 530 530-globus_xio: Server side credential failure
>>>>>> 530-globus_gsi_gssapi: Error with GSI credential
>>>>>> 530-globus_gsi_gssapi: Error with gss credential handle
>>>>>> 530-globus_credential: Error with credential: The host credential:
>>>>>> /etc/grid-security/hostcert.pem
>>>>>> 530- with subject:
>>>>>> /C=US/O=UTAustin/OU=TACC/CN=gridftp2.ranger.tacc.utexas.edu
>>>>>> 530- has expired xx minutes ago.
>>>>>> 530-
>>>>>> 530 End.
>>>>>>
>>>>>>
>>>>>>
>>>>>> gridftp.ranger.tacc.teragrid.org mapped to the following ips:
>>>>>> 129.114.50.166
>>>>>>
>>>>>>
>>>>>>
>>>>>> details at
>>>>>> http://inca.xsede.org/inca/jsp/instance.jsp?xsl=instance.xsl&nickname=gridftp-nonstriped-auth-dms-4.2.0&resource=tacc-ranger&collected=2011-12-05T09:48:07.000-08:00
>>>>>>
>>>>>
>
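As an added example (not code from this thread or from the Globus Toolkit), a small Python probe that automates the telnet check Eric describes: it reads the 220 greeting, sends AUTH GSSAPI, and classifies the 334 or 530 reply so a monitor such as Inca can flag an expired host credential before transfers fail. The sample replies are constructed from the responses quoted in the thread; the verdict labels and the probe() helper are this example's own assumptions.

```python
import io
import socket
from typing import IO, Tuple

# Constructed sample replies, modelled on the 334 and 530 responses in the thread.
SAMPLE_OK = "334 Using authentication type; ADAT must follow.\r\n"
SAMPLE_EXPIRED = (
    "530-globus_xio: Server side credential failure\r\n"
    "530-globus_credential: Error with credential: The host credential:\r\n"
    "530- /etc/grid-security/hostcert.pem has expired xx minutes ago.\r\n"
    "530 End.\r\n"
)

def read_reply(f: IO[str]) -> Tuple[int, str]:
    """Read one FTP reply (RFC 959): a multi-line reply starts with 'NNN-' and
    ends at the line that starts with 'NNN ' (same code followed by a space)."""
    first = f.readline()
    if len(first) < 4 or not first[:3].isdigit() or first[3] not in " -":
        raise ValueError(f"malformed FTP reply: {first!r}")
    code, lines = int(first[:3]), [first.rstrip("\r\n")]
    while first[3] == "-" and not lines[-1].startswith(f"{code} "):
        line = f.readline()
        if not line:
            raise ValueError("connection closed inside multi-line reply")
        lines.append(line.rstrip("\r\n"))
    return code, "\n".join(lines)

def classify(code: int, text: str) -> str:
    """Map the reply to AUTH GSSAPI onto a monitoring verdict (labels assumed)."""
    if code == 334:
        return "credential-present"
    if code == 530:
        return "credential-expired" if "expired" in text else "credential-error"
    return f"unexpected-{code}"

def classify_reply_text(raw: str) -> str:
    return classify(*read_reply(io.StringIO(raw, newline="")))  # offline check

def probe(host: str, port: int = 2811, timeout: float = 10.0) -> Tuple[str, str]:
    """Connect to the control channel, send AUTH GSSAPI and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rw", encoding="ascii", errors="replace", newline="")
        code, banner = read_reply(f)        # expect the 220 greeting
        if code != 220:
            return f"unexpected-{code}", banner
        f.write("AUTH GSSAPI\r\n")
        f.flush()
        code, text = read_reply(f)
        return classify(code, text), text
```

The probe never completes the ADAT exchange, so it needs no client credential of its own; it only observes whether the server can load its host credential.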