I don't think this is an OpenSSL 1.0 problem. I see the same error with a fresh GT 5.0.4 install on MacOS 10.6.8 when using a legacy proxy:
$ openssl version OpenSSL 0.9.8r 8 Feb 2011 $ grid-proxy-init -q Enter GRID pass phrase: $ globus-url-copy /tmp/one gsiftp://localhost/tmp/two $ grid-proxy-init -q -old Enter GRID pass phrase: $ globus-url-copy /tmp/one gsiftp://localhost/tmp/two error: globus_ftp_client: the server responded with an error 530 530-globus_xio: Authentication Error 530-OpenSSL Error: /SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s3_srvr.c:2602: in library: SSL routines, function SSL3_GET_CLIENT_CERTIFICATE: no certificate returned 530-globus_gsi_callback_module: Could not verify credential 530-globus_gsi_callback_module: Can't get the local trusted CA certificate: Cannot find trusted CA certificate with hash 164e606c in /etc/grid-security/certificates 530 End. I get the same error from MyProxy and GSI-OpenSSH when using legacy proxies, so it seems to be in the underlying GSI libraries. On Dec 5, 2011, at 10:46 AM, Joseph Bester wrote: > Could this be a different OpenSSL version (1.0 vs 0.9.x) requiring a > different CA hash? If so, > there's a tool in GT5 to work around that. > > See http://www.globus.org/toolkit/docs/5.0/5.0.4/security/gsic/pi/#id2578254 > > Joe > > On Dec 5, 2011, at 8:58 AM, Sebastian Czechowski wrote: > >> Hello, >> >> Does anyone has an answer to this one? >> >> Regards, >> Sebastian >> >> -------- Original Message -------- >> Subject: [gt-user] Old-style proxies support >> Date: Mon, 14 Nov 2011 10:18:05 +0100 >> From: Sebastian Czechowski <sebastian.czechow...@gridwisetech.com> >> To: gt-user@lists.globus.org <gt-user@lists.globus.org> >> >> >> >> Hello all, >> >> Dennis van Dok from IGE Project has sent a the following question: >> >> Will old-style proxies remain supported in current and upcoming Globus >> products? Currently it seems that they aren't (see below). >> ------------------------------------------------------------------------ >> >> There is a failure in the authentication layer of the client-server >> interaction between a recent version of the globus client tools and a >> recent version of the globus services, when using classic (globus) proxies. >> >> Example: voms classic proxy, globus-url-copy from globus-gass-copy-5.7-1 >> on Ubuntu 11.04, with globus-gridftp-server-progs-3.28-3.el5 on CentOS 5. >> >> $ voms-proxy-info -all >> subject : /O=dutchgrid/O=users/O=nikhef/CN=Dennis van Dok/CN=proxy >> issuer : /O=dutchgrid/O=users/O=nikhef/CN=Dennis van Dok >> identity : /O=dutchgrid/O=users/O=nikhef/CN=Dennis van Dok >> type : proxy >> strength : 1024 bits >> path : /user/dennisvd/ige-voms-proxy-classic >> timeleft : 11:47:33 >> === VO ige-project.eu extension information === >> VO : ige-project.eu >> subject : /O=dutchgrid/O=users/O=nikhef/CN=Dennis van Dok >> issuer : >> /C=DE/O=GermanGrid/OU=TU-Dortmund/CN=host/vomrs01.grid.tu-dortmund.de >> attribute : /ige-project.eu/Role=NULL/Capability=NULL >> timeleft : 11:47:33 >> uri : vomrs01.grid.tu-dortmund.de:15011 >> >> $ globus-url-copy gsiftp://ve.nikhef.nl/etc/grid-security/grid-mapfile >> `pwd`/ >> >> error: globus_ftp_client: the server responded with an error >> 530 530-globus_xio: Authentication Error >> 530-OpenSSL Error: s3_srvr.c:2518: in library: SSL routines, function >> SSL3_GET_CLIENT_CERTIFICATE: no certificate returned >> 530-globus_gsi_callback_module: Could not verify credential >> 530-globus_gsi_callback_module: Can't get the local trusted CA >> certificate: Cannot find trusted CA certificate with hash 8d759796 in >> /etc/grid-security/certificates >> 530 End. >> >> Copying the same proxy file to a machine with a gLite 3.2.8 installation >> (globus-url-copy -version says globus-url-copy: 3.23) and repeating the >> command works. >> >> Initiating the voms proxy to use an RFC style proxy also works: >> >> $ voms-proxy-init --bits 1024 --rfc --voms ige-project.eu >> >> $ voms-proxy-info -all >> subject : /O=dutchgrid/O=users/O=nikhef/CN=Dennis van Dok/CN=122854297 >> issuer : /O=dutchgrid/O=users/O=nikhef/CN=Dennis van Dok >> identity : /O=dutchgrid/O=users/O=nikhef/CN=Dennis van Dok >> type : RFC compliant proxy >> strength : 1024 bits >> path : /private/home/dennis/src/globustest/ige-voms-proxy-rfc >> timeleft : 11:43:07 >> === VO ige-project.eu extension information === >> VO : ige-project.eu >> subject : /O=dutchgrid/O=users/O=nikhef/CN=Dennis van Dok >> issuer : >> /C=DE/O=GermanGrid/OU=TU-Dortmund/CN=host/vomrs01.grid.tu-dortmund.de >> attribute : /ige-project.eu/Role=NULL/Capability=NULL >> timeleft : 11:43:06 >> uri : vomrs01.grid.tu-dortmund.de:15011 >> >> Best regards, >> Sebastian Czechowski, IGE Project >> >> -- >> Sebastian Czechowski sebastian.czechow...@gridwisetech.com >> IT Project Coordinator >> GridwiseTech office/fax: +48 12 294 71 20 >> >> The Scalability Specialist www.gridwisetech.com >> --------------------------------------------------------------------
