-
Notifications
You must be signed in to change notification settings - Fork 149
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Download with xroot protocol on EL9 fails from storage with root CA signed by SHA1 #2150
Comments
@vokac: what happens when you drop the I think I understand why xrootd fails -- but not why curl would succeed in this case. OpenSSL allows for special headers that indicate trust roots; on EL9, this allows a different policy to be applied to trust roots (CAs) versus host certificates (note: the security library used by Java - and dCache - doesn't understand these). So, if curl is getting a CA chain from the system, I'd expect the above to succeed whereas XRootD might be exclusively using OSG is solving this by shipping all CAs with the special header understood by OpenSSL (and then providing a separate RPM for sites with Java). |
Why do you think
It seems to me that instead of deploying special RPMs everywhere it would be much easier if IGTF drops CAs signed by SHA1, those that were not able to move away from SHA1 should not be really trusted... |
I just wanted to double check. Multiple IGTF CAs (particularly, those used by InCommon and GEANT) have alternate validation paths that allow them to accepted via system trust roots as well as IGTF. I'm not familiar with the DFN one. Just wanted to see if that was possibly explaining the difference with
It isn't my call. However, at the system level, SHA1-signed trust roots are accepted on EL9, so I don't find IGTF's decision unreasonable. The "special" RPM mentioned simply matches the code paths for system CAs. |
Where is mentioned RPM? I would like to see what is inside to understand details. |
Here's our Koji page for the build: https://koji.osg-htc.org/koji/buildinfo?buildID=16997 and a download link: https://kojihub2000.chtc.wisc.edu/kojifiles/packages/osg-ca-certs/1.115/2.osg36.el9/noarch/osg-ca-certs-1.115-2.osg36.el9.noarch.rpm Basically we took all the certificate files for SHA1-signed certificates and duplicated the contents, changing the headers on the first copy from BEGIN/END CERTIFICATE to BEGIN/END TRUSTED CERTIFICATE. So the files would look like
Here is the script we used to make the changes: https://github.com/opensciencegrid/osg-certificates/blob/d00157d726c3135083dbeab4f9f838e088e28884/add-trusted-sha1-certs.sh |
Do you know why this update is not applied directly by IGTF when they publish new certificate bundle? Any side effects of this workaround? |
It does not work for CANL-Java --> dCache + StoRM. |
Does this mean that default java |
That looks quite likely indeed. |
This is a mess ... so we have to tell users not to use recommended I would still like to know why XRootD client |
It is possible for voms-proxy-init2 to become fully supported again, for several reasons. |
Why indeed! This question sent me down a long rabbit hole. Findings:
So, it appears that the OS's opinion is curl's behavior is correct and the failures can be completely fixed within the xrootd client code base. Further, we need to go back and figure out how to reproduce other failures because either (a) they were misattributed or (b) OpenSSL patches in EL9 have since worked around them. |
This is something that can be tuned in the configuration. Please see the Please note that the configuration can also be affected by an environment variable as shown here: xrootd/src/XrdSecgsi/XrdSecProtocolgsi.cc Lines 2418 to 2421 in 333a5dd
The configuration is set here: xrootd/src/XrdSecgsi/XrdSecProtocolgsi.cc Lines 455 to 463 in 333a5dd
and the actual checks happen here: xrootd/src/XrdSecgsi/XrdSecProtocolgsi.cc Lines 4528 to 4604 in 333a5dd
|
I think that the check done here in line 4595 needs to be updated: xrootd/src/XrdSecgsi/XrdSecProtocolgsi.cc Lines 4593 to 4603 in 333a5dd
It should be like this one: xrootd/src/XrdSecgsi/XrdSecProtocolgsi.cc Lines 5183 to 5185 in 333a5dd
I will prepare a patch for this. |
@amadio - I'm not quite understanding the comments in the code:
What does "verify if self-signed; warn if not" mean? Don't we want the opposite, we verify signatures until we hit a self-signed CA? |
This is the check level for the CA itself, the rest of the chain should always be checked. |
As described in GGUS:164619 transfers using xroot protocol fails
with default crypto policy on EL9 and it is necessary to apply workaround. This is different behavior compared to HTTPS download done with
curl
, e.g.People mentioned that it is not really useful to validate signature for self-signed Root CA so and that's why it should not matter which hash function was used to sign Root CA.
The text was updated successfully, but these errors were encountered: