Your message dated Wed, 31 Oct 2018 13:47:30 +0100
with message-id <[email protected]>
and subject line Re: Bug#911248: globus-gass-copy-progs: copy fails with some
SSL errors
has caused the Debian Bug report #911248,
regarding globus-gass-copy-progs: copy fails with some SSL errors
to be marked as done.
911248: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911248
--- Begin Message ---
Package: globus-gass-copy-progs
Version: 10.3-1
Severity: important
Hi.
The following might be some issue with current libssl versions?
$ globus-url-copy -dbg -vb
gsiftp://lcg-lrz-dc09.grid.lrz.de/pnfs/lrz-muenchen.de/data/atlas/dq2/atlasdatadisk/rucio/data15_13TeV/8f/66/DRAW_RPVLL.10929329._031512.pool.root.1
foo
Source:
gsiftp://lcg-lrz-dc09.grid.lrz.de/pnfs/lrz-muenchen.de/data/atlas/dq2/atlasdatadisk/rucio/data15_13TeV/8f/66/
Dest: file:///home/calestyo/
DRAW_RPVLL.10929329._031512.pool.root.1 -> foo
debug: starting to get
gsiftp://lcg-lrz-dc09.grid.lrz.de/pnfs/lrz-muenchen.de/data/atlas/dq2/atlasdatadisk/rucio/data15_13TeV/8f/66/DRAW_RPVLL.10929329._031512.pool.root.1
debug: connecting to
gsiftp://lcg-lrz-dc09.grid.lrz.de/pnfs/lrz-muenchen.de/data/atlas/dq2/atlasdatadisk/rucio/data15_13TeV/8f/66/DRAW_RPVLL.10929329._031512.pool.root.1
debug: response from
gsiftp://lcg-lrz-dc09.grid.lrz.de/pnfs/lrz-muenchen.de/data/atlas/dq2/atlasdatadisk/rucio/data15_13TeV/8f/66/DRAW_RPVLL.10929329._031512.pool.root.1:
220 GSI FTP door ready
debug: authenticating with
gsiftp://lcg-lrz-dc09.grid.lrz.de/pnfs/lrz-muenchen.de/data/atlas/dq2/atlasdatadisk/rucio/data15_13TeV/8f/66/DRAW_RPVLL.10929329._031512.pool.root.1
debug: fault on connection to
gsiftp://lcg-lrz-dc09.grid.lrz.de/pnfs/lrz-muenchen.de/data/atlas/dq2/atlasdatadisk/rucio/data15_13TeV/8f/66/DRAW_RPVLL.10929329._031512.pool.root.1:
globus_ftp_control: gss_init_sec_context failed
debug: data callback, error globus_ftp_control: gss_init_sec_context failed,
buffer 0x7f01aea93010, length 0, offset=0, eof=true
debug: operation complete
error: globus_ftp_control: gss_init_sec_context failed
GSS failure:
GSS Major Status: General failure
GSS Minor Status Error Chain:
globus_gsi_gssapi: Error with gss context
globus_gsi_gssapi: Error with gss credential handle
globus_gsi_gssapi: Error with openssl: Couldn't set the certificate to be used
for the SSL context
OpenSSL Error: ../ssl/ssl_rsa.c:310: in library: SSL routines, function
SSL_CTX_use_certificate: ee key too small
Both, client and server certs are current ones as issued within the grid.
Any ideas?
Thanks,
Chris.
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.18.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8),
LANGUAGE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages globus-gass-copy-progs depends on:
ii libc6 2.27-6
ii libglobus-common0 18.0-1
ii libglobus-ftp-client2 9.1-1
ii libglobus-gass-copy2 10.3-1
ii libglobus-gass-transfer2 9.0-1
ii libglobus-gsi-sysconfig1 9.1-1
ii libglobus-gssapi-error2 6.0-1
ii libglobus-gssapi-gsi4 14.7-1
ii libglobus-io3 12.1-1
ii libltdl7 2.4.6-6
ii libssl1.1 1.1.1-1
globus-gass-copy-progs recommends no packages.
globus-gass-copy-progs suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
On Wed, 2018-10-17 at 17:37 +0200, Christoph Anton Mitterer wrote:
> Hi.
>
> The following might be some issue with current libssl versions?
> $ globus-url-copy -dbg -vb
> gsiftp://lcg-lrz-dc09.grid.lrz.de/pnfs/lrz-muenchen.de/data/atlas/dq2/atlasdatadisk/rucio/data15_13TeV/8f/66/DRAW_RPVLL.10929329._031512.pool.root.1
> foo
> Source:
> gsiftp://lcg-lrz-dc09.grid.lrz.de/pnfs/lrz-muenchen.de/data/atlas/dq2/atlasdatadisk/rucio/data15_13TeV/8f/66/
> Dest: file:///home/calestyo/
> DRAW_RPVLL.10929329._031512.pool.root.1 -> foo
> debug: starting to get
> gsiftp://lcg-lrz-dc09.grid.lrz.de/pnfs/lrz-muenchen.de/data/atlas/dq2/atlasdatadisk/rucio/data15_13TeV/8f/66/DRAW_RPVLL.10929329._031512.pool.root.1
> debug: connecting to
> gsiftp://lcg-lrz-dc09.grid.lrz.de/pnfs/lrz-muenchen.de/data/atlas/dq2/atlasdatadisk/rucio/data15_13TeV/8f/66/DRAW_RPVLL.10929329._031512.pool.root.1
>
> debug: response from
> gsiftp://lcg-lrz-dc09.grid.lrz.de/pnfs/lrz-muenchen.de/data/atlas/dq2/atlasdatadisk/rucio/data15_13TeV/8f/66/DRAW_RPVLL.10929329._031512.pool.root.1:
> 220 GSI FTP door ready
>
> debug: authenticating with
> gsiftp://lcg-lrz-dc09.grid.lrz.de/pnfs/lrz-muenchen.de/data/atlas/dq2/atlasdatadisk/rucio/data15_13TeV/8f/66/DRAW_RPVLL.10929329._031512.pool.root.1
> debug: fault on connection to
> gsiftp://lcg-lrz-dc09.grid.lrz.de/pnfs/lrz-muenchen.de/data/atlas/dq2/atlasdatadisk/rucio/data15_13TeV/8f/66/DRAW_RPVLL.10929329._031512.pool.root.1:
> globus_ftp_control: gss_init_sec_context failed
> debug: data callback, error globus_ftp_control: gss_init_sec_context failed,
> buffer 0x7f01aea93010, length 0, offset=0, eof=true
> debug: operation complete
>
> error: globus_ftp_control: gss_init_sec_context failed
> GSS failure:
> GSS Major Status: General failure
> GSS Minor Status Error Chain:
> globus_gsi_gssapi: Error with gss context
> globus_gsi_gssapi: Error with gss credential handle
> globus_gsi_gssapi: Error with openssl: Couldn't set the certificate to be
> used for the SSL context
> OpenSSL Error: ../ssl/ssl_rsa.c:310: in library: SSL routines, function
> SSL_CTX_use_certificate: ee key too small
>
>
> Both, client and server certs are current ones as issued within the grid.
>
> Any ideas?
>
> Thanks,
> Chris.
This is not really a bug, but a consequence of the more strict security
defaults in openssl 1.1.1. With the new defaults an RSA key with a
smaller length than 2048 bits will be rejected during a TLS handshake.
voms-proxy-init by default creates proxies with a 1024 bit key length,
so these will be rejected. I can reproduce the error you report with
such a proxy.
However, if I create a voms proxy with a 2048 bit key it works:
voms-proxy-init --voms atlas --bits 2048
The grid-proxy-init command has been updated and now by default
produces proxies with a 2048 bit key. Though this command can not
produce proxies with a voms extension.
The voms-proxy-init command should be updated the same way to create
2048 bit key proxies by default. But until that is done you can
explicitly request a 2048 bit key using the --bits 2048 command line
option.
This is not a bug in globus-url-copy, so I close this bug.
Mattias
--- End Message ---
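Added example (not part of the original messages): a shell check that compares the key size of the first certificate in a PEM file with the 2048-bit minimum described in the reply above. The function names and the throwaway self-signed certificates are constructed for illustration; it assumes RSA keys and the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example: compare the key size of the first certificate in a PEM
# file with the 2048-bit minimum described in the reply. Assumes RSA keys.

MIN_BITS=2048   # minimum from the reply; override with a second argument

# Print the public key size in bits of the first certificate in file $1.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 if the key is large enough, 1 if too small, 2 if unreadable.
check_cert_key() {
    bits=$(cert_key_bits "$1")
    min=${2:-$MIN_BITS}
    if [ -z "$bits" ]; then
        echo "$1: no certificate or key size found" >&2
        return 2
    fi
    if [ "$bits" -lt "$min" ]; then
        echo "$1: $bits-bit key, below $min: expect 'ee key too small'"
        return 1
    fi
    echo "$1: $bits-bit key, ok"
}

# Constructed sample input: a throwaway self-signed certificate standing in
# for a proxy certificate; not a real grid credential.
make_sample_cert() {   # $1 = key bits, $2 = output PEM file
    openssl req -x509 -newkey "rsa:$1" -nodes -days 1 \
        -subj "/CN=constructed sample" -keyout "$2.key" -out "$2" 2>/dev/null
}

demo() {
    dir=$(mktemp -d)
    make_sample_cert 1024 "$dir/weak.pem"
    make_sample_cert 2048 "$dir/ok.pem"
    check_cert_key "$dir/weak.pem" || true   # reported as too small
    check_cert_key "$dir/ok.pem"
    rm -rf "$dir"
}

demo
```

Pointing `check_cert_key` at a proxy file checks the proxy certificate itself, provided it is the first PEM block in that file.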