Hi I tried debugging this issue on client side, but no luck so far.
So, I decided to figure out the hang on Server Side (in Java)This is what is happening on server side: (I have included relevant code)
- once server receives request from client, it gets out of the accept() method call and forks a client thread (passes the socket as an argument)
server = new ServerSocket(port); socket = server.accept(); sazInit=new SAZInit(socket,confObject); SAZClientThread sazClientThread=new SAZClientThread(sazInit); sazClientThread.start();- within this client thread, the first thing it does is obtain an ExtendedGSSContext (using the servers host cert and host key) and passes it as an argument to another function "getGsiServerSocket " . I have attached file called ANAM.java which contains these functions.
context = anamObject .getGsiServerContext (confObject.SAZ_SERVER_CERT,confObject.SAZ_SERVER_KEY);
clientSocket = anamObject.getGsiServerSocket(clientSocket,context); I believe handshake is being done by function "getGsiClientSocket",(Socket clientSocket = GssSocketFactory.getDefault().createSocket(host, port, context);)
- then it tries to obtain a input and output stream using this client socket. This is where it hangs...
the code which does this is :
rwSocket=new ReadWriteSocket(clientSocket);
and I have attached file called ReadWriteSocket.java.
Basically this is what the constructor is doing..
public ReadWriteSocket(Socket clientSocket){
this.clientSocket=clientSocket;
try{
in=clientSocket.getInputStream();
out=clientSocket.getOutputStream();
reader =new BufferedReader(new
InputStreamReader(in));
writer=new PrintStream(out);
din=new DataInputStream(in);
dout=new DataOutputStream(out);
}catch(IOException e){
System.out.println("Exception "+e);
}
}
The code hangs on the getInputStream() function...
I have also tested that if I just try to get input and output stream
from the socket object (when it gets created by server and is passed
to the thread before globus libraries are used), i can get them.
So obviously globus libraries are modifying the client socket in a way that is causing the problem in case of proxy delegated 5 times and above..
At this stage, I am not sure what else I can try at my end and am looking forward for any support from the Globus folks..
If you need any other information, please let me know -Neha
ANAM.java
Description: Binary data
ReadWriteSocket.java
Description: Binary data
On Jul 31, 2008, at 11:40 AM, Charles Bacon wrote:
Though the bug references just one commit, it was part of a larger set of commits:http://www.globus.org/mail_archive/csec-commit/2007/06/threads.htmlYou'll need all three - the first one just adds the constant, but the next two are what actually pass the constant into the openssl commands to set the verify depth.Charles On Jul 31, 2008, at 11:24 AM, Neha Sharma wrote:Thanks Charles. Looks like I should be able to test this fix by defining #define GLOBUS_GSI_CALLBACK_VERIFY_DEPTH 100 in the globus_gsi_callback_constants.h file and rebuilding globus I will try it out and let you know how it goes.. -Neha On Jul 31, 2008, at 10:26 AM, Charles Bacon wrote:Openssl comes with a default "maximum depth" of a PKI chain it supports. That includes the CA and RA (if applicable). I suspect you might be hitting GT4.0.x's depth limit of 9. If you're using a CA+RA+Usercert+5 proxy, you might not be allowed to submit with delegation anymore because the delegation would take you to the depth limit.It's a compiled-in limit that you can change. I believe we had a bug open about the max depth ... yep, it's http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=4994 . It should be fixed in 4.2 to be 100 instead. You can probably take that patch back to 4.0.x if you need the limit increased there too.Charles On Jul 31, 2008, at 9:52 AM, Neha Sharma wrote:Hi AllI am wondering if someone can provide me with some information about the Globus function "globus_gss_assist_init_sec_context"We have an authorization service and this globus function is used for performing handshake between the service and the client.We observed that as long as the proxy is delegated up to 4 times, so that the DN is of form :subject : /DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Neha Sharma/ CN=UID:nehaorsubject : /DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Neha Sharma/ CN=UID:neha/CN=proxyorsubject : /DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Neha Sharma/ CN=UID:neha/CN=proxy/CN=proxyorsubject : /DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Neha Sharma/ CN=UID:neha/CN=proxy/CN=proxy/CN=proxyorsubject : /DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Neha Sharma/ CN=UID:neha/CN=proxy/CN=proxy/CN=proxy/CN=proxyeverything works fine.However, if it is delegated 5th time and above, so that the DN in the proxy now has an extra "CN=proxy" , the client hangs on the handshake.(The DN looks like:subject : /DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Neha Sharma/ CN=UID:neha/CN=proxy/CN=proxy/CN=proxy/CN=proxy/CN=proxy)The complete handshake function that is being used is below.As you can see, all it does is invoke the globus function "lobus_gss_assist_init_sec_context"So, I am wondering if there is some kind of limitation in this globus function, such as maximum length of user proxy or DNint handshake(gss_cred_id_t credential_handle){ OM_uint32 ret_flags=0;major_status = globus_gss_assist_init_sec_context(&minor_status, credential_handle, &global_context_handle, "GSI-NO- TARGET", // GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG, GSS_C_MUTUAL_FLAG,&ret_flags, &token_status,globus_gss_assist_token_get_fd, (void *) socket_in_out_file, globus_gss_assist_token_send_fd, (void *) socket_in_out_file);if(major_status != GSS_S_COMPLETE){logerr("Handshake Failed... major_status != GSS_S_COMPLETE");return(GSS_FAILED_HANDSHAKE); } return(GSS_SUCCESS); } Thanks -Neha
