Andrea Turli wrote:
Thanks Vincenzo. Now it's clear.

Unfortunately, the problem here is that I get this "handshake failure"
fault during an axis invocation from inside globus service in a GT4
container towards the VOMS server.

How can I set this low-level openssl parameter (CAPath) for this axis
invocation?
No idea. But why, does it call openssl? You can see I do not have much experience with it :)


Moreover a generic GET HTTPS call from inside the same GT4 service
works correctly. For this reason I think that "globus" overwrites in
some sense the standard SSL behavior (cog ?). Is it possible?
I expect it does, otherwise legacy proxies could not work. But here it is better if Tom takes charge of it.

Ciao,
   Vincenzo

Andrea

On Thu, Feb 26, 2009 at 1:47 PM, Vincenzo Ciaschini
<vincenzo.ciasch...@cnaf.infn.it> wrote:
Andrea Turli wrote:
I don't know if this will answer your questions but I've tried these
three commands:

$ openssl verify -CApath /etc/grid-security/certificates -purpose
sslclient /etc/grid-security/containercert.pem
/etc/grid-security/containercert.pem: OK

$ openssl verify -purpose sslclient /etc/grid-security/containercert.pem
/etc/grid-security/containercert.pem:
/C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
error 20 at 0 depth lookup:unable to get local issuer certificate
The difference here is the missing -CApath in the second command, which
confirms the fact that you did not put them in /certs instead.

In this situation, all your openssl subcommands should specify the -CApath
option if that option is available.  For example, verify, s_client and
s_server should, x509 should not.

Which means, retry this command:
openssl s_client -CApath /etc/grid-security/certificates -connect
localhost:443

instead of just:
openssl s_client -connect localhost:443

Ciao,
  Vincenzo

What could be the solution?

Andrea



On Thu, Feb 26, 2009 at 11:35 AM, Vincenzo Ciaschini
<vincenzo.ciasch...@cnaf.infn.it> wrote:
Vincenzo Ciaschini wrote:
Tom Scavo wrote:
On Wed, Feb 25, 2009 at 10:23 AM, Andrea Turli <andrea.tu...@eng.it>
wrote:
This command also

openssl s_client -connect localhost:443

doesn't work

This is the stacktrace I can see:
CONNECTED(00000003)
depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
verify error:num=21:unable to verify the first certificate
verify return:1
20978:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
certificate:s3_pkt.c:1046:SSL alert number 42
20978:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:226:
This error trace seems to hint to the fact that OpenSSL could not find the
CA certificate of the grids16.eng.it host cert in the CA store. What is the
default value of -CApath when one does not specify it?
It is '/certs'.  I assume you do not have it, right?

 Are you sure you have the CA certificate installed?
Ciao,
 Vincenzo
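As an added illustration of the -CApath point made above (an example script, not part of the thread or of any Globus/VOMS code), the following sh script builds a throwaway CA and host certificate and runs `openssl verify` three ways: without -CApath, against a directory that merely contains the CA file, and against one where the file is stored under its subject hash as c_rehash would name it. All paths, names and the minimal config are constructed for the demo; only the hashed-directory case succeeds.

```shell
#!/bin/sh
# Added example, not from the thread: $WORK/hashed stands in for
# /etc/grid-security/certificates and host.pem for containercert.pem.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed demo CA, then a host cert signed by it (constructed names).
openssl req -config "$WORK/req.cnf" -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/C=IT/O=Demo/CN=Demo Grid CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes \
  -subj "/C=IT/O=Demo/OU=Host/CN=host.example.invalid" \
  -keyout "$WORK/host.key" -out "$WORK/host.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/host.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -out "$WORK/host.pem" 2>/dev/null

# Two candidate CA directories: the CA under an arbitrary file name, and the CA
# under <subject_hash>.0, which is what c_rehash creates and -CApath looks up.
mkdir -p "$WORK/unhashed" "$WORK/hashed"
cp "$WORK/ca.pem" "$WORK/unhashed/ca.pem"
HASH="$(openssl x509 -noout -subject_hash -in "$WORK/ca.pem")"
cp "$WORK/ca.pem" "$WORK/hashed/$HASH.0"

# verify_cert CERT [CAPATH]: prints "ok" or "fail". Without CAPATH the default
# store is used, as in the second command quoted in the thread. The result is
# taken from the "<file>: OK" line, since older openssl exits 0 either way.
verify_cert() {
  if [ $# -ge 2 ]; then
    out="$(openssl verify -CApath "$2" -purpose sslclient "$1" 2>&1 || true)"
  else
    out="$(openssl verify -purpose sslclient "$1" 2>&1 || true)"
  fi
  case "$out" in *": OK"*) echo ok ;; *) echo fail ;; esac
}

echo "no -CApath:       $(verify_cert "$WORK/host.pem")"
echo "-CApath unhashed: $(verify_cert "$WORK/host.pem" "$WORK/unhashed")"
echo "-CApath hashed:   $(verify_cert "$WORK/host.pem" "$WORK/hashed")"
```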