What's the correct way to file dCache SRM bugs? Surely not to
email Timur? Owen?
-j
-----Original Message-----
From: GRIDPP2: Deployment and support of SRM and local storage
management [mailto:[log in to unmask]]On Behalf Of Greig A
Cowan
Sent: 13 September 2006 16:52
To: [log in to unmask]
Subject: Re: srmcp (security) bug
Jens,
So what is the next step? Do you escalate this up to Timur at FNAL?
Greig
On Wed, 13 Sep 2006, Jensen, J (Jens) wrote:
> Hi,
>
> Chris K and I have discovered a bug in srmcp (the client) which we
> sort of suspected was a bug earlier but have now confirmed.
>
> If the SRM host has an alias, and the host certificate is issued to the
> alias, srmcp refuses to connect. In other words, srmcp appears to
> look up the *canonical* name of the host and compares it to the name
> in the certificate. Which is a bug. It **must** use the name in the
> SURL to compare against the name in the certificate - see for example
> RFC 2595 section 2.4:
> http://www.rfc-editor.org/rfc/rfc2595.txt
>
> This is a security bug because DNS is not considered secure. See
> the RFC.
>
> Moreover, the error message indicates that srmcp uses the name in the
> CN of the certificate rather than that of the subjectAltName, although
> we couldn't confirm this because they are of course the same. That's
> more peculiar than serious, although the RFCs do say to use the s.a.n.
>
> --jens
>
--
========================================================================
Dr Greig A Cowan http://www.ph.ed.ac.uk/~gcowan1
School of Physics, University of Edinburgh, James Clerk Maxwell Building
TIER-2 STORAGE SUPPORT PAGES: http://wiki.gridpp.ac.uk/wiki/Grid_Storage
========================================================================
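
Added example, not part of the original thread and not srmcp code: a Python sketch of the check described in the quoted report, taking the reference name from the SURL and comparing it with the subjectAltName (falling back to the CN), next to the canonical-name comparison the report describes. The host names, the certificate fields and the CANONICAL lookup table are constructed stand-ins.

```python
from urllib.parse import urlsplit

# Constructed sample data (hypothetical names, not taken from the thread).
SURL = "srm://srm.example.org:8443/pnfs/example.org/data/file"
CANONICAL = {"srm.example.org": "node17.example.org"}  # stands in for a DNS CNAME answer
CERT = {"subject_cn": "srm.example.org", "san_dns": ["srm.example.org"]}

def reference_name(surl):
    """Host name exactly as written in the SURL; no DNS lookup is involved."""
    host = urlsplit(surl).hostname
    if not host:
        raise ValueError("SURL has no host part: %r" % surl)
    return host.lower().rstrip(".")

def presented_names(cert):
    """subjectAltName dNSName entries if present, otherwise the subject CN."""
    sans = [n.lower() for n in cert.get("san_dns", [])]
    if sans:
        return sans
    cn = cert.get("subject_cn")
    return [cn.lower()] if cn else []

def name_matches(pattern, host):
    """Exact match, or '*' standing for the whole left-most label only."""
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Conservative choice made for this sketch: no wildcard directly under a TLD.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def verify_by_surl(surl, cert):
    """Name from the SURL compared with the names in the certificate."""
    host = reference_name(surl)
    return any(name_matches(p, host) for p in presented_names(cert))

def verify_by_canonical(surl, cert, resolve=CANONICAL.get):
    """Behaviour reported in the thread: canonical DNS name compared with the CN."""
    host = reference_name(surl)
    canonical = resolve(host) or host  # value depends on whoever answers the DNS query
    return canonical == cert.get("subject_cn", "").lower()

if __name__ == "__main__":
    print("SURL name check:     ", verify_by_surl(SURL, CERT))
    print("canonical name check:", verify_by_canonical(SURL, CERT))
```

With the alias certificate the SURL-based check accepts and the canonical-name check refuses, which is the symptom reported above; a certificate issued to the canonical name gives the opposite result.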