On Wed, 13 Sep 2006 17:23:33 +0100
Greig A Cowan <[log in to unmask]> wrote:
> I guess emailing [log in to unmask] would suffice. I think Timur is on
> that list and would see the report. Presumably there is some sort of
> bug tracking system as well...
>
> Greig
Yes, this is correct: email the bug to [log in to unmask], then I will
give the bug to Timur and we in D-cache all see the progress, as it's
based on Request Tracker. Request Tracker seems to work just fine in
DESY, although previously I have heard bad things about this bug
management software. I am pleasantly surprised by this system.
Regards
Owen
PS
Just rented my flat in Hamburg!
>
> On Wed, 13 Sep 2006, Jensen, J (Jens) wrote:
>
> > What's the correct way to file dCache SRM bugs? Surely not to
> > email Timur? Owen?
> >
> > -j
> >
> > -----Original Message-----
> > From: GRIDPP2: Deployment and support of SRM and local storage
> > management [mailto:[log in to unmask]] On Behalf Of Greig A Cowan
> > Sent: 13 September 2006 16:52
> > To: [log in to unmask]
> > Subject: Re: srmcp (security) bug
> >
> >
> > Jens,
> >
> > So what is the next step? Do you escalate this up to Timur at FNAL?
> >
> > Greig
> >
> >
> > On Wed, 13 Sep 2006, Jensen, J (Jens) wrote:
> >
> > > Hi,
> > >
> > > Chris K and I have discovered a bug in srmcp (the client) which we
> > > sort of suspected was a bug earlier but have now confirmed.
> > >
> > > If the SRM host has an alias, and the host certificate is issued
> > > to the alias, srmcp refuses to connect. In other words, srmcp
> > > appears to look up the *canonical* name of the host and compares
> > > it to the name in the certificate. Which is a bug. It **must**
> > > use the name in the SURL to compare against the name in the
> > > certificate - see for example RFC 2595 section 2.4:
> > > http://www.rfc-editor.org/rfc/rfc2595.txt
> > >
> > > This is a security bug because DNS is not considered secure. See
> > > the RFC.
> > >
> > > Moreover, the error message indicates that srmcp uses the name in
> > > the CN of the certificate rather than that of the subjectAltName,
> > > although we couldn't confirm this because they are of course the
> > > same. That's more peculiar than serious, although the RFCs do say
> > > to use the s.a.n.
> > >
> > > --jens
> > >
> >
> >
>
> --
> ========================================================================
> Dr Greig A Cowan
> http://www.ph.ed.ac.uk/~gcowan1
> School of Physics, University of Edinburgh, James Clerk Maxwell Building
>
> TIER-2 STORAGE SUPPORT PAGES:
> http://wiki.gridpp.ac.uk/wiki/Grid_Storage
> ========================================================================
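The hostname check Jens describes, written out as an added example (this is illustrative code, not srmcp's or dCache's own implementation). It contrasts the reported behaviour (resolve the SURL host to its canonical name, then compare that against the certificate) with the behaviour RFC 2595 section 2.4 and RFC 2818 require (compare the name the user typed in the SURL, preferring subjectAltName dNSName entries over the subject CN). The certificates, the SURL and the alias table are all constructed sample data; the alias table stands in for a DNS CNAME lookup so the example runs offline.

```python
"""Hostname verification for an srm:// URL: the name to compare against the
server certificate is the host in the SURL, never a DNS-resolved canonical
name. Illustrative example, not srmcp's code; all data below is constructed."""

from urllib.parse import urlsplit

# Certificates in the dict shape that ssl.getpeercert() returns (constructed).
# The case from the thread: the certificate is issued to the service alias,
# and CN and SAN carry the same name.
SAMPLE_CERT = {
    "subject": ((("commonName", "srm-alias.example.org"),),),
    "subjectAltName": (("DNS", "srm-alias.example.org"),),
}
# Constructed: CN names the physical node, SAN names the alias. Used to show
# that once a SAN is present the CN is not consulted at all.
MIXED_CERT = {
    "subject": ((("commonName", "node01.example.org"),),),
    "subjectAltName": (("DNS", "srm-alias.example.org"),),
}
# Constructed: an older-style certificate with no SAN; CN is the fallback.
CN_ONLY_CERT = {
    "subject": ((("commonName", "srm-alias.example.org"),),),
}
SAMPLE_SURL = "srm://srm-alias.example.org:8443/pnfs/example.org/data/file1"

# Constructed stand-in for a DNS CNAME lookup (alias -> canonical name).
# DNS answers are unauthenticated, which is exactly why the resolved name
# must not be the one matched against the certificate.
CANONICAL_NAME = {"srm-alias.example.org": "node01.example.org"}


def host_from_surl(surl: str) -> str:
    """Return the host component of a SURL, lower-cased, without the port."""
    host = urlsplit(surl).hostname
    if not host:
        raise ValueError(f"SURL has no host: {surl!r}")
    return host.lower()


def cert_names(cert: dict) -> list:
    """Names the certificate claims: SAN dNSName entries if any exist,
    otherwise (and only otherwise) the subject commonName."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        return san
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive comparison; a single leading '*' label matches
    exactly one host label (no partial-label or multi-label wildcards)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split(".")[1:], hostname.split(".")
    return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels


def verify_hostname(cert: dict, hostname: str) -> bool:
    """True if any name the certificate claims matches the given host."""
    return any(dns_name_matches(n, hostname) for n in cert_names(cert))


def check_as_reported(cert: dict, surl: str) -> bool:
    """The behaviour the thread reports: resolve the SURL host to its
    canonical name and compare that. Fails for aliased hosts and trusts DNS."""
    host = host_from_surl(surl)
    canonical = CANONICAL_NAME.get(host, host)
    return verify_hostname(cert, canonical)


def check_correct(cert: dict, surl: str) -> bool:
    """Compare the name the user asked for, taken straight from the SURL."""
    return verify_hostname(cert, host_from_surl(surl))


if __name__ == "__main__":
    print("as reported:", check_as_reported(SAMPLE_CERT, SAMPLE_SURL))  # False
    print("correct:    ", check_correct(SAMPLE_CERT, SAMPLE_SURL))      # True
```

Running the script shows the two outcomes side by side: with the certificate issued to the alias, the canonical-name comparison refuses the connection while the SURL-name comparison accepts it. The SAN-first rule in `cert_names` also covers the second point in the thread: when a SAN is present, a CN that happens to name the physical node is ignored, so the check cannot be satisfied by a CN alone.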