On Mon, May 30, 2005 at 09:54:29AM +0100, Jens G Jensen wrote:
> On Sun, 29 May 2005 22:27:46 BST, Kostas Georgiou wrote this:
>
> > What warned me to the possibility was that after I installed
> > the pool node I could gsiftp to it right away even without
> > any CRLs installed. At that point I remembered reading that
> > the globus java libraries didn't support CRLs.
>
> That's a different thing. If the CRL is absent, much software will
> assume that no certificates are revoked. The alternative would be to
> assume that *all* certificates are revoked which is rather Draconian.

It *is* better, though, than letting the revoked certificates work
if there is a misconfiguration :) To me it is standard security
practice: if you don't know that the client still has the rights,
you don't authorize it....

> >
> > I just had a closer look today and it seems that support was
> > added in version 3.2.0
> > http://www-unix.globus.org/toolkit/releasenotes/3.2.0/gsi_notes.html
>
> Reading that makes me more worried.

Indeed.

> > so the question is which version of the java libraries is used
> > in dcache and if the CRL support is automatic or you need code
> > changes to support it.
>
> Don't know. We'll have to investigate.
>
> >
> > From what I remember the C based gridftp server doesn't authenticate
> > you if the CRL information is missing or outdated; the dcache server
> > doesn't care, so it is a bad sign.....
>
> Sure but we aren't using the C based GridFTP server. It would probably
> moan if the CRL is past its 30 day time (which would be wrong - it should
> use it rather than moan).
>
> In any case, *if* it used the valid CRL *if* the CRL is installed then
> that would do for now. We shall check.

I tried some straces today and it seems that it is using the CRL if it is
available (or at least it's reading it):

...
open("/etc/grid-security/certificates/6e3b436b.r0", O_RDONLY) = 80
...

So it is working correctly, although I am not happy that it doesn't scream
murder if the CRL isn't there.

Another interesting note is that the signing_policy is ignored (as far
as I can see from the strace), which reminds me that the globus java libs
don't support it (no idea if that has changed though with newer versions).
Definitely not as serious, since it requires a rogue CA, but still.....

Cheers,
Kostas
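
Added example, not part of the original message and not dCache or Globus code: a site-side audit of the trust directory that flags every CA certificate (`<hash>.0`) lacking a usable `<hash>.r0` CRL or a `<hash>.signing_policy` file, and a fail-closed decision built on it. The function names, the `aaaaaaaa`/`bbbbbbbb` hashes, the 30-day threshold and the use of file mtime in place of the CRL's nextUpdate field are assumptions.

```python
import os
import re
import tempfile
import time

CA_CERT = re.compile(r"^([0-9a-f]{8})\.0$")  # <hash>.0 is the CA certificate

def audit_trust_dir(path, max_crl_age_days=30, now=None):
    """Return {ca_hash: [problems]} for each CA certificate in path."""
    now = time.time() if now is None else now
    findings = {}
    for name in sorted(os.listdir(path)):
        m = CA_CERT.match(name)
        if not m:
            continue
        ca, problems = m.group(1), []
        crl = os.path.join(path, ca + ".r0")
        if not os.path.isfile(crl) or os.path.getsize(crl) == 0:
            problems.append("CRL missing")
        elif now - os.path.getmtime(crl) > max_crl_age_days * 86400:
            # Assumption: mtime stands in for parsing the CRL's nextUpdate.
            problems.append("CRL stale")
        if not os.path.isfile(os.path.join(path, ca + ".signing_policy")):
            problems.append("signing_policy missing")
        findings[ca] = problems
    return findings

def may_authenticate(findings, ca):
    """Fail closed: an unknown CA or any finding means deny."""
    return ca in findings and not findings[ca]

def build_sample_dir():
    """Constructed sample directory; file contents are dummies."""
    d = tempfile.mkdtemp()
    sample = {"6e3b436b.0": 0, "6e3b436b.r0": 1, "6e3b436b.signing_policy": 0,
              "aaaaaaaa.0": 0, "aaaaaaaa.signing_policy": 0,  # no CRL at all
              "bbbbbbbb.0": 0, "bbbbbbbb.r0": 45}  # old CRL, no policy
    for name, age_days in sample.items():
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(b"dummy")
        t = time.time() - age_days * 86400
        os.utime(p, (t, t))
    return d

if __name__ == "__main__":
    for ca, problems in audit_trust_dir(build_sample_dir()).items():
        print(ca, "ok" if not problems else "DENY: " + ", ".join(problems))
```

Run from cron against `/etc/grid-security/certificates`, a non-empty findings list gives the alert that the server itself does not raise when a CRL is absent.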