Hi Daniela,

Yes, David Groep also suggested this. While adding an extension to the
CRL is Mostly Harmless®, making it critical is not... it risks breaking
even more stuff.  Before I do anything I'll have a quick look at
existing CRLs and see if any have critical extensions - I suspect there
are none.

If I have to pick one, looking through RFC 5280, section 5.2, suggests
the AKI (section 5.2.1) is least likely to harm anything if made critical.

Cheers
--jens


On 30/11/2017 10:38, Daniela Bauer wrote:
> Hi All,
>
> Can we please *not* go down the "every site must update their
> software" route ? This will take years to fix. (I'll take Steve 6.4 as
> a case in point....;-)
>
> @Jens - would you be able to generate a cert with the critical
> extension and we can try it out ?
> Everyone updates their CAs, so it there is anyway to fix it there,
> this is the way forward.
>
> Thanks,
> Daniela
>
>
> On 30 November 2017 at 10:28, Kashif Mohammad
> <[log in to unmask]
> <mailto:[log in to unmask]>> wrote:
>
>
>
>     >>>>I've patched the GridPP VOMS admin server (unfortunately, they
>     don't
>     >>>>depend on the bouncycastle rpm, they ship it themselves as
>     part of the
>     >>>>voms-admin-server rpm, I just hope they haven't modified it). Now
>     >>>>everyone should be able to access the web page regardless of
>     which CA
>     >>>>version is installed on the server or in the browser.
>     >>>>I've also updated the trust anchors to 1.88.
>     >>>>
>     >>>>Kashif, Pete: Can you leave the trust anchor version at 1.87
>     on voms02 for
>     >>>>now, so we still have a server with the old version that
>     clients can use
>     >>>>which haven't updated their CAs yet ?
>
>     I haven't updated trust anchor to 1.88 on voms server yet. I will
>     leave it to 1.87 for time being.
>
>     Kashif
>
>     >>>>Cheers,
>     >>>>Robert
>     >>>>
>     >>>>On 30/11/17 08:20, Robert Frank wrote:
>     >>>>> Hi Steve,
>     >>>>>
>     >>>>> it needs to be installed on all SL6 machines that run any
>     Java program
>     >>>>(client or server) that requires any type of certificate
>     validation. That's any
>     >>>>Java client in general as they should be validating the server
>     certificate and
>     >>>>any Java server the requires client certificate authentication
>     (which in our
>     >>>>case covers pretty much everything).
>     >>>>> So far, I've only tested it with the java voms client, I
>     don't know yet if it
>     >>>>will work with Argus or CREAM, or if there are other issues.
>     >>>>>
>     >>>>> Cheers,
>     >>>>> Robert
>     >>>>>
>     >>>>> On 29/11/17 20:09, sjones wrote:
>     >>>>>> Robert,
>     >>>>>>
>     >>>>>> does the patched copy of BouncyCastle need to be installed
>     on ARGUS
>     >>>>server, or client (e.g. CEs. SEs) or all the above?
>     >>>>>>
>     >>>>>> Ste
>     >>>>>>
>     >>>>>>
>     >>>>>> On 2017-11-29 19:01, Robert Frank wrote:
>     >>>>>>> Hi all,
>     >>>>>>>
>     >>>>>>> I think I've tracked down the source of the problem.
>     >>>>>>>
>     >>>>>>> When bouncycastle verifies the certificate paths it
>     compares the
>     >>>>>>> chain it gets from the server with the local installed
>     certificates.
>     >>>>>>> If there's a difference in a CA certificate in the same
>     position
>     >>>>>>> (which is the case for 2B as it has changed) it executes a
>     code
>     >>>>>>> block that is never executed otherwise.
>     >>>>>>> Long story short, in the SL6 version it executes the following
>     >>>>>>> method at some point:
>     >>>>>>>
>     >>>>>>>     private static boolean isDeltaCRL(X509CRL crl)
>     >>>>>>>     {
>     >>>>>>>         Set critical = crl.getCriticalExtensionOIDs();
>     >>>>>>>         return
>     >>>>>>>
>     critical.contains(RFC3280CertPathUtilities.DELTA_CRL_INDICATOR);
>     >>>>>>>     }
>     >>>>>>>
>     >>>>>>> If there are no critical extensions in the crl, the functions
>     >>>>>>> returns null, causing a null pointer exception and the
>     problems.
>     >>>>>>>
>     >>>>>>> They have fixed that in newer bouncycastle versions (eg
>     CentOS 7):
>     >>>>>>>
>     >>>>>>>     private static boolean isDeltaCRL(X509CRL crl)
>     >>>>>>>     {
>     >>>>>>>         Set critical = crl.getCriticalExtensionOIDs();
>     >>>>>>>         if (critical == null)
>     >>>>>>>         {
>     >>>>>>>             return false;
>     >>>>>>>         }
>     >>>>>>>         return
>     >>>>>>>
>     critical.contains(RFC3280CertPathUtilities.DELTA_CRL_INDICATOR);
>     >>>>>>>     }
>     >>>>>>>
>     >>>>>>> I've built an SL6 bouncycastle rpm which uses the fixed
>     >>>>>>> implementation of that function:
>     >>>>>>>
>     >>>>>>> rpm:
>     >>>>>>>
>     http://mirror.tier2.hep.manchester.ac.uk/Repositories/local/6/x86_64
>     <http://mirror.tier2.hep.manchester.ac.uk/Repositories/local/6/x86_64>
>     >>>>>>> /bouncycastle-1.46-1.el6.1.noarch.rpm
>     >>>>>>> src:
>     >>>>>>>
>     http://mirror.tier2.hep.manchester.ac.uk/Repositories/local/6/source
>     <http://mirror.tier2.hep.manchester.ac.uk/Repositories/local/6/source>
>     >>>>>>> s/bouncycastle-1.46-1.el6.1.src.rpm
>     >>>>>>> patch:
>     >>>>>>>
>     http://mirror.tier2.hep.manchester.ac.uk/tier2/deltacrl.patch
>     <http://mirror.tier2.hep.manchester.ac.uk/tier2/deltacrl.patch>
>     >>>>>>>
>     >>>>>>> After installing the rpm, my problems with the java voms
>     clients
>     >>>>disappeared.
>     >>>>>>>
>     >>>>>>> More testing is needed though.
>     >>>>>>>
>     >>>>>>> An alternative fix could be for the CA to add some critical
>     >>>>>>> extensions to the CRLs :-).
>     >>>>>>>
>     >>>>>>> Cheers,
>     >>>>>>> Robert
>     >>>>>>>
>     >>>>>>>
>     >>>>>>> On 29/11/17 17:56, Simon Fayer wrote:
>     >>>>>>>> Hi Robert,
>     >>>>>>>>
>     >>>>>>>> Hmm, we replaced the CA cert in
>     /etc/grid-security/certificates,
>     >>>>>>>> but didn't restart the daemons: this appeared to fix the
>     problems
>     >>>>>>>> with the voms-proxy-init client. Perhaps it's something
>     in the
>     >>>>>>>> returned proxy chain that crashes it rather than the SSL
>     connection
>     >>>>itself?
>     >>>>>>>>
>     >>>>>>>> (I just tested it now and voms.gridpp.ac.uk
>     <http://voms.gridpp.ac.uk> & voms02.gridpp.ac.uk
>     <http://voms02.gridpp.ac.uk>
>     >>>>>>>> were broken again for me, despite using the sha1 CA for
>     their SSL
>     >>>>>>>> connections (my test client was EL6.9 with UI
>     >>>>>>>>
>     /cvmfs/grid.cern.ch/umd-sl6ui-test/etc/profile.d/setup-ui-
>     <http://grid.cern.ch/umd-sl6ui-test/etc/profile.d/setup-ui->
>     >>>>example.s
>     >>>>>>>> h,
>     >>>>>>>> requesting a gridpp proxy ))
>     >>>>>>>>
>     >>>>>>>> Regards,
>     >>>>>>>> Simon
>     >>>>>>>>
>     >>>>>>>>
>     >>>>>>>> On Wed, Nov 29, 2017 at 05:33:48PM +0000, Robert Frank wrote:
>     >>>>>>>>> Hi Daniela,
>     >>>>>>>>>
>     >>>>>>>>> the daemons on voms03 return a sha256 signed CA cert in
>     the chain:
>     >>>>>>>>>
>     >>>>>>>>> echo "" | openssl s_client -connect
>     voms03.gridpp.ac.uk:15000 <http://voms03.gridpp.ac.uk:15000> -
>     >>>>showcerts 2>/dev/null | sed -n '/^ 1 s:/,/^ 2
>     s:/{/^-----BEGIN/,/^-----
>     >>>>END/p}' | openssl x509 -noout -text | sed -n 's/^\s*Signature
>     >>>>Algorithm:\s*//p'
>     >>>>>>>>> sha256WithRSAEncryption
>     >>>>>>>>> sha256WithRSAEncryption
>     >>>>>>>>>
>     >>>>>>>>> voms02 returns sha1 (and so does voms):
>     >>>>>>>>>
>     >>>>>>>>> echo "" | openssl s_client -connect
>     voms02.gridpp.ac.uk:15000 <http://voms02.gridpp.ac.uk:15000> -
>     >>>>showcerts 2>/dev/null | sed -n '/^ 1 s:/,/^ 2
>     s:/{/^-----BEGIN/,/^-----
>     >>>>END/p}' | openssl x509 -noout -text | sed -n 's/^\s*Signature
>     >>>>Algorithm:\s*//p'
>     >>>>>>>>> sha1WithRSAEncryption
>     >>>>>>>>> sha1WithRSAEncryption
>     >>>>>>>>>
>     >>>>>>>>> I think it's actually good that one of the servers is
>     using the new CA
>     >>>>certificates. Users that use the java voms client (which seems
>     to be the
>     >>>>default nowadays) and already have the new CA certificate can
>     still get
>     >>>>proxies this way. We already had a ticket from a na62 user who
>     couldn't get
>     >>>>a proxy.
>     >>>>>>>>> Yes, most users will be seeing error messages, but the
>     fall-back
>     >>>>should pick one working server.
>     >>>>>>>>>
>     >>>>>>>>> Cheers,
>     >>>>>>>>> Robert
>     >>>>>>>>>
>     >>>>>>>>> On 29/11/17 16:51, Daniela Bauer wrote:
>     >>>>>>>>>> Are you sure any of the vomsserevrs still have the new
>     cert on ?
>     >>>>>>>>>> voms03 certainly doesn't and I'm (almost) sure neither
>     does the
>     >>>>>>>>>> Manchester one. I couldn't just put a GridPP Brexit on  my
>     >>>>conscience.
>     >>>>>>>>>>
>     >>>>>>>>>> Regards,
>     >>>>>>>>>> Daniela
>     >>>>>>>>>>
>     >>>>>>>>>> On 29 November 2017 at 16:38, Jensen, Jens (STFC,RAL,SC) <
>     >>>>>>>>>> [log in to unmask] <mailto:[log in to unmask]>>
>     wrote:
>     >>>>>>>>>>
>     >>>>>>>>>>> Just to follow up on this, I happened to be in a call with
>     >>>>>>>>>>> Mischa from NIKHEF earlier today and we took some time
>     after
>     >>>>the
>     >>>>>>>>>>> call to discuss this peculiar problem. Mischa says he can
>     >>>>>>>>>>> replicate the problem - although he is not a member of a
>     >>>>>>>>>>> GridPP-hosted VO, he can contact the VOMS server and
>     trigger
>     >>>>the error in the client.
>     >>>>>>>>>>>
>     >>>>>>>>>>> It seems to be due to an ancient BouncyCastle library
>     (1.46) on
>     >>>>>>>>>>> SL6, as Steve also mentioned in the call this morning.
>     >>>>>>>>>>>
>     >>>>>>>>>>> Unfortunately Mischa says it's not possible to backport a
>     >>>>>>>>>>> working BC library because they make a lot of incompatible
>     >>>>changes between releases.
>     >>>>>>>>>>>
>     >>>>>>>>>>> Curiously, I just set up an SL6 (6.9) box in the cloud
>     and I
>     >>>>>>>>>>> cannot replicate the error. What am I missing?  This
>     is using Java
>     >>>>1.7.0 and UMD3.
>     >>>>>>>>>>>
>     >>>>>>>>>>> [jj47@vm102 ~]$ rpm -qa|grep igtf
>     >>>>>>>>>>> ca_policy_igtf-iota-1.88-1.noarch
>     >>>>>>>>>>> ca_policy_igtf-slcs-1.88-1.noarch
>     >>>>>>>>>>> ca_policy_igtf-classic-1.88-1.noarch
>     >>>>>>>>>>> ca_policy_igtf-mics-1.88-1.noarch
>     >>>>>>>>>>> [jj47@vm102 ~]$ rpm -qa|grep bouncy
>     >>>>>>>>>>> bouncycastle-1.46-1.el6.noarch
>     >>>>>>>>>>> bouncycastle-mail-1.46-2.el6.noarch
>     >>>>>>>>>>> [jj47@vm102 ~]$ voms-proxy-destroy
>     >>>>>>>>>>> [jj47@vm102 ~]$ voms-proxy-init3 -voms gridpp -vomses
>     >>>>>>>>>>> /etc/vomses/gridpp-voms02.gridpp.ac.uk
>     <http://gridpp-voms02.gridpp.ac.uk>
>     >>>>>>>>>>> Enter GRID pass phrase for this identity:
>     >>>>>>>>>>> Contacting voms02.gridpp.ac.uk:15000
>     <http://voms02.gridpp.ac.uk:15000>
>     >>>>>>>>>>>
>     >>>>[/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk
>     <http://voms02.gridpp.ac.uk>]
>     >>>>"gridpp"...
>     >>>>>>>>>>> Remote VOMS server contacted succesfully.
>     >>>>>>>>>>>
>     >>>>>>>>>>>
>     >>>>>>>>>>> Created proxy in /tmp/x509up_u500.
>     >>>>>>>>>>>
>     >>>>>>>>>>> Your proxy is valid until Thu Nov 30 04:24:25 GMT 2017
>     >>>>>>>>>>> [jj47@vm102 ~]$ voms-proxy-destroy
>     >>>>>>>>>>> [jj47@vm102 ~]$ voms-proxy-init3 -voms gridpp -vomses
>     >>>>>>>>>>> /etc/vomses/gridpp-voms.gridpp.ac.uk
>     <http://gridpp-voms.gridpp.ac.uk>
>     >>>>>>>>>>> Enter GRID pass phrase for this identity:
>     >>>>>>>>>>> Contacting voms.gridpp.ac.uk:15000
>     <http://voms.gridpp.ac.uk:15000>
>     >>>>>>>>>>>
>     >>>>[/C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk
>     <http://voms.gridpp.ac.uk>]
>     >>>>"gridpp"...
>     >>>>>>>>>>> Remote VOMS server contacted succesfully.
>     >>>>>>>>>>>
>     >>>>>>>>>>>
>     >>>>>>>>>>> Created proxy in /tmp/x509up_u500.
>     >>>>>>>>>>>
>     >>>>>>>>>>> Your proxy is valid until Thu Nov 30 04:24:52 GMT 2017
>     >>>>>>>>>>> [jj47@vm102 ~]$ voms-proxy-destroy
>     >>>>>>>>>>> [jj47@vm102 ~]$ voms-proxy-init3 -voms gridpp -vomses
>     >>>>>>>>>>> /etc/vomses/gridpp-voms03.gridpp.ac.uk
>     <http://gridpp-voms03.gridpp.ac.uk>
>     >>>>>>>>>>> Enter GRID pass phrase for this identity:
>     >>>>>>>>>>> Contacting voms03.gridpp.ac.uk:15000
>     <http://voms03.gridpp.ac.uk:15000>
>     >>>>>>>>>>>
>     >>>>[/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk
>     <http://voms03.gridpp.ac.uk>]
>     >>>>>>>>>>> "gridpp"...
>     >>>>>>>>>>> Remote VOMS server contacted succesfully.
>     >>>>>>>>>>>
>     >>>>>>>>>>>
>     >>>>>>>>>>> Created proxy in /tmp/x509up_u500.
>     >>>>>>>>>>>
>     >>>>>>>>>>> Your proxy is valid until Thu Nov 30 04:29:27 GMT 2017
>     >>>>>>>>>>>
>     >>>>>>>>>>> [jj47@vm102 ~]$ voms-proxy-info -all subject   :
>     >>>>>>>>>>> /C=UK/O=eScience/OU=CLRC/L=RAL/CN=jens sha2
>     >>>>>>>>>>> jensen/CN=198921768
>     >>>>>>>>>>> issuer    : /C=UK/O=eScience/OU=CLRC/L=RAL/CN=jens sha2
>     >>>>jensen
>     >>>>>>>>>>> identity  : /C=UK/O=eScience/OU=CLRC/L=RAL/CN=jens sha2
>     >>>>jensen
>     >>>>>>>>>>> type      : RFC3820 compliant impersonation proxy
>     strength  :
>     >>>>>>>>>>> 1024 path      : /tmp/x509up_u500 timeleft  : 11:53:48
>     key usage
>     >>>>>>>>>>> : Digital Signature, Key Encipherment, Data
>     Encipherment === VO
>     >>>>>>>>>>> gridpp extension information === VO        : gridpp
>     subject   :
>     >>>>>>>>>>> /C=UK/O=eScience/OU=CLRC/L=RAL/CN=jens sha2 jensen
>     >>>>issuer    :
>     >>>>>>>>>>>
>     >>>>/C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk
>     <http://voms03.gridpp.ac.uk>
>     >>>>>>>>>>> attribute : /gridpp/Role=NULL/Capability=NULL timeleft  :
>     >>>>>>>>>>> 11:53:48 uri       : voms03.gridpp.ac.uk:15000
>     <http://voms03.gridpp.ac.uk:15000>
>     >>>>>>>>>>>
>     >>>>>>>>>>
>     >>>>>>>>>>
>     >>>>>>>>>>
>
>
>
>
> -- 
> Sent from the pit of despair
>
> -----------------------------------------------------------
> [log in to unmask] <mailto:[log in to unmask]>
> HEP Group/Physics Dep
> Imperial College
> London, SW7 2BW
> Tel: +44-(0)20-75947810
> http://www.hep.ph.ic.ac.uk/~dbauer/
> <http://www.hep.ph.ic.ac.uk/%7Edbauer/>