Hi Adrian, Maarten,
the command to use for a proxy is:
PROXY=/tmp/x509up_u$(id -u)
openssl s_client -CApath /etc/grid-security/certificates \
-CAfile $PROXY -cert $PROXY -key $PROXY \
-connect <HOST>:<PORT>
The crucial point is to include the -CAfile with the proxy. Leaving this
out means the server cannot complete the chain and you'll get the
missing CA error (which is actually missing the EEC).
I'm not sure but I think the -allow_proxy_certs doesn't really do much.
Also, I think it (nowadays) only seems to work with RFC proxies (the
default).
For using an end-entity cert you'd be using something like:
openssl s_client -CApath /etc/grid-security/certificates \
-cert $HOME/.globus/usercert.pem \
-key $HOME/.globus/userkey.pem \
-connect <HOST>:<PORT>
The same is more or less true for using curl, incl. when using NSS:
PROXY=/tmp/x509up_u$(id -u)
curl -v --capath /etc/grid-security/certificates \
--cacert $PROXY --cert $PROXY --key $PROXY \
https://<HOST>:<PORT>/...
Curl still seems to accept legacy proxies.
Cheers,
Mischa
On Sun, Feb 03, 2019 at 01:52:08PM +0000, Maarten Litmaath wrote:
> Hi Adrian,
> just like your openssl command needed the -allow_proxy_certs option
> to allow the certificate chain in the proxy to be traversed as desired,
> your server needs a similar configuration for processing proxies.
>
> Mind that by default a certificate is issued by a _CA_ (with the CA flag set),
> whereas in a proxy the chain contains at least 1 proxy certificate that was
> signed by another ordinary certificate, viz. either a preceding proxy or the
> end-entity (e.g. user) certificate.
>
> ________________________________________
> From: LHC Computer Grid - Rollout [[log in to unmask]] on behalf of Adrian Sevcenco [[log in to unmask]]
> Sent: 01 February 2019 20:21
> To: [log in to unmask]
> Subject: [LCG-ROLLOUT] openssl :: connecting to server using {voms,grid}proxy
>
> Hi! I am trying to connect to a web service (Tomcat-based, serving
> websocket) using a normal grid proxy ...
> I can connect with my certificate, but when trying with my proxy I get:
>
> depth=0 DC = ch, DC = cern, OU = computers, CN = <hidden>.cern.ch
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 DC = ch, DC = cern, OU = computers, CN = <hidden>.cern.ch
> verify error:num=21:unable to verify the first certificate
> verify return:1
> SSL_connect:SSLv3/TLS read server certificate
> SSL_connect:SSLv3/TLS read server key exchange
> SSL_connect:SSLv3/TLS read server certificate request
> SSL_connect:SSLv3/TLS read server done
> SSL_connect:SSLv3/TLS write client certificate
> SSL_connect:SSLv3/TLS write client key exchange
> SSL_connect:SSLv3/TLS write certificate verify
> SSL_connect:SSLv3/TLS write change cipher spec
> SSL_connect:SSLv3/TLS write finished
> SSL3 alert read:fatal:certificate unknown
> SSL_connect:error in SSLv3/TLS write finished
> 139666604848960:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert
> certificate unknown:ssl/record/rec_layer_s3.c:1407:SSL alert number 46
> ---
> Certificate chain
> 0 s:/DC=ch/DC=cern/OU=computers/CN=<hidden>.cern.ch
> i:/DC=ch/DC=cern/CN=CERN Grid Certification Authority
>
> ....
> ....
> SSL handshake has read 27041 bytes and written 5454 bytes
> Verification error: unable to verify the first certificate
> ---
> New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : ECDHE-RSA-AES128-GCM-SHA256
> Session-ID:
> 5C54987AEAB59483AAEEA16BDE2DC6E9D35B4EB118D3DC3361B231E643360EC5
> Session-ID-ctx:
> Master-Key:
> A0B2C5F73DF06C6E17370FECB542349B4DC29ABFB870F237FD835BE6289DD9D3F9CDEC27919A282440D5A74588637E5B
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> Start Time: 1549047930
> Timeout : 7200 (sec)
> Verify return code: 21 (unable to verify the first certificate)
> Extended master secret: no
>
>
> In contrast, when using my certificate I get the same error!!!! but I can
> connect:
> depth=0 DC = ch, DC = cern, OU = computers, CN = <hidden>.cern.ch
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 DC = ch, DC = cern, OU = computers, CN = <hidden>.cern.ch
> verify error:num=21:unable to verify the first certificate
> verify return:1
> SSL_connect:SSLv3/TLS read server certificate
> SSL_connect:SSLv3/TLS read server key exchange
> SSL_connect:SSLv3/TLS read server certificate request
> SSL_connect:SSLv3/TLS read server done
> SSL_connect:SSLv3/TLS write client certificate
> SSL_connect:SSLv3/TLS write client key exchange
> SSL_connect:SSLv3/TLS write certificate verify
> SSL_connect:SSLv3/TLS write change cipher spec
> SSL_connect:SSLv3/TLS write finished
> SSL_connect:SSLv3/TLS write finished
> SSL_connect:SSLv3/TLS read change cipher spec
> SSL_connect:SSLv3/TLS read finished
> ---
> Certificate chain
> 0 s:/DC=ch/DC=cern/OU=computers/CN=<hidden>.cern.ch
> i:/DC=ch/DC=cern/CN=CERN Grid Certification Authority
>
> ....
> ....
> ---
> SSL handshake has read 27085 bytes and written 1936 bytes
> Verification error: unable to verify the first certificate
> ---
> New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : ECDHE-RSA-AES128-GCM-SHA256
> Session-ID:
> 5C549924AE1707AA8E8012E070ECB63498941405D0BC35FB1D76CA6FAAD235C4
> Session-ID-ctx:
> Master-Key:
> A8CB8E344CDA799936848F1E29ADC3B710B4AD9D3DA16CB768005FDA6DB55CD05497753BA2E41510DF38A7DFDA84828F
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> Start Time: 1549048100
> Timeout : 7200 (sec)
> Verify return code: 21 (unable to verify the first certificate)
> Extended master secret: no
>
> I know that with proxy does not work because connection is closed
> immediately but with my proxy it remains open waiting for requests
>
> The used command is of the form
> openssl s_client -showcerts -state -allow_proxy_certs -verify_depth 10
> -connect ${SERVER_PORT} \
> followed by -CApath -chainCApath -verifyCApath options that specify
> /etc/grid-security/certificates and $HOME/.globus, and similar options
> with file instead of path for $HOME/.globus/usercert.pem and for
> /tmp/x509up_u${UID}
>
> So, the presence of the IGTF CA certs I would say is confirmed on
> both sides... what is missing in order to use the proxy certificate?
>
> Thanks a lot!!
> Adrian
>
>
>
> ########################################################################
>
> To unsubscribe from the LCG-ROLLOUT list, click the following link:
> https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=LCG-ROLLOUT&A=1
>
--
Nikhef Room H155
Science Park 105 Tel. +31-20-592 5102
1098 XG Amsterdam Fax +31-20-592 5155
The Netherlands Email [log in to unmask]
__ .. ... _._. .... ._ ... ._ ._.. ._.. .._..
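An added, self-contained demonstration of the point Mischa makes above (this is example code written for this page, not code from the thread; the CA, user and proxy names, DNs and serials are made up, and nothing here talks to a real grid service). It uses openssl(1) to build a throwaway chain of a CA, an end-entity certificate (EEC) and an RFC 3820 proxy signed with the EEC's own key, assembles them into a file with the same layout as /tmp/x509up_u<uid> (proxy cert, proxy key, EEC cert), and then runs `openssl verify` the way a server-side verifier would. The assumptions are a reasonably recent openssl with `-allow_proxy_certs` and the `proxyCertInfo` config syntax, and `mktemp -d`. Three runs show the three states: with only the CA in the trust store the chain stops at depth 0 with "unable to get local issuer certificate" (the "missing CA" that is really a missing EEC); with the EEC supplied from the proxy file via `-untrusted` but proxy support off, OpenSSL reports "proxy certificates not allowed"; with the EEC and `-allow_proxy_certs` it verifies. The `-untrusted` file here plays the role that `-CAfile $PROXY` plays for s_client: it is where the EEC comes from.

```sh
#!/bin/sh
# Added example (not from the thread): build a throwaway CA -> EEC -> RFC 3820 proxy
# chain with openssl(1) and show which inputs a verifier needs before a proxy
# validates. All names, DNs and serials below are made up.

# Minimal openssl config. req wants a distinguished_name section even when the
# subject comes from -subj; the v3_* sections are the extensions per cert type.
write_config() {
cat >"$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = overridden by -subj
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_eec ]
basicConstraints = CA:FALSE
[ v3_proxy ]
# RFC 3820: the proxyCertInfo extension is what makes this a proxy certificate
proxyCertInfo = critical,language:id-ppl-inheritAll
EOF
}

# Create ca.pem, user.pem (the EEC, explicitly not a CA) and proxy.pem, which is
# signed with the EEC's own key and whose subject is the EEC subject plus one CN.
# Then write x509up in the grid proxy layout: proxy cert, proxy key, EEC cert.
setup_pki() {
    dir=$1
    cfg=$dir/openssl.cnf
    write_config "$cfg"
    for n in ca user proxy; do
        openssl genrsa -out "$dir/$n.key" 2048 2>/dev/null || return 1
    done
    openssl req -new -config "$cfg" -key "$dir/ca.key" \
        -subj "/DC=org/DC=example/CN=Example Grid CA" -out "$dir/ca.csr" || return 1
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 2 \
        -extfile "$cfg" -extensions v3_ca -out "$dir/ca.pem" || return 1
    openssl req -new -config "$cfg" -key "$dir/user.key" \
        -subj "/DC=org/DC=example/CN=Alice User" -out "$dir/user.csr" || return 1
    openssl x509 -req -in "$dir/user.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -set_serial 2 -days 1 -extfile "$cfg" -extensions v3_eec -out "$dir/user.pem" || return 1
    openssl req -new -config "$cfg" -key "$dir/proxy.key" \
        -subj "/DC=org/DC=example/CN=Alice User/CN=12345" -out "$dir/proxy.csr" || return 1
    openssl x509 -req -in "$dir/proxy.csr" -CA "$dir/user.pem" -CAkey "$dir/user.key" \
        -set_serial 12345 -days 1 -extfile "$cfg" -extensions v3_proxy -out "$dir/proxy.pem" || return 1
    cat "$dir/proxy.pem" "$dir/proxy.key" "$dir/user.pem" >"$dir/x509up"
}

# Number of certificates in a proxy file: the proxy plus the EEC that bridges to the CA.
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Verify proxy.pem against ca.pem like a server-side verifier would, in one of three modes:
#   no-eec      trust store only, the EEC is never seen (error 20, unable to get local issuer)
#   eec-no-flag EEC taken from x509up, but proxy certificates not enabled (error 41)
#   eec-flag    EEC from x509up and -allow_proxy_certs set (OK)
# Returns openssl verify's exit status.
verify_chain() {
    dir=$1
    case $2 in
        no-eec)      set -- ;;
        eec-no-flag) set -- -untrusted "$dir/x509up" ;;
        eec-flag)    set -- -allow_proxy_certs -untrusted "$dir/x509up" ;;
        *) echo "unknown mode: $2" >&2; return 2 ;;
    esac
    openssl verify -CAfile "$dir/ca.pem" "$@" "$dir/proxy.pem"
}

if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    setup_pki "$work" 2>/dev/null
    echo "certificates in x509up: $(cert_count "$work/x509up")"
    openssl x509 -in "$work/proxy.pem" -noout -subject -issuer
    for mode in no-eec eec-no-flag eec-flag; do
        echo "== $mode"
        verify_chain "$work" "$mode"
    done
fi
```

Run it as `sh proxy-chain-demo.sh`; the three verify results come out in order. Mapped onto the thread: the first case is a server that holds the IGTF CAs but never receives the EEC, which is what leaving out `-CAfile $PROXY` produces according to the reply above; the second versus third case is Maarten's point that the server side also has to be configured to accept proxies, since even with the full chain in hand OpenSSL rejects a proxy certificate until that flag is set.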