dCache / dcache

dCache - a system for storing and retrieving huge amounts of data, distributed among a large number of heterogenous server nodes, under a single virtual filesystem tree with a variety of standard access methods
https://dcache.org

dCache xrootd door sha2 compliance #469

Closed ivukotic closed 9 years ago

ivukotic commented 10 years ago

Hi,

I use this command to test the issue:

```
xrdcp -d 1 -f root://uct2-s5.mwt2.org:1096/pnfs/uchicago.edu/atlaslocalgroupdisk/rucio/mc11_7TeV/f1/3d/NTUP_HSG2.01388734._000063.root.1 /dev/null
```

When using a SHA1 compliant x509 proxy everything works:

```
sec_PM: Loading gsi protocol object from libXrdSecgsi.so
140320 15:38:50 9347 secgsi_InitOpts: * ------------------------------------------------------------ *
140320 15:38:50 9347 secgsi_InitOpts: Mode: client
140320 15:38:50 9347 secgsi_InitOpts: Debug: 1
140320 15:38:50 9347 secgsi_InitOpts: CA dir: /cvmfs/atlas.cern.ch/repo/ATLASLocalRootBase/etc/grid-security-emi/certificates
140320 15:38:50 9347 secgsi_InitOpts: CA verification level: 1
140320 15:38:50 9347 secgsi_InitOpts: CRL dir: /cvmfs/atlas.cern.ch/repo/ATLASLocalRootBase/etc/grid-security-emi/certificates
140320 15:38:50 9347 secgsi_InitOpts: CRL extension: .r0
140320 15:38:50 9347 secgsi_InitOpts: CRL check level: 1
140320 15:38:50 9347 secgsi_InitOpts: CRL refresh time: 86400
140320 15:38:50 9347 secgsi_InitOpts: Certificate: /home/ivukotic/.globus/usercert.pem
140320 15:38:50 9347 secgsi_InitOpts: Key: /home/ivukotic/.globus/userkey.pem
140320 15:38:50 9347 secgsi_InitOpts: Proxy file: /home/ivukotic/x509_Proxy_old_cert
140320 15:38:50 9347 secgsi_InitOpts: Proxy validity: 12:00
140320 15:38:50 9347 secgsi_InitOpts: Proxy dep length: 0
140320 15:38:50 9347 secgsi_InitOpts: Proxy bits: 512
140320 15:38:50 9347 secgsi_InitOpts: Proxy sign option: 1
140320 15:38:50 9347 secgsi_InitOpts: Proxy delegation option: 0
140320 15:38:50 9347 secgsi_InitOpts: Allowed server names: uct2-s5.uchicago.edu|uct2-s6.uchicago.edu|uct2-s20.uchicago.edu
140320 15:38:50 9347 secgsi_InitOpts: Crypto modules: ssl
140320 15:38:50 9347 secgsi_InitOpts: Ciphers: aes-128-cbc:bf-cbc:des-ede3-cbc
140320 15:38:50 9347 secgsi_InitOpts: MDigests: sha1:md5
140320 15:38:50 9347 secgsi_InitOpts: * ------------------------------------------------------------ *
sec_PM: Using gsi protocol, args='v:10200,c:ssl,ca:c7a717ce'
140320 15:38:50 9347 cryptossl_X509::IsCA: certificate has 6 extensions
140320 15:38:50 9347 secgsi_VerifyCA: Warning: CA certificate not self-signed and integrity not checked: assuming OK (c7a717ce.0)
140320 15:38:50 9347 cryptossl_X509::IsCA: certificate has 4 extensions
140320 15:38:50 9347 cryptossl_X509::IsCA: certificate has 9 extensions
140320 15:38:50 9347 cryptossl_X509::IsCA: certificate has 9 extensions
140320 15:38:51 9347 Xrd: Open: Access to server granted.
```

With the SHA2 compliant x509 it does not work:

```
sec_PM: Loading gsi protocol object from libXrdSecgsi.so
140320 15:36:20 7157 secgsi_InitOpts: * ------------------------------------------------------------ *
140320 15:36:20 7157 secgsi_InitOpts: Mode: client
140320 15:36:20 7157 secgsi_InitOpts: Debug: 1
140320 15:36:20 7157 secgsi_InitOpts: CA dir: /cvmfs/atlas.cern.ch/repo/ATLASLocalRootBase/etc/grid-security-emi/certificates
140320 15:36:20 7157 secgsi_InitOpts: CA verification level: 1
140320 15:36:20 7157 secgsi_InitOpts: CRL dir: /cvmfs/atlas.cern.ch/repo/ATLASLocalRootBase/etc/grid-security-emi/certificates
140320 15:36:20 7157 secgsi_InitOpts: CRL extension: .r0
140320 15:36:20 7157 secgsi_InitOpts: CRL check level: 1
140320 15:36:20 7157 secgsi_InitOpts: CRL refresh time: 86400
140320 15:36:20 7157 secgsi_InitOpts: Certificate: /home/ivukotic/.globus/usercert.pem
140320 15:36:20 7157 secgsi_InitOpts: Key: /home/ivukotic/.globus/userkey.pem
140320 15:36:20 7157 secgsi_InitOpts: Proxy file: /home/ivukotic/x509_Proxy_new_cert
140320 15:36:20 7157 secgsi_InitOpts: Proxy validity: 12:00
140320 15:36:20 7157 secgsi_InitOpts: Proxy dep length: 0
140320 15:36:20 7157 secgsi_InitOpts: Proxy bits: 512
140320 15:36:20 7157 secgsi_InitOpts: Proxy sign option: 1
140320 15:36:20 7157 secgsi_InitOpts: Proxy delegation option: 0
140320 15:36:20 7157 secgsi_InitOpts: Allowed server names: uct2-s5.uchicago.edu|uct2-s6.uchicago.edu|uct2-s20.uchicago.edu
140320 15:36:20 7157 secgsi_InitOpts: Crypto modules: ssl
140320 15:36:20 7157 secgsi_InitOpts: Ciphers: aes-128-cbc:bf-cbc:des-ede3-cbc
140320 15:36:20 7157 secgsi_InitOpts: MDigests: sha1:md5
140320 15:36:20 7157 secgsi_InitOpts: * ------------------------------------------------------------ *
sec_PM: Using gsi protocol, args='v:10200,c:ssl,ca:c7a717ce'
140320 15:36:20 7157 cryptossl_X509::IsCA: certificate has 6 extensions
140320 15:36:20 7157 secgsi_VerifyCA: Warning: CA certificate not self-signed and integrity not checked: assuming OK (c7a717ce.0)
140320 15:36:20 7157 cryptossl_X509::IsCA: certificate has 4 extensions
140320 15:36:20 7157 cryptossl_X509::IsCA: certificate has 9 extensions
140320 15:36:20 7157 cryptossl_X509::IsCA: certificate has 9 extensions
140320 15:36:20 7157 Xrd: CheckErrorStatus: Server [uct2-s5.mwt2.org:1096] declared: Internal server error (null)(error code: 3012)
140320 15:36:20 7157 Xrd: DoAuthentication: Internal server error (null)
sec_Client: protocol request for host uct2-s5.mwt2.org token=''
XrdSec: No authentication protocols are available.
140320 15:36:20 7157 Xrd: Open: Authentication failure: Internal server error (null): unable to get protocol object
xrdcp: Copy from uct2-s5.mwt2.org failed on open!
xrdcp: Internal server error (null): unable to get protocol object.
```

In the log file I see:

```
20 Mar 2014 15:35:56 (Xrootd-uct2-s5) [] xrootd server error while processing org.dcache.xrootd.protocol.messages.AuthenticationRequest@78167a1d (please report this to support@dcache.org)
java.lang.NullPointerException: null
```
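Added example, not part of the original report or of the dCache or xrootd code: a small triage script that parses two `xrdcp -d 1` debug captures in the format quoted above, lists the client GSI options that differ between the working and failing run, and extracts the error the server declared. The sample log lines, host name and proxy paths are constructed placeholders.

```python
import re

# Constructed excerpts in the shape of the `xrdcp -d 1` output quoted above
# (host, paths and pids are placeholders, not values from the report).
RUN_OK = """\
140320 15:38:50 9347 secgsi_InitOpts: Proxy file: /tmp/proxy_sha1
140320 15:38:50 9347 secgsi_InitOpts: Proxy validity: 12:00
140320 15:38:50 9347 secgsi_InitOpts: MDigests: sha1:md5
140320 15:38:50 9347 cryptossl_X509::IsCA: certificate has 6 extensions
140320 15:38:51 9347 Xrd: Open: Access to server granted.
"""
RUN_FAIL = """\
140320 15:36:20 7157 secgsi_InitOpts: Proxy file: /tmp/proxy_sha2
140320 15:36:20 7157 secgsi_InitOpts: Proxy validity: 12:00
140320 15:36:20 7157 secgsi_InitOpts: MDigests: sha1:md5
140320 15:36:20 7157 cryptossl_X509::IsCA: certificate has 6 extensions
140320 15:36:20 7157 Xrd: CheckErrorStatus: Server [door.example.org:1096] declared: Internal server error (null)(error code: 3012)
140320 15:36:20 7157 Xrd: Open: Authentication failure: Internal server error (null): unable to get protocol object
"""

# "<yymmdd> <hh:mm:ss> <pid> <component>: <message>"
LINE = re.compile(r"^\d{6} \d{2}:\d{2}:\d{2} \d+ (\S+?): (.*)$")
DECLARED = re.compile(r"declared: (.*)\(error code: (\d+)\)")

def parse(text):
    """Return (client GSI options, server-declared error or None)."""
    opts, error = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # untimestamped lines such as "sec_PM: ..."
        component, message = m.groups()
        if component == "secgsi_InitOpts" and ": " in message:
            key, value = message.split(": ", 1)
            opts[key.strip()] = value.strip()
        elif component == "Xrd":
            d = DECLARED.search(message)
            if d:
                error = (d.group(1).strip(), int(d.group(2)))
    return opts, error

def compare(ok_text, fail_text):
    """Options that differ between the runs, plus the failing run's error."""
    ok_opts, _ = parse(ok_text)
    fail_opts, error = parse(fail_text)
    keys = sorted(set(ok_opts) | set(fail_opts))
    changed = {k: (ok_opts.get(k), fail_opts.get(k))
               for k in keys if ok_opts.get(k) != fail_opts.get(k)}
    return changed, error

if __name__ == "__main__":
    print(compare(RUN_OK, RUN_FAIL))
```

When the proxy file is the only differing option and the error is one the server declared, the client configuration is ruled out as the variable and the server-side log is the place to look.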

gbehrmann commented 9 years ago

I just noticed this ticket (we don't use the issue system on github). Is this still an issue with 2.10?

ivukotic commented 9 years ago

This is hard to recheck now. If the issue reappears I'll open another ticket, at the right place.

gbehrmann commented 9 years ago

Okay. In the meantime we have started to use GitHub issues, so this is now the correct place for bug reports (support requests still go to support@dcache.org).