Open paulmillar opened 4 years ago
This problem seems to be tied to upgrading to Java v11: Java v8 does not support TLS v1.3. If dCache is running on Java v8 and a client attempts a TLS v1.3 handshake, then the handshake will succeed using TLS v1.2.
Further details: the problem is client-side, when run on a CentOS 7.8 machine.
```
-bash-4.2$ curl -V
curl 7.71.1 (x86_64-redhat-linux-gnu) libcurl/7.71.1 NSS/3.44 zlib/1.2.7 libpsl/0.7.0 (+libicu/50.1.2) libssh2/1.9.0 nghttp2/1.33.0
Release-Date: 2020-07-01
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz Metalink NTLM NTLM_WB PSL SPNEGO SSL UnixSockets
-bash-4.2$
```
This problem appears to be triggered by attempting to authenticate with a proxy credential.
The problem goes away if curl is run with the `--tls-max 1.2` option. The failure seems to be within LIBNSS. Enabling trace (via curl's `--trace -` option) gives:
```
-bash-4.2$ curl --trace - --capath /etc/grid-security/certificates -E /tmp/x509up_u15691 https://discordia.desy.de:2443/
== Info:   Trying 2001:638:700:1004::1:30:2443...
[...]
== Info: NSS: client certificate from file
== Info:   subject: CN=1120368938,CN=Robot - grid client - Paul Millar (client software tester),OU=DESY,O=GermanGrid,C=DE
== Info:   start date: Jul 16 21:02:43 2020 GMT
== Info:   expire date: Jul 17 09:02:43 2020 GMT
== Info:   common name: 1120368938
== Info:   issuer: CN=Robot - grid client - Paul Millar (client software tester),OU=DESY,O=GermanGrid,C=DE
== Info: NSS error -8191 (SEC_ERROR_LIBRARY_FAILURE)
== Info: security library failure.
```
Note that this version of curl requires the `--cacert` trick to send the EEC with the proxy.
The HTTP-TPC smoke tests use X.509 client authentication in various places.
When curl (using NSS for TLS support) attempts to initiate a TLS connection with dCache, that handshake fails. Curl reports the following:
This is with curl v7.67.0, and NSS v3.44.0.
Limiting the TLS version to v1.2 (`--tls-max 1.2` in curl) seems to provide a work-around, allowing the TLS handshake to succeed.
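As an added example (not code from this issue, from dCache or from curl), a small POSIX shell helper that turns the observations above into a check: if `curl -V` reports NSS as the TLS backend and the credential file is a proxy chain, emit the `--tls-max 1.2` work-around, and recognise the trace signature quoted above. The function names and the "more than one certificate in the PEM means proxy credential" heuristic are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the dCache issue. Heuristic helpers for the
# NSS/TLS 1.3 proxy-credential failure described above.

# Return 0 if the given `curl -V` output names NSS as the TLS backend
# (e.g. "libcurl/7.71.1 NSS/3.44" on the CentOS 7.8 build quoted above).
curl_uses_nss() {
    printf '%s\n' "$1" | grep -q 'libcurl/[^ ]* NSS/'
}

# Return 0 if the PEM file holds more than one certificate. A proxy
# credential carries the proxy certificate plus the EEC, so this is the
# (assumed) tell-tale; a plain EEC file has exactly one certificate.
is_proxy_credential() {
    [ "$(grep -c 'BEGIN CERTIFICATE' "$1")" -gt 1 ]
}

# Return 0 if a `curl --trace -` log shows the failure signature from the
# report: NSS loaded a client certificate, then failed with error -8191.
trace_matches_bug() {
    printf '%s\n' "$1" | grep -q 'NSS: client certificate from file' &&
    printf '%s\n' "$1" | grep -q 'NSS error -8191 (SEC_ERROR_LIBRARY_FAILURE)'
}

# Print the extra curl option needed for this combination, or nothing.
# Arguments: $1 = output of `curl -V`, $2 = path to the client credential.
tls_workaround_opts() {
    if curl_uses_nss "$1" && is_proxy_credential "$2"; then
        printf '%s' '--tls-max 1.2'
    fi
}

# Typical use (network call, so not run here):
#   cred=/tmp/x509up_uNNNN   # placeholder for the real proxy file
#   curl $(tls_workaround_opts "$(curl -V)" "$cred") \
#        --capath /etc/grid-security/certificates -E "$cred" https://host:2443/
```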