dCache / dcache

dCache - a system for storing and retrieving huge amounts of data, distributed among a large number of heterogenous server nodes, under a single virtual filesystem tree with a variety of standard access methods
https://dcache.org

TLS v1.3 is failing for WebDAV #5213

Open paulmillar opened 4 years ago

paulmillar commented 4 years ago

The HTTP-TPC smoke tests use X.509 client authentication in various places.

When curl (using NSS for TLS support) attempts to initiate a TLS connection with dCache, that handshake fails. Curl reports the following:

    * NSS: client certificate from file
    *   subject: CN=proxy,CN=Robot - grid client - Paul Millar (client software tester),OU=DESY,O=GermanGrid,C=DE
    *   start date: Nov 26 12:50:28 2019 GMT
    *   expire date: Nov 27 00:55:28 2019 GMT
    *   common name: proxy
    *   issuer: CN=Robot - grid client - Paul Millar (client software tester),OU=DESY,O=GermanGrid,C=DE
    * NSS error -8191 (SEC_ERROR_LIBRARY_FAILURE)
    * security library failure.
    * Closing connection 0

This is with curl v7.67.0, and NSS v3.44.0.

Limiting the TLS version to v1.2 (--tls-max 1.2 in curl) seems to provide a work-around, allowing the TLS handshake to succeed.

paulmillar commented 4 years ago

This problem seems to be tied to upgrading to Java v11; Java v8 does not support TLS v1.3. If dCache is running on Java v8 and a client attempts a TLS v1.3 handshake then the handshake will succeed using TLS v1.2.

paulmillar commented 4 years ago

Further details: the problem is client side, when run on a CentOS 7.8 machine.

    -bash-4.2$ curl -V
    curl 7.71.1 (x86_64-redhat-linux-gnu) libcurl/7.71.1 NSS/3.44 zlib/1.2.7 libpsl/0.7.0 (+libicu/50.1.2) libssh2/1.9.0 nghttp2/1.33.0
    Release-Date: 2020-07-01
    Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp 
    Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz Metalink NTLM NTLM_WB PSL SPNEGO SSL UnixSockets
    -bash-4.2$ 

This problem appears to be triggered by attempting to authenticate with a proxy credential.

The problem goes away if...

The failure seems to be within LIBNSS. Enabling trace (via curl's --trace - option):

    -bash-4.2$ curl --trace - --capath /etc/grid-security/certificates -E /tmp/x509up_u15691 https://discordia.desy.de:2443/
    == Info:   Trying 2001:638:700:1004::1:30:2443...
    [...]
    == Info: NSS: client certificate from file
    == Info:        subject: CN=1120368938,CN=Robot - grid client - Paul Millar (client software tester),OU=DESY,O=GermanGrid,C=DE
    == Info:        start date: Jul 16 21:02:43 2020 GMT
    == Info:        expire date: Jul 17 09:02:43 2020 GMT
    == Info:        common name: 1120368938
    == Info:        issuer: CN=Robot - grid client - Paul Millar (client software tester),OU=DESY,O=GermanGrid,C=DE
    == Info: NSS error -8191 (SEC_ERROR_LIBRARY_FAILURE)
    == Info: security library failure.

Note that this version of curl requires the --cacert trick to send the EEC with the proxy.
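The comparison this thread walks through by hand (client-cert handshake with TLS capped at 1.3 versus 1.2, checking for the NSS library failure) as a small diagnostic script; this is an added example, not dCache code or anything posted in the issue. It assumes curl's `--tls-max`, `-E` and `--capath` options as used above, and the sample trace text at the bottom is constructed from the issue's output so the classifier can be exercised offline.

```shell
#!/bin/sh
# Classify one curl verbose/trace capture (stdin text passed as $1):
# "nss-library-failure" for the SEC_ERROR_LIBRARY_FAILURE seen in the issue,
# "ok" if a TLS session was established or an HTTP status came back,
# "other-failure" for anything else (DNS, connect refused, cert validation...).
classify_tls_attempt() {
  if printf '%s\n' "$1" | grep -q 'SEC_ERROR_LIBRARY_FAILURE'; then
    echo nss-library-failure
  elif printf '%s\n' "$1" | grep -Eq 'SSL connection using|HTTP/[0-9.]+ [0-9]{3}'; then
    echo ok
  else
    echo other-failure
  fi
}

# One probe: same credential and CA path, TLS version capped at $4 (e.g. 1.2 or 1.3).
probe_tls_max() {
  url=$1; cred=$2; capath=$3; maxver=$4
  out=$(curl -sS -v --tls-max "$maxver" --capath "$capath" -E "$cred" \
        -o /dev/null "$url" 2>&1) || true
  classify_tls_attempt "$out"
}

# Run both probes and say whether the result matches the pattern in this issue.
compare_tls_versions() {
  url=$1; cred=$2; capath=$3
  r13=$(probe_tls_max "$url" "$cred" "$capath" 1.3)
  r12=$(probe_tls_max "$url" "$cred" "$capath" 1.2)
  echo "tls-max 1.3: $r13"
  echo "tls-max 1.2: $r12"
  if [ "$r13" = nss-library-failure ] && [ "$r12" = ok ]; then
    echo "verdict: client-auth handshake fails only under TLS 1.3 (pattern from this issue)"
  else
    echo "verdict: no TLS-1.3-specific failure observed"
  fi
}

# Constructed samples, modelled on the curl output quoted in the issue.
SAMPLE_NSS_FAILURE='* NSS: client certificate from file
*   common name: proxy
* NSS error -8191 (SEC_ERROR_LIBRARY_FAILURE)
* security library failure.
* Closing connection 0'
SAMPLE_OK='* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
< HTTP/1.1 200 OK'

# Usage: sh probe.sh https://host:2443/ /tmp/x509up_uNNNN /etc/grid-security/certificates
if [ $# -ge 3 ]; then compare_tls_versions "$@"; fi
```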