jglobus / JGlobus

jGlobus is a collection of Java client libraries for Globus® Toolkit security, GRAM, and GridFTP.
http://www.globus.org/toolkit/jglobus/
Apache License 2.0

CRL reloading #112

Closed jrevillard closed 10 years ago

jrevillard commented 11 years ago

Hi,

It seems that there is still an issue with the CRL reloading mechanism (and certainly also the CA certificates). I use the myproxy client inside a web application. After some time, I obtained:

Caused by: org.globus.common.ChainedIOException: Authentication failed [Caused by: Path validation failed. CRL issued by C=FR,O=CNRS,CN=GRID2-FR has expired]
    at org.globus.gsi.gssapi.net.GssSocket.startHandshake(GssSocket.java:149) ~[gss.jar:na]
    at org.globus.gsi.gssapi.net.GssSocket.getOutputStream(GssSocket.java:165) ~[gss.jar:na]
    at org.globus.myproxy.MyProxy.get(MyProxy.java:959) ~[myproxy.jar:na]
    ... 29 common frames omitted
Caused by: org.globus.gsi.gssapi.GlobusGSSException: Path validation failed. CRL issued by C=FR,O=CNRS,CN=GRID2-FR has expired
    at org.globus.gsi.gssapi.GlobusGSSContextImpl.initSecContext(GlobusGSSContextImpl.java:1096) ~[gss.jar:na]
    at org.globus.gsi.gssapi.net.GssSocket.authenticateClient(GssSocket.java:106) ~[gss.jar:na]
    at org.globus.gsi.gssapi.net.GssSocket.startHandshake(GssSocket.java:144) ~[gss.jar:na]
    ... 31 common frames omitted
Caused by: org.globus.gsi.gssapi.GlobusGSSException: Path validation failed. CRL issued by C=FR,O=CNRS,CN=GRID2-FR has expired
    at org.globus.gsi.gssapi.GlobusGSSContextImpl.sslProcessHandshake(GlobusGSSContextImpl.java:881) ~[gss.jar:na]
    at org.globus.gsi.gssapi.GlobusGSSContextImpl.initSecContext(GlobusGSSContextImpl.java:1009) ~[gss.jar:na]
    ... 33 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1031) ~[na:1.6.0_27]
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:508) ~[na:1.6.0_27]
    at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1115) ~[na:1.6.0_27]
    at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1087) ~[na:1.6.0_27]
    at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469) ~[na:1.6.0_27]
    at org.globus.gsi.gssapi.GlobusGSSContextImpl.sslProcessHandshake(GlobusGSSContextImpl.java:812) ~[gss.jar:na]
    ... 34 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.6.0_27]
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1507) ~[na:1.6.0_27]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:259) ~[na:1.6.0_27]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:251) ~[na:1.6.0_27]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1168) ~[na:1.6.0_27]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153) ~[na:1.6.0_27]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:609) ~[na:1.6.0_27]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:549) ~[na:1.6.0_27]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:547) ~[na:1.6.0_27]
    at java.security.AccessController.doPrivileged(Native Method) ~[na:1.6.0_27]
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:968) ~[na:1.6.0_27]
    at org.globus.gsi.gssapi.GlobusGSSContextImpl.runDelegatedTasks(GlobusGSSContextImpl.java:345) ~[gss.jar:na]
    at org.globus.gsi.gssapi.GlobusGSSContextImpl.sslProcessHandshake(GlobusGSSContextImpl.java:850) ~[gss.jar:na]
    ... 34 common frames omitted
Caused by: java.security.cert.CertificateException: Path validation failed. CRL issued by C=FR,O=CNRS,CN=GRID2-FR has expired
    at org.globus.gsi.trustmanager.PKITrustManager.checkServerTrusted(PKITrustManager.java:109) ~[ssl-proxies.jar:na]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1160) ~[na:1.6.0_27]
    ... 42 common frames omitted
Caused by: java.security.cert.CertPathValidatorException: CRL issued by C=FR,O=CNRS,CN=GRID2-FR has expired
    at org.globus.gsi.trustmanager.CRLChecker.checkCRLDateValidity(CRLChecker.java:212) ~[ssl-proxies.jar:na]
    at org.globus.gsi.trustmanager.CRLChecker.invoke(CRLChecker.java:143) ~[ssl-proxies.jar:na]
    at org.globus.gsi.trustmanager.X509ProxyCertPathValidator.checkCertificate(X509ProxyCertPathValidator.java:410) ~[ssl-proxies.jar:na]
    at org.globus.gsi.trustmanager.X509ProxyCertPathValidator.validate(X509ProxyCertPathValidator.java:165) ~[ssl-proxies.jar:na]
    at org.globus.gsi.trustmanager.X509ProxyCertPathValidator.engineValidate(X509ProxyCertPathValidator.java:107) ~[ssl-proxies.jar:na]
    at org.globus.gsi.trustmanager.PKITrustManager.checkServerTrusted(PKITrustManager.java:107) ~[ssl-proxies.jar:na]

The CRL is properly refreshed by fetch_crl.

This is certainly due to the fact that the "static" stores are used almost everywhere instead of an object that can be refreshed.

Best
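
One way to hold CRLs in an object that can be refreshed, as the comment above suggests. This is an added example, not JGlobus code; the class name `ReloadingCrlStore`, the `*.r0` file pattern for the directory fetch-crl writes into, and Java 7 or later are assumptions.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.util.*;
import javax.security.auth.x500.X500Principal;

/** Hypothetical refreshable CRL holder; not a JGlobus class. */
public final class ReloadingCrlStore {
    private final Path dir;            // assumed: directory that fetch-crl writes *.r0 files into
    private final long maxAgeMillis;   // how long a snapshot may be served before re-reading
    private volatile Map<X500Principal, X509CRL> snapshot = Collections.emptyMap();
    private volatile long loadedAt;    // 0 = never loaded

    public ReloadingCrlStore(Path dir, long maxAgeMillis) {
        this.dir = dir;
        this.maxAgeMillis = maxAgeMillis;
    }

    /** Returns the CRL for an issuer, re-reading the directory if the snapshot is stale. */
    public X509CRL crlFor(X500Principal issuer) throws Exception {
        X509CRL crl = snapshot.get(issuer);
        long now = System.currentTimeMillis();
        boolean stale = loadedAt == 0 || now - loadedAt > maxAgeMillis;
        // A cached CRL past nextUpdate is the failure in the trace: reload before rejecting.
        boolean expired = crl != null && crl.getNextUpdate() != null
                && crl.getNextUpdate().getTime() < now;
        if (stale || expired) {
            reload();
            crl = snapshot.get(issuer);
        }
        return crl;
    }

    private synchronized void reload() throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Map<X500Principal, X509CRL> fresh = new HashMap<X500Principal, X509CRL>();
        try (DirectoryStream<Path> files = Files.newDirectoryStream(dir, "*.r0")) {
            for (Path p : files) {
                try (InputStream in = Files.newInputStream(p)) {
                    X509CRL crl = (X509CRL) cf.generateCRL(in);
                    fresh.put(crl.getIssuerX500Principal(), crl);
                }
            }
        }
        snapshot = Collections.unmodifiableMap(fresh);  // atomic swap; readers never see a partial map
        loadedAt = System.currentTimeMillis();
    }
}
```

The caller still has to reject the chain when the CRL returned after a reload is past its nextUpdate; reloading only removes the case where the file on disk is fresh and the in-memory copy is not.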

jrevillard commented 10 years ago

Any news on this? As soon as I have time I will try to make a pull request.

Best, Jerome