
Bad behaviour for `pool.mover.http-tpc.authn.crl-mode=IF_VALID`

Open paulmillar opened this issue 2 years ago • 0 comments

I was attempting an HTTP-TPC transfer from a zenodo URL.

The host presents the following certificate chain:

```
paul@sprocket:~$ openssl s_client -connect zenodo.org:443
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.zenodo.org
verify return:1
---
Certificate chain
 0 s:CN = *.zenodo.org
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
---
```

The root CA ("AAA Certificate Services") and second intermediate CA ("Sectigo RSA Domain Validation Secure Server CA") are both missing from the standard IGTF trust bundle; however, the first intermediate CA ("USERTrust RSA Certification Authority") is present.

As the second intermediate CA ("Sectigo RSA Domain Validation Secure Server CA") is unknown, there are no namespace files in the IGTF trust bundle. Moreover, namespace verification makes no sense for server certificates. Therefore the configuration property `pool.mover.http-tpc.authn.namespace-mode=IGNORE` is needed.

According to the documentation, `pool.mover.http-tpc.authn.crl-mode=IF_VALID` should enforce CRL, if a CRL file is present; however, with this setting, the certificate-chain validation should not fail if the CRL file is missing.

However, with this setting, http-tpc transfers fail with the following error:

```
[[failure: The peer's certificate with subject's DN CN=*.zenodo.org was rejected. The peer's certificate status is: FAILED The following validation errors were found:;error at position 1 in chain, problematic certificate subject: CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB (category: OTHER): org.bouncycastle.jce.provider.AnnotatedException: CertPath for CRL signer failed to validate.
```

Configuring the pool with `pool.mover.http-tpc.authn.crl-mode=IGNORE` allows transfers to succeed, but means that CRLs are no longer being examined when checking the remote party's X.509 server certificate, for HTTP-TPC transfers.

This looks like a bug in CaNL.

paulmillar, May 03 '22 10:05
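Added example (not dCache or CaNL code): a minimal path walk over a constructed chain shaped like the one in the report (the trust bundle holds the middle CA but not the root that signed it, nor the leaf's issuing CA), showing what the crl-mode values are expected to do when a CRL is missing, is signed by a key other than the issuer's, or lists the certificate. It uses the `cryptography` library; all names and keys are constructed, `REQUIRE` is assumed to be the third mode alongside the two named above, and the walk checks only signatures, CRLs and trust-anchor reach (no validity-period, name-chaining or basic-constraints checks).

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

NOW = datetime.now(timezone.utc)
_name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
_spki = lambda c: c.public_key().public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)
def make_cert(cn, issuer_cn, issuer_key, key):  # constructed test certificate for `key`
    return (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(_name(issuer_cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(days=1)).not_valid_after(NOW + timedelta(days=30))
            .sign(issuer_key, hashes.SHA256()))

def make_crl(issuer_cert, signing_key, revoked_serial=None):  # constructed CRL
    b = (x509.CertificateRevocationListBuilder().issuer_name(issuer_cert.subject)
         .last_update(NOW - timedelta(hours=1)).next_update(NOW + timedelta(days=1)))
    if revoked_serial is not None:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder().serial_number(revoked_serial)
                                      .revocation_date(NOW).build())
    return b.sign(signing_key, hashes.SHA256())

def validate(chain, anchors, crls, crl_mode):
    """chain[0] is the leaf; `crls` maps issuer RFC 4514 name -> CRL. Returns (ok, reason)."""
    anchor_keys = {_spki(a) for a in anchors}
    for pos, (cert, issuer) in enumerate(zip(chain, chain[1:])):
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except Exception: return False, f"bad signature at position {pos}"
        crl = None if crl_mode == "IGNORE" else crls.get(issuer.subject.rfc4514_string())
        if crl is None:  # IF_VALID (and IGNORE) tolerate a missing CRL; REQUIRE does not
            if crl_mode == "REQUIRE": return False, f"no CRL for issuer of position {pos}"
        elif not crl.is_signature_valid(issuer.public_key()):  # CRL must be signed by the issuer
            return False, f"CRL signer check failed at position {pos}"
        elif crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return False, f"certificate at position {pos} is revoked"
        if _spki(issuer) in anchor_keys:  # stop here: the anchor's own issuer is never consulted
            return True, f"trust anchor reached at position {pos + 1}"
    return False, "chain does not reach a trust anchor"

def build_scenario():  # mirrors the report: bundle holds the middle CA, not its root or the leaf's CA
    root_k, mid_k, ica_k, leaf_k = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    mid = make_cert("Test Mid CA", "Test Root", root_k, mid_k)
    ica = make_cert("Test Issuing CA", "Test Mid CA", mid_k, ica_k)
    leaf = make_cert("host.example", "Test Issuing CA", ica_k, leaf_k)
    return dict(chain=[leaf, ica, mid], anchors=[mid], crl_ok=make_crl(ica, ica_k),
                crl_revoked=make_crl(ica, ica_k, leaf.serial_number), crl_bad_signer=make_crl(ica, root_k))
```

With an empty CRL map, `IF_VALID` accepts the chain and `REQUIRE` rejects it at position 0; a CRL for the issuing CA that is signed by some other key is rejected under `IF_VALID` and skipped under `IGNORE`.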