DMC - Development, issue DMC-1114

DAVIX adds cert chain multiple times

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: davix 0.7.1
    • Component/s: None
    • Security Level: Public Data (This ticket is visible to anyone on the internet and will be indexed by search engines)
    • Labels: None

      Description

      Each time a libneon session is reused and a client cert is needed, this block of code is invoked:

      https://gitlab.cern.ch/dmc/davix/blob/devel/deps/libneon/src/ne_openssl.c#L564-570

      This adds the proxy certificate chain once for each reconnection attempt. At least against Xrootd, reconnections can be reliably triggered if we use gfal-copy -p and transfer to a destination directory structure that doesn't exist (the MKCOL fails, which triggers a reconnection).

      Eventually, the many duplicate intermediate certificates added to the connection trigger an error due to SSL message size.

      In particular, CMS is seeing stageout failures "in real life" for any certificate chain over about 16KB. On the server side, we see:

      140096252663552:error:1408E098:SSL routines:ssl3_get_message:excessive message size:s3_both.c:417:
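      The accumulation pattern the ticket describes, as an added illustration that is not davix or libneon code: a constructed session model whose attached certificate chain grows on every reconnect (the buggy path) versus one guarded by a loaded-once flag (one possible shape of a fix, not necessarily the project's). The chain sizes and the roughly 16KB rejection threshold are constructed from the figures quoted in the report.

```c
#include <stddef.h>

/* Constructed model of the per-session state behind the ticket: the extra
 * certificate chain attached to the connection before each TLS handshake.
 * Not libneon/davix code; it only reproduces the growth pattern. */
#define MAX_CHAIN_CERTS 64
/* Approximate size at which the reporter saw the server reject the
 * Certificate message; constructed threshold, not an OpenSSL constant. */
#define MAX_CERT_MSG_LEN (16 * 1024)

struct session {
    size_t chain_count;                  /* certs currently attached        */
    size_t chain_bytes[MAX_CHAIN_CERTS]; /* DER length of each attached cert */
    int chain_loaded;                    /* guard used only by the fixed path */
};

/* Constructed proxy chain: DER sizes of proxy cert, user cert, intermediate CA. */
static const size_t PROXY_CHAIN[] = { 1200, 1500, 1400 };
#define PROXY_CHAIN_LEN (sizeof PROXY_CHAIN / sizeof PROXY_CHAIN[0])

/* Appends the whole proxy chain to the connection; -1 if the list is full. */
static int attach_proxy_chain(struct session *s) {
    for (size_t i = 0; i < PROXY_CHAIN_LEN; i++) {
        if (s->chain_count >= MAX_CHAIN_CERTS) return -1;
        s->chain_bytes[s->chain_count++] = PROXY_CHAIN[i];
    }
    return 0;
}

/* Buggy pattern: every (re)connect on a reused session re-attaches the chain. */
static int connect_buggy(struct session *s) { return attach_proxy_chain(s); }

/* Fixed pattern: attach once per session; later reconnects reuse it. */
static int connect_fixed(struct session *s) {
    if (s->chain_loaded) return 0;
    if (attach_proxy_chain(s) != 0) return -1;
    s->chain_loaded = 1;
    return 0;
}

/* Bytes of the TLS Certificate handshake body the server must accept:
 * 3-byte list length plus a 3-byte length prefix before each certificate. */
size_t certificate_message_len(const struct session *s) {
    size_t n = 3;
    for (size_t i = 0; i < s->chain_count; i++) n += 3 + s->chain_bytes[i];
    return n;
}

/* Message size after `reconnects` connection attempts on one reused session. */
size_t cert_msg_len_after(int reconnects, int fixed) {
    struct session s = { 0, {0}, 0 };
    for (int i = 0; i < reconnects; i++)
        if ((fixed ? connect_fixed(&s) : connect_buggy(&s)) != 0) break;
    return certificate_message_len(&s);
}

int server_would_reject(int reconnects, int fixed) {
    return cert_msg_len_after(reconnects, fixed) > MAX_CERT_MSG_LEN;
}
```

With this chain the buggy path crosses the threshold on the fourth connection attempt, while the guarded path stays at a single copy of the chain however often the session reconnects.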
      

    People

    • Assignee: bbockelm (Brian Paul Bockelman)
    • Reporter: bbockelm (Brian Paul Bockelman)
    • Votes: 0
    • Watchers: 3