bcfg2 client query hangs

[Lisa Giacchetti <[email protected]…>]

Hi,

I have run into the following issue with the bcfg2 -vqn on SSL cert config on bcfg2-1.0pre3

This is centos release 5 server using same machine as the client. I run bcfg2 -vqn and it hangs with no output. strace shows that it reads the ca and the hostkey.pem and then starts to process the hostcert.pem at which point it hangs on a read. eventually it times out and starts the process of evaluating the ca, hostkey etc again and hangs again. Time out error is "connection reset by peer"

read(3, 0x9db63b0, 7)                   = -1 ECONNRESET (Connection reset by peer)
futex(0x9d03a38, FUTEX_WAKE, 1)         = 0
futex(0x9d03a38, FUTEX_WAKE, 1)         = 0
futex(0x9d03a38, FUTEX_WAKE, 1)         = 0
futex(0x9d03a38, FUTEX_WAKE, 1)         = 0
futex(0x9d03a38, FUTEX_WAKE, 1)         = 0
futex(0x9d03a38, FUTEX_WAKE, 1)         = 0
futex(0x9d03a38, FUTEX_WAKE, 1)         = 0
futex(0x9d03a38, FUTEX_WAKE, 1)         = 0
futex(0x9d03a38, FUTEX_WAKE, 1)         = 0
fcntl64(3, F_GETFL)                     = 0x2 (flags O_RDWR)
fcntl64(3, F_SETFL, O_RDWR)             = 0
select(0, NULL, NULL, NULL, {0, 500000}) = 0 (Timeout)
futex(0x9cb53d8, FUTEX_WAKE, 1)         = 0
futex(0x9cb53d8, FUTEX_WAKE, 1)         = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 4
getpeername(4, 0xbfa45248, [ae621612f78837dc2052be3f813cfcb915ce83a1] (SVN r16))        = -1 ENOTCONN (Transport endpoint is not connected)

My /etc/bcfg2.conf communications section looks like this:

[communication]
protocol = xmlrpc/ssl
key = /etc/grid-security/hostkey.pem
certificate = /etc/grid-security/hostcert.pem
ca = /etc/grid-security/certificates/1c3f2ca8.0

[Lisa Giacchetti <…>]

Hi development team,

my colleague was able to get the certificates working by doing a couple of things which I detail below. It seems that the password entry in the config file is still needed despite the fact that it looks like the encrypted ssl certificate authentication is being used. Is there still some piece of passwd based authentication that needs to be removed?

1. config:

[communication]
password = XXXXXXXXXX      # uncommented
ca = /etc/grid-security/AA

where CA contains:

cat hostcert.pem > AA
cat certificates/1c3f2ca8.0 >>AA
cat certificates/d1b603c3.0 >>AA

2. Server side:

for the wrap_socket added in def get_request(self) / SSLServer.py:

                  cert_reqs=ssl.CERT_REQUIRED,
                                  ssl_version=ssl.PROTOCOL_TLSv1,

3. Client side - replaced:

           #self.sock = ssl.SSLSocket(rawsock, cert_reqs=self.ca_mode,
           #                          ca_certs=self.ca, suppress_ragged_eofs=True,
           #                          keyfile=self.key, certfile=self.cert)
           self.sock = ssl.wrap_socket(rawsock, server_side=False,
                                   certfile=self.cert,
                                   keyfile=self.key,
                                   cert_reqs=ssl.CERT_REQUIRED,
                                   ssl_version=ssl.PROTOCOL_TLSv1,
                                   ca_certs=self.ca)
   
   

[solj]

Looks like this was added in [ca974668ba340af041471df42bb246116d1b2a0c] (SVN r5297). Thanks for reporting what worked for you.

[Richardheef]

Further, due to variations in contour, conception of natural agencies of oral fields remains viscous. [​https://my.swu.edu/ICS/icsfs/tabfen24.html?target=8c64ca36-ed51-48ec-b8a5-733e30018c6c duromine prescription - Many leaflets tend to be milder in production, and lower in eight-ball.