globus openssl trouble: please upgrade to gt5.0.2

I have been trying to investigate the reported issue and I can't figure out for which Ubuntu releases the bug is relevant.

For Ubuntu 10.04 LTS (lucid) the version of globus-gssapi-gsi is 5.9-4. Version 5.9 is the version found in Globus Toolkit 4.2.1. This is an old version that doesn't have the fix for openssl 0.9.8m or later, but lucid is using openssl 0.9.8k so using this of globus-gssapi.-gsi with the version of openssl on lucid is OK.

For Ubuntu 10.10 (maverick) and 11.04 (natty) the version of globus-gssapi-gsi is 7.5-2. Version 7.5 is the version found in Globus Toolkit 5.0.1 and 5.0.2. The code in the source package is extracted from 5.0.1 but updating to the code from 5.0.2 is pointless since it is the same version. When there is a new Globus Toolkit release only those packages that actually changed from the previous release is updated. Version 5.2 of globus-gssapi-gsi contains CVS revision 1.55.2.5 of the file globus_i_gsi_gss_utils.c. The change mentioned in the bug report was introduced in the 5.0 branch in CVS revision 1.55.2.2 and is therefore already part of the version of globus-gssapi-gsi that is in maverick and natty. So the bug report doesn't seem to relevant for these either.

For Ubuntu 11.11 (oneiric) the version is even newer, 7.8, found in Globus Toolkit 5.0.4.

I also don't think that the error message mentioned in the report: "Can't get the local trusted CA certificate: Cannot find trusted CA certificate with hash cab33b4a in /etc/grid-security/certificates/" is relevant for this issue. If the openssl compatibility was a problem you would get some internal openssl error. This seems to be just a missing CA cert in your installation.

Thanks for looking into this. At the time I investigated the problem and found that something with an openssl callback didn't work as it should, causing the unknown CA error message. The relevant CA was installed, you can see the locally compiled gt5.0.2 invocation succeeding.

What you mention about version numbers is interesting. And the problem is indeed still occuring on 11.04:
  $ globus-url-copy gsiftp://host/file file:///tmp/q
  error: globus_ftp_client: the server responded with an error
  535 Authentication failed: GSSException: Failure unspecified at GSS-API level [Caused by: Unknown CA]
while an strace shows that the correct files from /etc/grid-security/certificates are found and read. Binaries built from upstream's gt5.0.2 do work still.

Further investigation shows that Ubuntu's libglobus_gssapi_gsi.so.4 is the culprit; when using upstream's libglobus_gssapi_gsi_gcc64dbg.so.0 (LD_LIBRARY_PATH with symlinks) the same binary works:

  $ globus-url-copy gsiftp://host/file file:///tmp/q && wc -l /tmp/q
  error: globus_ftp_client: the server responded with an error
  535 Authentication failed: GSSException: Failure unspecified at GSS-API level [Caused by: Unknown CA]
  $ ldd /usr/bin/globus-url-copy | grep -v '=> \(/usr\)\?/lib'
 linux-vdso.so.1 => (0x00007fffb9cd5000)
 /lib64/ld-linux-x86-64.so.2 (0x00007fa235081000)
  $ mkdir /tmp/foo && cd /tmp/foo
  $ cp /tmp/prefix-gt5.0.2-orig/lib/libglobus_gssapi_gsi_gcc64dbg.so.0 libglobus_gssapi_gsi.so.4
  $ ldd libglobus_gssapi_gsi.so.4 | sed 's!^\s*\(\(.*\)_gcc.*\.so.*\) => not found!ln -s /usr/lib/\2.so.? \1!p;d' >dolink.sh && sh dolink.sh
  $ LD_LIBRARY_PATH=/tmp/foo ldd /usr/bin/globus-url-copy | grep -v '=> \(/usr\)\?/lib'
 linux-vdso.so.1 => (0x00007fffb05ff000)
 libglobus_gssapi_gsi.so.4 => /tmp/foo/libglobus_gssapi_gsi.so.4 (0x00007f87cc4e7000)
 /lib64/ld-linux-x86-64.so.2 (0x00007f87cd5e2000)
  $ LD_LIBRARY_PATH=/tmp/foo globus-url-copy gsiftp://host/file file:///tmp/q && wc -l /tmp/q
  3 /tmp/q

Comparing the source files between Ubuntu's globus-gssapi-gsi-7.5/library/* and /tmp/gt5.0.2-all-source-installer/source-trees/gsi/gssapi/source/library/ did not show any difference, however. I'll see if I can find anything more, but if you have any ideas they would be welcome.

oh, the transcript has some confusing linebreaks. I'm attaching it as well.

I can not reproduce the error in neither maverick nor natty.

ellert@ubuntu-natty:~$ apt-cache policy libglobus-gssapi-gsi4libglobus-gssapi-gsi4:
  Installerad: 7.5-2
  Kandidat: 7.5-2
  Versionstabell:
 *** 7.5-2 0
        500 http://se.archive.ubuntu.com/ubuntu/ natty/universe amd64 Packages
        100 /var/lib/dpkg/status
ellert@ubuntu-natty:~$ globus-url-copy gsiftp://ubuntu-natty/home/ellert/primenumbers /tmp/primenumbers
ellert@ubuntu-natty:~$ ls -l /tmp/primenumbers
-rw-r--r-- 1 ellert ellert 6467659 2011-10-09 06:44 /tmp/primenumbers

This bug may have to do with the use of old-style proxies vs. rfc proxies. If I use 'grid-proxy-init -old' I'm getting the mentioned error; if I use an RFC proxy it works fine.

If I use the legacy pre-rfc proxy format I see the problem on both maverick and natty.

Recompiling the globus-gsiapi-gsi source package without any changes, will create a working library. THe code in the source package is up to date w.r.t. support for openssl >= 0.9.8m.

However, looking at the buildlogs of the build of globus-gssapi-gsi 7.5-2 that is available in maverick and natty it can be seen that libssl-dev_0.9.8k-7ubuntu8_amd64.deb was installed during the build. That is, the package was built before openssl was updated to version 0.9.8o that is the version in maverick and natty.

Rebuilding the package without changes using the libssl-dev version that is in the release will solve the problem, since the compilation will then include source lines that are inside an

#if (OPENSSL_VERSION_NUMBER >= 0x009080dfL)

preprocessor conditional.

Good thinking!

The attachment "Debdiff for fixing the issue on natty" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-sponsors please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

Thanks for the debdiffs. They look fine except the version numbers do not follow https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging as per the SRU procedures. I have adjusted them and will upload shortly.

Uploaded to natty-proposed and maverick-proposed. Thanks again!

Hello wvengen, or anyone else affected,

Accepted globus-gssapi-gsi into natty-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Hello wvengen, or anyone else affected,

Accepted globus-gssapi-gsi into maverick-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Verification for MavericK:

* Recreating the bug with the current package:
ellert@ubuntu-maverick:~$ globus-url-copy gsiftp://grid.tsl.uu.se/storage/ellert/testfile testfile

error: an end-of-file was reached
globus_xio: An end of file occurred

* Installing the new package:
ellert@ubuntu-maverick:~$ sudo dpkg --install libglobus-gssapi-gsi4_7.5-2ubuntu0.10.10.1_amd64.deb
[sudo] password for ellert:
(Läser databasen ... 180010 filer och kataloger installerade.)
Förbereder att ersätta libglobus-gssapi-gsi4 7.5-2 (med libglobus-gssapi-gsi4_7.5-2ubuntu0.10.10.1_amd64.deb) ...
Packar upp ersättande libglobus-gssapi-gsi4 ...
Ställer in libglobus-gssapi-gsi4 (7.5-2ubuntu0.10.10.1) ...
Hanterar utlösare för libc-bin ...
ldconfig deferred processing now taking place

* Verifying that the new package works:
ellert@ubuntu-maverick:~$ globus-url-copy gsiftp://grid.tsl.uu.se/storage/ellert/testfile testfile
ellert@ubuntu-maverick:~$ ls testfile
testfile

Verification for Natty:

* Recreating the bug with the current package:
ellert@ubuntu-natty:~$ globus-url-copy gsiftp://grid.tsl.uu.se/storage/ellert/testfile testfile

error: an end-of-file was reached
globus_xio: An end of file occurred

* Installing the new package:
ellert@ubuntu-natty:~$ sudo dpkg --install libglobus-gssapi-gsi4_7.5-2ubuntu0.11.04.1_amd64.deb
[sudo] password for ellert:
(Läser databasen ... 220547 filer och kataloger installerade.)
Förbereder att ersätta libglobus-gssapi-gsi4 7.5-2 (med libglobus-gssapi-gsi4_7.5-2ubuntu0.11.04.1_amd64.deb) ...
Packar upp ersättande libglobus-gssapi-gsi4 ...
Ställer in libglobus-gssapi-gsi4 (7.5-2ubuntu0.11.04.1) ...
Hanterar utlösare för libc-bin ...
ldconfig deferred processing now taking place

* Verifying that the new package works:
ellert@ubuntu-natty:~$ globus-url-copy gsiftp://grid.tsl.uu.se/storage/ellert/testfile testfile
ellert@ubuntu-natty:~$ ls testfile
testfile

This bug was fixed in the package globus-gssapi-gsi - 7.5-2ubuntu0.10.10.1

---------------
globus-gssapi-gsi (7.5-2ubuntu0.10.10.1) maverick-proposed; urgency=low

  * Rebuild for openssl >= 0.9.8m (LP: #703897)
 -- Mattias Ellert <email address hidden> Thu, 13 Oct 2011 07:24:58 +0200

This bug was fixed in the package globus-gssapi-gsi - 7.5-2ubuntu0.11.04.1

---------------
globus-gssapi-gsi (7.5-2ubuntu0.11.04.1) natty-proposed; urgency=low

  * Rebuild for openssl >= 0.9.8m (LP: #703897)
 -- Mattias Ellert <email address hidden> Thu, 13 Oct 2011 06:19:36 +0200