FTS support for 2048 bit proxies
In testing the MWT2 FTS with the fts-cli/fts-rest-cli tools (see e.g. bulk data notes ), we've started seeing:
DESTINATION [13] globus_ftp_client: the server responded with an error 530 530-globus_xio: Authentication Error 530-GSS failure: 530-GSS Major Status: Authentication Failed 530-GSS Minor Status Error Chain: 530-globus_gsi_gssapi: SSL handshake problems 530-OpenSSL Error: ssl/statem/statem_srvr.c:3713: in library: SSL routines, function tls_process_client_certificate: certificate verify failed 530-globus_gsi_callback_module: Could not verify credential 530-globus_gsi_callback_module: Could not verify credential: EE
This is the same error that was observed with gfal-utils
after ldas-pcdev12
was upgraded to RL8 and it started complaining about weak encryption.
Further investigation showed that we can still transfer between end points which are still on SL7. The suspicion is that FTS is truncating the proxy to 1024 bits, which would produce this behavior.
Paths forward:
- Persuade RL8 servers to accept 1024 bit proxies
- Prevent FTS from truncating 2048 to 1024.
Note that 2048 bits is the strength of proxies generated by upstream rucio tools.