Venue server connection issue

Robert Olson olson at mcs.anl.gov
Wed Feb 4 15:20:09 CST 2004


A related problem is this: say I have several venue servers I connect to, 
and each requires a different identity. We should have a mechanism to 
automatically choose the proper identity to use for a given venue server.

Some of this may be deducible from the SSL handshake - as part of the 
CertificateRequest message the server sends a list of authorities that it 
recognizes. The challenge is getting this information back out of globus; 
not doable I'm guessing in the default interface since you can't even get 
the certificate for a peer out of an existing connection:

http://bugzilla.globus.org/globus/show_bug.cgi?id=312

It appears to be the case that the SSL_get_client_CA_list call may provide 
this information, if one could insert code into the middle of the SSL 
handshake. (This is where it'd be nice to use raw SSL ourselves, and have 
access to stuff like this, and the ability to do SSL renegotiation to 
accept an unauthenticated request for something like the information query, 
then renegotiate to an authenticated connection once the proper information 
has been passed. It'd give us access to SSL connection caching too, to 
eliminate the big startup handshake times. Sigh.

However not inconceivable to incorporate the globus proxy verification code 
into a simple SSL-based thing; that's all the globus stuff is doing...)

--bob
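As an added example (not part of Bob's post, nor Globus or AccessGrid code): a parser for the TLS CertificateRequest body that pulls out the certificate_authorities list the server advertises, plus a selector that picks the local credential whose issuer appears in that list. The CA names, the identity table and the sample request are constructed for the demo; in a real client the list would come from SSL_get_client_CA_list or a handshake callback, as the post suggests.

```python
import struct

def der_cn(cn: str) -> bytes:
    """Minimal DER Name with one commonName RDN (demo helper; names under 128 bytes)."""
    s = cn.encode("ascii")
    atv = b"\x06\x03\x55\x04\x03\x13" + bytes([len(s)]) + s  # OID 2.5.4.3, PrintableString
    atv = b"\x30" + bytes([len(atv)]) + atv                  # AttributeTypeAndValue
    rdn = b"\x31" + bytes([len(atv)]) + atv                  # RelativeDistinguishedName (SET)
    return b"\x30" + bytes([len(rdn)]) + rdn                 # Name (SEQUENCE)

def parse_certificate_request(body: bytes, tls12: bool = False):
    """Parse a CertificateRequest handshake body (RFC 2246 s7.4.4; RFC 5246 inserts
    supported_signature_algorithms before the CA list when tls12=True).
    Returns (certificate_types, [DER DistinguishedName, ...])."""
    off = 0
    n = body[off]; off += 1
    types = list(body[off:off + n]); off += n            # certificate_types<1..2^8-1>
    if tls12:
        (n,) = struct.unpack_from("!H", body, off); off += 2 + n  # skip sig/hash pairs
    (total,) = struct.unpack_from("!H", body, off); off += 2
    end = off + total                                     # certificate_authorities<0..2^16-1>
    if end > len(body):
        raise ValueError("certificate_authorities length exceeds message")
    cas = []
    while off < end:
        (dn_len,) = struct.unpack_from("!H", body, off); off += 2
        if dn_len == 0 or off + dn_len > end:
            raise ValueError("malformed DistinguishedName entry")
        cas.append(bytes(body[off:off + dn_len])); off += dn_len
    return types, cas

def choose_identity(advertised_cas, identities):
    """identities: [(label, issuer_der), ...]. Return the first label whose issuer
    the server listed, or None if none of our credentials would be accepted."""
    trusted = set(advertised_cas)
    for label, issuer in identities:
        if issuer in trusted:
            return label
    return None

def build_certificate_request(types, cas) -> bytes:
    """Encode a CertificateRequest body (used here only to construct the sample)."""
    blob = b"".join(struct.pack("!H", len(dn)) + dn for dn in cas)
    return bytes([len(types)]) + bytes(types) + struct.pack("!H", len(blob)) + blob

# Constructed sample data: two venue-server CAs and two local credentials.
CA_A, CA_B = der_cn("Venue CA A"), der_cn("Venue CA B")
IDENTITIES = [("home-proxy", der_cn("Home Grid CA")), ("venue-b-proxy", CA_B)]
SAMPLE_REQUEST = build_certificate_request([1], [CA_A, CA_B])  # 1 = rsa_sign
```

Running `choose_identity(parse_certificate_request(SAMPLE_REQUEST)[1], IDENTITIES)` selects "venue-b-proxy", the only local credential issued by a CA the server listed.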
