tlsv1 alert decrypt error

[Michal Zacek]

Hi

when I try to connect to our collection, the file manager displays this error:

Command Failed: Error (connect)
Endpoint: vdi.img.cas.cz (96e65514-42e1-4da0-820b-06865e673117)
Server: 147.231.150.162:443
Message: Could not connect to server
---
Details: an authentication operation failed\nglobus_xio_gsi: gss_init_sec_context failed.\nGSS failure: \nGSS Major Status: Authentication Failed\nGSS Minor Status Error Chain:\nglobus_gsi_gssapi: SSL handshake problems\nglobus_gsi_gssapi: Unable to verify remote side's credentials\nglobus_gsi_gssapi: SSL handshake problems: Couldn't do ssl handshake\nOpenSSL Error: ../ssl/record/rec_layer_s3.c:1543: in library: SSL routines, function ssl3_read_bytes: tlsv1 alert decrypt error SSL alert number 51\n\n     

The important thing is  "tlsv1 alert decrypt" at the end. Tlsv1 is deprecated and not supported in RedHat 9 and its clones (rocky, alma, centos stream).
Why is Globus using this old deprecated protocol?

I'm not sure what changed RedHat or Globus, but it was working a month a go.

Thanks.

Regards
Michal

[Michael Link]

The connection failure is due to the certificate configured on that
node; you can see that https://1a0cdf.08cc.data.globus.org/api/info
answers with the wrong certificate. There could be an apache
configuration error, or it is possible there is something intercepting
connections.

We can follow up if you'd like to open a ticket at sup...@globus.org.
If so, send the output of 'sudo globus-connect-server self-diagnostic'.

Mike

[Michal Zacek]

Hi Mike,

you were right. Our firewall was messing with the certificates.
Thank you,
Michal

Dne úterý 20. února 2024 v 18:38:32 UTC+1 uživatel ml...@globus.org napsal: