Gsi crashes mgm on centos9

Hi,

I am testing EOS on centos9 stream servers. It works fine with krb5, but gsi crashes the mgm. I am using the 5.1.8 release:
eos-server-5.1.8-1.el9.x86_64
eos-xrootd-5.5.5-1.el9.x86_64

settings:
sec.protocol gsi -crl:1 -cert:/etc/grid-security/hostcert.pem -key:/etc/grid-security/hostkey.pem -certdir:/etc/grid-security/certificates -gridmap:/etc/grid-security/grid-mapfile -gmapopt:trymap
sec.protbind * only krb5 gsi sss

#########################################################################

-----------------------------------------------------------------------

Responsible thread =>

-----------------------------------------------------------------------

Thread 367 (Thread 0x7f70e85f7640 (LWP 3445) "xrootd"):

#########################################################################
#6
#7 0x00007f71d1ee3f24 in BN_get_flags () from /lib64/libcrypto.so.3
#8 0x00007f71d1ee5291 in BN_copy () from /lib64/libcrypto.so.3
#9 0x00007f71d1fa9186 in ossl_ffc_validate_public_key_partial () from /lib64/libcrypto.so.3
#10 0x00007f71d1fa920e in ossl_ffc_validate_public_key () from /lib64/libcrypto.so.3
#11 0x00007f71d206c460 in dh_validate.lto_priv () from /lib64/libcrypto.so.3
#12 0x00007f71d1fa19e1 in try_provided_check () from /lib64/libcrypto.so.3
#13 0x00007f71d1fa1a71 in evp_pkey_public_check_combined () from /lib64/libcrypto.so.3
#14 0x00007f71d1f97683 in EVP_PKEY_derive_set_peer_ex () from /lib64/libcrypto.so.3
#15 0x00007f71d09ea459 in XrdCryptosslCipher::Finalize(bool, char*, int, char const*) () from /opt/eos/xrootd/lib64/libXrdCryptossl-5.so
#16 0x00007f71d0a2ddf3 in XrdSecProtocolgsi::ServerDoCert(XrdSutBuffer*, XrdSutBuffer**, XrdOucString&) () from /opt/eos/xrootd/lib64/libXrdSecgsi-5.so
#17 0x00007f71d0a3ce75 in XrdSecProtocolgsi::ParseServerInput(XrdSutBuffer*, XrdSutBuffer**, XrdOucString&) () from /opt/eos/xrootd/lib64/libXrdSecgsi-5.so
#18 0x00007f71d0a3d32f in XrdSecProtocolgsi::Authenticate(XrdSecBuffer*, XrdSecBuffer**, XrdOucErrInfo*) () from /opt/eos/xrootd/lib64/libXrdSecgsi-5.so
#19 0x00007f71d2cea2c7 in XrdXrootdProtocol::do_Auth() () from /opt/eos/xrootd/lib64/libXrdServer.so.3
#20 0x00007f71d2cdcdd6 in XrdXrootdProtocol::Process2() () from /opt/eos/xrootd/lib64/libXrdServer.so.3
#21 0x00007f71d2c1f520 in XrdLinkXeq::DoIt() () from /opt/eos/xrootd/lib64/libXrdUtils.so.3
#22 0x00007f71d2c1bed2 in XrdLink::setProtocol(XrdProtocol*, bool, bool) () from /opt/eos/xrootd/lib64/libXrdUtils.so.3
#23 0x00007f71d2c2246a in XrdScheduler::Run() () from /opt/eos/xrootd/lib64/libXrdUtils.so.3
#24 0x00007f71d2c22569 in XrdStartWorking(void*) () from /opt/eos/xrootd/lib64/libXrdUtils.so.3
#25 0x00007f71d2bb0a68 in XrdSysThread_Xeq () from /opt/eos/xrootd/lib64/libXrdUtils.so.3
#26 0x00007f71d249f802 in start_thread () from /lib64/libc.so.6
#27 0x00007f71d243f450 in clone3 () from /lib64/libc.so.6

I am not sure if this is an EOS bug, an xrootd bug or a misconfiguration (I did not set up eos before). Any clues?

Also, gsi would not work on centos9 unless the openssl policy is set to LEGACY; it fails on cert trust chain verification in mgm initialization.

Thanks.
Andrej

Seems to be an xrootd issue; it fails with a simple xrootd server as well, with all openssl3 versions on centos9.
Andrej