Tools/Manuals/TS15

failed unwrapping ENC message

Full message

$ uberftp some-SE.some-domain
220 some-SE.some-domain GridFTP Server 1.12 GSSAPI type Globus/GSI wu-2.6.2
 (gcc32dbg, 1062606889-42) ready. 
535-FTPD GSSAPI error: GSS Major Status: General failure 
535-FTPD GSSAPI error: GSS Minor Status Error Chain: 
535-FTPD GSSAPI error:  
535-FTPD GSSAPI error: unwrap.c:273: gss_unwrap: internal problem with SSL BIO:
 SSL_read rc=-1 
535-FTPD GSSAPI error: OpenSSL Error: a_verify.c:109: in library:
 asn1 encoding routines, function ASN1_verify: bad get asn1 object call 
535-FTPD GSSAPI error: OpenSSL Error: rsa_eay.c:578: in library:
 rsa routines, function RSA_EAY_PUBLIC_DECRYPT: padding check failed 
535-FTPD GSSAPI error: OpenSSL Error: rsa_pk1.c:100: in library:
 rsa routines, function RSA_padding_check_PKCS1_type_1: block type is not 01 
535-FTPD GSSAPI error: OpenSSL Error: a_verify.c:109: in library:
 asn1 encoding routines, function ASN1_verify: bad get asn1 object call 
535-FTPD GSSAPI error: OpenSSL Error: rsa_sign.c:149: in library:
 rsa routines, function RSA_verify: wrong signature length 
535-FTPD GSSAPI error: OpenSSL Error: a_verify.c:109: in library:
 asn1 encoding routines, function ASN1_verify: bad get asn1 object call 
535-FTPD GSSAPI error: OpenSSL Error: rsa_eay.c:578: in library:
 rsa routines, function RSA_EAY_PUBLIC_DECRYPT: padding check failed 
535-FTPD GSSAPI error: OpenSSL Error: rsa_pk1.c:100: in library:
 rsa routines, function RSA_padding_check_PKCS1_type_1: block type is not 01 
535-FTPD GSSAPI error: OpenSSL Error: a_verify.c:109: in library:
 asn1 encoding routines, function ASN1_verify: bad get asn1 object call 
535-FTPD GSSAPI error: OpenSSL Error: rsa_sign.c:149: in library:
 rsa routines, function RSA_verify: wrong signature length 
535-FTPD GSSAPI error: OpenSSL Error: a_verify.c:109: in library:
 asn1 encoding routines, function ASN1_verify: bad get asn1 object call 
535-FTPD GSSAPI error: OpenSSL Error: rsa_sign.c:149: in library:
 rsa routines, function RSA_verify: wrong signature length 
535-FTPD GSSAPI error: OpenSSL Error: a_verify.c:109: in library:
 asn1 encoding routines, function ASN1_verify: bad get asn1 object call 
535-FTPD GSSAPI error: OpenSSL Error: rsa_eay.c:578: in library:
 rsa routines, function RSA_EAY_PUBLIC_DECRYPT: padding check failed 
535-FTPD GSSAPI error: OpenSSL Error: rsa_pk1.c:100: in library:
 rsa routines, function RSA_padding_check_PKCS1_type_1: block type is not 01 
535 FTPD GSSAPI error: failed unwrapping ENC message

Or with lcg-utils:

$ lcg-cp -v --vo ops file:/etc/group gsiftp://some-SE.some-domain/tmp/foo.$$
Source URL: file:/etc/group
File size: 588
Source URL for copy: file:/etc/group
Destination URL: gsiftp://some-SE.some-domain/tmp/foo.6720
# streams: 1
# set timeout to  0 (seconds)
            0 bytes      0.00 KB/sec avg      0.00 KB/sec inst
the server sent an error response: 535 
535-FTPD GSSAPI error: GSS Major Status: General failure
535-FTPD GSSAPI error: GSS Minor Status Error Chain:
535-FTPD GSSAPI error: 
535-FTPD GSSAPI error: unwrap.c:273: gss_unwrap: internal problem with SSL BIO:
 SSL_read rc=-1
535-FTPD GSSAPI error: OpenSSL Error: a_verify.c:109: in library:
 asn1 encoding routines, function ASN1_verify: bad get asn1 object call
535-FTPD GSSAPI error: OpenSSL Error: rsa_eay.c:578: in library:
 rsa routines, function RSA_EAY_PUBLIC_DECRYPT: padding check failed
535-FTPD GSSAPI error: OpenSSL Error: rsa_pk1.c:100: in library:
 rsa routines, function RSA_padding_check_PKCS1_type_1: block type is not 01
535-FTPD GSSAPI error: OpenSSL Error: a_verify.c:109: in library:
 asn1 encoding routines, function ASN1_verify: bad get asn1 object call
535-FTPD GSSAPI error: OpenSSL Error: rsa_sign.c:149: in library:
 rsa routines, function RSA_verify: wrong signature length
535-FTPD GSSAPI error: OpenSSL Error: a_verify.c:109: in library:
 asn1 encoding routines, function ASN1_verify: bad get asn1 object call
535-FTPD GSSAPI error: OpenSSL Error: rsa_eay.c:578: in library:
 rsa routines, function RSA_EAY_PUBLIC_DECRYPT: padding check failed
535-FTPD GSSAPI error: OpenSSL Error: rsa_pk1.c:100: in library:
 rsa routines, function RSA_padding_check_PKCS1_type_1: block type is not 01
535-FTPD GSSAPI error: OpenSSL Error: a_verify.c:109: in library:
 asn1 encoding routines, function ASN1_verify: bad get asn1 object call
535-FTPD GSSAPI error: OpenSSL Error: rsa_sign.c:149: in library:
 rsa routines, function RSA_verify: wrong signature length
535-FTPD GSSAPI error: OpenSSL Error: a_verify.c:109: in library:
 asn1 encoding routines, function ASN1_verify: bad get asn1 object call
535-FTPD GSSAPI error: OpenSSL Error: rsa_sign.c:149: in library:
 rsa routines, function RSA_verify: wrong signature length
535-FTPD GSSAPI error: OpenSSL Error: a_verify.c:109: in library:
 asn1 encoding routines, function ASN1_verify: bad get asn1 object call
535-FTPD GSSAPI error: OpenSSL Error: rsa_eay.c:578: in library:
 rsa routines, function RSA_EAY_PUBLIC_DECRYPT: padding check failed
535-FTPD GSSAPI error: OpenSSL Error: rsa_pk1.c:100: in library:
 rsa routines, function RSA_padding_check_PKCS1_type_1: block type is not 01
535 FTPD GSSAPI error: failed unwrapping MIC message 

lcg_cp: Invalid argument


Diagnosis

With older GridFTP server versions, this would typically happen for a VOMS proxy signed by a VOMS server whose current host certificate was not installed on the failing service. The service either closed the connection immediately or injected some unexpected data (e.g. a notice or warning printed on stderr) into the socket while the client still expected data for the GSI dialogue.
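When triaging many failed transfers, it helps to collapse the repeated 535 lines into one summary per failure. The following is an added example, not part of the original wiki page or of any grid middleware: the function names `unfold` and `summarise` and the `unwrap_with_rsa_errors` flag are hypothetical, and the sample is a constructed, shortened copy of the output above.

```python
import re
from collections import Counter

# Constructed sample: a shortened copy of the uberftp error chain shown above.
SAMPLE = """\
$ uberftp some-SE.some-domain
535-FTPD GSSAPI error: GSS Major Status: General failure
535-FTPD GSSAPI error: GSS Minor Status Error Chain:
535-FTPD GSSAPI error: unwrap.c:273: gss_unwrap: internal problem with SSL BIO:
 SSL_read rc=-1
535-FTPD GSSAPI error: OpenSSL Error: a_verify.c:109: in library:
 asn1 encoding routines, function ASN1_verify: bad get asn1 object call
535-FTPD GSSAPI error: OpenSSL Error: rsa_eay.c:578: in library:
 rsa routines, function RSA_EAY_PUBLIC_DECRYPT: padding check failed
535-FTPD GSSAPI error: OpenSSL Error: rsa_sign.c:149: in library:
 rsa routines, function RSA_verify: wrong signature length
535-FTPD GSSAPI error: OpenSSL Error: rsa_sign.c:149: in library:
 rsa routines, function RSA_verify: wrong signature length
535 FTPD GSSAPI error: failed unwrapping ENC message
"""

PREFIX = re.compile(r"^535[- ]FTPD GSSAPI error: ?")
OPENSSL = re.compile(r"OpenSSL Error: (\S+):(\d+): in library: (.+), function (\w+): (.+)")

def unfold(text):
    """Strip the 535 reply prefix and rejoin wrapped continuation lines."""
    out, in_reply = [], False
    for line in text.splitlines():
        if PREFIX.match(line):
            out.append(PREFIX.sub("", line).strip())
            in_reply = True
        elif in_reply and line.startswith(" "):
            out[-1] = (out[-1] + " " + line.strip()).strip()
        else:
            in_reply = False
    return [m for m in out if m]

def summarise(text):
    """Count distinct OpenSSL errors and flag the pattern from this page."""
    msgs = unfold(text)
    errors = Counter()
    for msg in msgs:
        hit = OPENSSL.match(msg)
        if hit:
            errors[(hit.group(4), hit.group(5))] += 1
    final = msgs[-1] if msgs else ""
    # Heuristic (assumption): an unwrap failure whose chain holds RSA errors.
    rsa = any(func.startswith("RSA_") for func, _ in errors)
    return {"final": final, "errors": errors,
            "unwrap_with_rsa_errors": rsa and final.startswith("failed unwrapping")}

if __name__ == "__main__":
    print(summarise(SAMPLE))
```

A positive flag only says the output matches the error chain on this page; whether the VOMS server's current host certificate is installed on the failing service still has to be checked there.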