Firewall issue connecting to DIRAC client

[arrabito]

Dear all,

We have CTA users from a particular institute in France that are not able to use the dirac client because of the firewall rules at their institute.
They get something like this at the configuration step:

dirac-configure defaults-CTA.cfg
WARNING: Parsing of '.cfg' files as command line arguments is changing!
          Set the environment variable 'export DIRAC_NO_CFG=1' to pass the file as a positional
          argument (this will become the default).
          To modify the local configuration use '--cfg <configfile>' instead.
Executing: /home/sizun/local_sw/CTA/DIRAC/20210708/pro/DIRAC/Core/scripts/dirac_configure.py defaults-CTA.cfg 
Checking DIRAC installation at "/home/sizun/local_sw/CTA/DIRAC/20210708/versions/v1r64p1_1625727505"
Could not sync dir Cannot get URL for Framework/BundleDelivery in setup CTA: RuntimeError('Option /DIRAC/Setups/CTA/Framework is not defined',)

After some investigations their admins found that at least one packet to ccdcta-server04.in2p3.fr:9135 (which is one of our DIRAC servers) was blocked because it was identified as a memory corruption vulnerability, see:

We were referred to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5334 and asked which version if any of GnuTLS is used on the client and server sides.

Also I've been asked if our servers are exposed to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5334

Personally, I have no idea, but I've asked informations to the admins at CC-IN2P3, where our servers are hosted.

Do you have any idea about this issue?

Any help would be very much appreciated.

Cheers,

Luisa

[chaen]

Hi Luisa,
we don't use GnuTLS, so we shouldn't be vunerable to that

[marianne013]

See, if that had been on google groups, I would have seen it :-P
To quote Simon F (from January 2020):
"As far as I can remember the less common client certificate flags in
the SSL handshake used by grid software occasionally causes the traffic to
be flagged as weird/old versions of the SSL libraries when it isn't really."