Save remote host's cert chain in client-side session ad

Description

We got a request from the EGI monitoring team for a way to remotely validate an HTCondor-CE's host cert (https://crt.cs.wisc.edu/rt/Ticket/Display.html?id=100742). This doesn't appear to be currently possible so BrianB suggested that we add code to this function (https://github.com/htcondor/htcondor/blob/master/src/condor_io/condor_auth_ssl.cpp#L1060) to save the remote host's cert chain in PEM format into the client-side session ad. This should make the cert chain available to the Python bindings through SecMan.ping().

From https://htcondor-wiki.cs.wisc.edu/index.cgi/tktview?tn=7679,4

Activity

Brian Bockelman
March 3, 2021, 10:47 PM

Just because it took too long to pull this into cache, here’s an example use:

Zach Miller
February 26, 2021, 6:59 PM

CODE REVIEW: Looks Good. Needs version history/docs.

Tim Theisen
January 6, 2021, 3:59 PM

Fair enough. Retargeting to the devel series.

Brian Lin
January 6, 2021, 3:46 PM

As I understand it, it’s just the client that has to contain these changes, so we don’t have to worry about older versions out in the OSG-wild as much.

Tim Theisen
January 6, 2021, 3:35 PM

Given that OSG will support HTCondor 8.8 as part of OSG 3.5 for some time, I strongly prefer backporting this change to stable. It looks like an easy backport.

Assignee

Zach Miller