Hi Derek,
Frankly, if you don't apply security for the redirector (which most places
do not) there is no reason to use TLS. If you do apply security, think
what harm might occur in a MIM attack or somebody snooping on the
connection. Likely, it's a very low risk. If you are comfortable with
that risk, then there is no reason to enable TLS for a redirector.
Otherwise, yes, you would use xroots but at the moment there is no
fallback so if the redirector doesn't talk TLS you will fail which,
frankly, in the https world is common practice. Please note that if the
redirector sends you off to a server that needs TLS then you will
automatically get TLS no matter what. Same for the redirector if it
requires TLS you will get it. That allows you to keep the config file as
is and get TLS when it is required.
Andy
On Tue, 28 Apr 2020, Derek Weitzel wrote:
> Just some TLS deployment questions:
>
> - Do the redirectors also need to be TLS enabled? I presume yes. For caching, the pss.origin should list the redirector like?:
> pss.origin xroots://redirector.example.com
>
> - When the origin is a redirector, does the cache then connect to the data server with TLS?
>
> - Can the redirector run both non-TLS and TLS at the same time? Is that on the same port?
>
> - Derek
>
> ########################################################################
> Use REPLY-ALL to reply to list
>
> To unsubscribe from the XROOTD-L list, click the following link:
> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
>