Hi Wei,
Thanks for you quick answer ;)
> On 14 May 2021, at 21:00, Yang, Wei <[log in to unmask]> wrote:
>
> There are several reasons:
>
> 1. The server or client is pretty old (4.8 and older if I remember correctly). In that case, one side (or both) does not sign the Diffie-Hellman parameters (which is used to estiblish symmetric encryption keys).
The XRootD servers and redirectors at CC-IN2P3 are running 4.12.6-1, so I guess this should be ok...
At the UK site, I don't know yet the version of the client used. I will ask them ;)
> 2. The server host name used by the client is a DNS alias that is not in the server host certificate's SAN entries. I forgot whether this will result in a message like "no delegated credentials for tpc", but it is one of the common reasons that fails the credential delegation.
At CC-IN2P3, the certificate used by the redirectors seems ok to me, e.g.:
Subject: O=GRID-FR, C=FR, O=CNRS, OU=CC-IN2P3, CN=ccxrdrli03.in2p3.fr
X509v3 Subject Alternative Name:
DNS:ccxrdrli03.in2p3.fr, DNS:ccxroot.in2p3.fr
There is no DNS alias for the servers, e.g.:
Subject: O=GRID-FR, C=FR, O=CNRS, OU=CC-IN2P3, CN=ccxrdli283.in2p3.fr
X509v3 Subject Alternative Name:
DNS:ccxrdli283.in2p3.fr
Thanks,
Yvan
########################################################################
Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
|