
Follow-up Comment #4, sr #124285 (project xrootd):

Catalin -

Can you test if the -crl:2 level is acceptable for FNAL?

Gerri -

I realized I left a sentence incomplete in my previous comment.  The new IGTF
format has three entries per CA in the certificates directory.  One is
human-readable and ends in ".pem", one uses the OpenSSL 0.9.x hashing scheme
and ends in ".0", and the third uses the OpenSSL 1.0 hashing scheme and also
ends in ".0".  fetch-crl pulls in CRLs *only* for the version of OpenSSL
found on the system.

Could we do something similar in Xrootd?  I.e., check that the hash of the
read CA matches the hash from the current version of OpenSSL; if it doesn't,
ignore it.

If you'd like to see an example of how this layout works, you can find the
latest OSG CA cert RPM here:

https://koji-hub.batlab.org/koji/buildinfo?buildID=659


    _______________________________________________________

Reply to this item at:

  <http://savannah.cern.ch/support/?124285>

_______________________________________________
  Message sent via/by LCG Savannah
  http://savannah.cern.ch/