 |
 |
Hi all, I'm trying to use sec.protocol gsi with the server certificate signed by a self-signed CA for testing purposes, however I'm having trouble getting the server to start. 3.1 hanged on some operation with XrdSutCache while starting, updating to 3.2.2 fixed the issue. Now the server fails to start with the error "failed to initialized CRL for issuing CA" in XrdSecProtocolgsi::GetCA. Setting "crl:0" did not help. I did create an empty crl to see if it resolved it, but it seems the problem lies elsewhere. I looked into the source and found the following. In XrdSecProtocolgsi::GetCA neither "CRL is expired" nor "CRL is missing" messages are displayed in my case, but the return value is obviously 2 (because the CRL error is displayed). So the variable ok = 0. That probably means verified = 0. This brings me to the first problem: shouldn't the message when CA verification fails be different from when CRL fails to initialize? Looking into XrdSecProtocolgsi::VerifyCA, I found another problem: if CA is self-signed and CACheck = 0, CA is not checked, but the variable "verified" is never set either and remains 0. Which means when option ca:0 is used, self-signed CA is rejected outright. Is it the intended behavior? I set ca:1, but nothing changed in the server output. Third problem: the certificate chain verification functions don't seem to produce any debugging output so I don't know what the actual problem with my CA certificate is. I think I'll try using a certificate from a "real" CA instead. But I wanted to report these possible problems so that they can be resolved in the future versions. Thanks. Ivan Kadochnikov ######################################################################## Use REPLY-ALL to reply to list To unsubscribe from the XROOTD-L list, click the following link: https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1