> It looks to me that Xavier's case and the case I encountered are different.

If you say that your host certificate for uct2-xrootd.mwt2.org actually does not have "fax.mwt2.org" as an alternative name in it, then yes, our situations are different - in your case, the error is justified, in my opinion.
It could be that client tools do a name resolution of the alias and a subsequent reverse lookup of the IP to verify whether that name is mentioned as the subject name in the certificate, possibly? That's the only way a DNS alias could still work with these grid security regulations.



Re: [xrootd/xrootd] xrdcopy ignores subject alternative names from the x509 host certificate (#841)
https://github.com/xrootd/xrootd/issues/841#issuecomment-430531797
