One addendum:

> I must admit that the whole notion of not trusting DNS generally breaks many x509 features (at least in the way certs are issued today).

We should make it clear that this is only true in the Xrootd context. HTTP solved this issue a few years back and GridFTP stopped relying on DNS in 2016 or 2017 (can't recall).

We now have isolated the use of DNS for resolution to explicit fallback code. We have the ability to issue a warning for these cases (perhaps notifying that the configuration is deprecated and may be removed in the future).

In my testing, there's only a handful of endpoints and implementations that are affected (biggest one is EOS) as admins have to include SANs for other protocols they configure (which is why Xavier filed the ticket in the first place...).


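As an added illustration of the verification order the comment describes (match the requested host against the certificate's SANs first, and consult DNS only in one isolated, warned fallback path), here is a small Python verifier. It is example code, not xrootd's; the SAN list, hostnames and resolver are constructed placeholders, and SANs are taken as (type, value) tuples rather than parsed from a real certificate.

```python
import ipaddress
import logging
from typing import Callable, Iterable, Optional, Sequence, Tuple

log = logging.getLogger("hostverify")
# Constructed SAN list standing in for what a parsed host certificate would carry.
EXAMPLE_SANS = [("DNS", "eos.example.org"), ("DNS", "*.data.example.org"), ("IP", "192.0.2.10")]


def match_dns_name(pattern: str, host: str) -> bool:
    """RFC 6125-style dNSName match: case-insensitive, and '*' is accepted only
    as the entire leftmost label of a pattern that has at least two more labels."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_host(host: str, sans: Sequence[Tuple[str, str]], allow_dns_fallback: bool = False,
                resolver: Optional[Callable[[str], Iterable[str]]] = None) -> Tuple[bool, str]:
    """Return (ok, reason). The SAN check never touches DNS; the deprecated
    DNS fallback is isolated below and only runs when explicitly enabled."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # host is a name, not an IP literal
    for kind, value in sans:
        if ip is None and kind == "DNS" and match_dns_name(value, host):
            return True, f"matched SAN DNS:{value}"
        if ip is not None and kind == "IP":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True, f"matched SAN IP:{value}"
            except ValueError:
                continue  # malformed iPAddress entry never matches
    if not allow_dns_fallback or resolver is None:
        return False, "no SAN matches the requested host; DNS was not consulted"
    # Deprecated path: accept the cert if a DNS lookup of the requested host yields
    # a name that is in the SAN list. Kept in one place so it can warn and be removed.
    log.warning("DEPRECATED: %s verified only via DNS fallback; add it as a SAN", host)
    resolved = {name.lower().rstrip(".") for name in resolver(host)}
    for kind, value in sans:
        if kind == "DNS" and value.lower().rstrip(".") in resolved:
            return True, f"matched SAN DNS:{value} only via DNS fallback (deprecated)"
    return False, "no SAN matches the host, even after DNS fallback"
```

The resolver is injected so the fallback can be exercised offline; in a real client it would wrap the forward or reverse lookup the legacy code performs.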

Re: [xrootd/xrootd] xrdcopy ignores subject alternative names from the x509 host certificate (#841)
Comment by Brian P Bockelman (@bbockelm): https://github.com/xrootd/xrootd/issues/841#issuecomment-431001907

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1