Hi Brian,

Well, “solve” is a strong word. Could you please tell me what magic HTTP and GridFTP used to actually solve it in the context of HEP? URLs to the solution would help.

Andy

From: Brian P Bockelman
Sent: Thursday, October 18, 2018 6:09 AM
To: xrootd/xrootd
Cc: Andrew Hanushevsky; State change
Subject: Re: [xrootd/xrootd] xrdcopy ignores subject alternative names from the x509 host certificate (#841)

One addendum:

I must admit that the whole notion of not trusting DNS generally breaks many x509 features (at least in the way certs are issued today).

We should make it clear that this is only true in the Xrootd context. HTTP solved this issue a few years back and GridFTP stopped relying on DNS in 2016 or 2017 (can't recall).

We now have isolated the use of DNS for resolution to explicit fallback code. We have the ability to issue a warning for these cases (perhaps notifying that the configuration is deprecated and may be removed in the future).

In my testing, there's only a handful of endpoints and implementations that are affected (biggest one is EOS) as admins have to include SANs for other protocols they configure (which is why Xavier filed the ticket in the first place...).
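The SAN-versus-DNS point argued above, as an added example: this is not xrootd's code and not part of either message. It assumes the certificate dict layout that Python's `ssl.SSLSocket.getpeercert()` returns, and the certificates in it are constructed. The client compares the host name it was asked to connect to against the certificate's SAN dNSName/iPAddress entries only; the subject CN is consulted solely when the certificate carries no dNSName SAN, and that path emits a deprecation warning, mirroring the "explicit fallback code" with a warning described above. No forward or reverse DNS lookup happens anywhere, so a spoofed record cannot satisfy the check.

```python
"""Hostname verification against X.509 subjectAltName entries (added example)."""
from __future__ import annotations

import ipaddress
import warnings


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: case-insensitive; a single leading '*' label
    matches exactly one left-most label and never a bare TLD."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only "*.rest" is accepted; "f*o.example" or "*.*.example" are rejected.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[2:]:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_hostname(cert: dict, hostname: str) -> tuple[bool, str]:
    """Return (ok, reason). `cert` uses the getpeercert() dict layout."""
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]

    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None

    if ip is not None:
        # Connected by address: only an iPAddress SAN may match; a literal
        # address is never compared against dNSName or CN.
        for candidate in ip_names:
            try:
                if ipaddress.ip_address(candidate) == ip:
                    return True, f"matched SAN iPAddress {candidate}"
            except ValueError:
                continue
        return False, "no SAN iPAddress matches the connected address"

    if dns_names:
        for name in dns_names:
            if _dns_name_matches(name, hostname):
                return True, f"matched SAN dNSName {name}"
        # SAN present but nothing matched: the CN must NOT be consulted.
        return False, "hostname not in SAN dNSName entries"

    # Fallback: the certificate has no dNSName SAN at all (deprecated path).
    cn_values = [
        value
        for rdn in cert.get("subject", ())
        for key, value in rdn
        if key == "commonName"
    ]
    for cn in cn_values:
        if _dns_name_matches(cn, hostname):
            warnings.warn(
                f"certificate has no subjectAltName; matched CN {cn!r} instead "
                "(deprecated, may be removed in a future release)",
                DeprecationWarning,
                stacklevel=2,
            )
            return True, f"matched subject CN {cn} (deprecated fallback)"
    return False, "no SAN and CN does not match"


# Constructed sample certificates for the example (not real hosts' certificates).
CERT_WITH_SAN = {
    "subject": ((("commonName", "eos-mgm.example.org"),),),
    "subjectAltName": (
        ("DNS", "eos-mgm.example.org"),
        ("DNS", "*.eos.example.org"),
        ("IP Address", "192.0.2.10"),
    ),
}
# SAN present but CN differs: the CN must not rescue a failed SAN match.
CERT_SAN_CN_MISMATCH = {
    "subject": ((("commonName", "other.example.org"),),),
    "subjectAltName": (("DNS", "real.example.org"),),
}
# Older style: CN only, no SAN; the case the deprecation warning targets.
CERT_CN_ONLY = {
    "subject": ((("commonName", "legacy-door.example.org"),),),
}

if __name__ == "__main__":
    for cert, host in [
        (CERT_WITH_SAN, "node1.eos.example.org"),
        (CERT_WITH_SAN, "192.0.2.10"),
        (CERT_SAN_CN_MISMATCH, "other.example.org"),
        (CERT_CN_ONLY, "legacy-door.example.org"),
    ]:
        print(host, "->", verify_hostname(cert, host))
```

Wiring this to a real connection means calling `verify_hostname(sock.getpeercert(), requested_host)` with the name the user typed, never with a name obtained by resolving or reverse-resolving the peer address.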



To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1