Uh, wildcards are definitely supported:

https://github.com/xrootd/xrootd/blob/master/src/XrdCrypto/XrdCryptoX509.cc#L263-L268

The error message here is:

secgsi: proxy delegation forbidden when trusting DNS!

That is, Xrootd is doing a reverse-DNS lookup at some point (maybe after being redirected? failing something else in the hostname wildcard matching?), which is inherently insecure when it comes to GSI auth. Hence, the client is cowardly refusing to give their proxy over an insecure connection.

So, why is reverse-DNS being used?

I think we could distinguish between these cases from the client log at full debug.
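
The distinction raised in this message, between a server name the user supplied and one obtained from reverse DNS, as an added C++ sketch that is not part of the original message and is not XRootD's code. The names `Decision`, `nameMatches`, `anyMatch` and `decide`, the one-label wildcard rule, and the sample hostnames are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

// Illustrative policy sketch; hypothetical names, not XRootD's implementation.
struct Decision {
    bool authenticated;  // server identity accepted
    bool mayDelegate;    // safe to hand over a delegated proxy
};

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Assumed rule: a leading "*." stands for exactly one left-most label.
bool nameMatches(const std::string& pattern, const std::string& host) {
    const std::string p = lower(pattern), h = lower(host);
    if (p.rfind("*.", 0) != 0) return p == h;       // no wildcard: exact match
    const std::size_t dot = h.find('.');
    if (dot == std::string::npos || dot == 0) return false;
    return h.substr(dot) == p.substr(1);            // compare ".example.org" suffixes
}

bool anyMatch(const std::vector<std::string>& certNames, const std::string& host) {
    return std::any_of(certNames.begin(), certNames.end(),
                       [&](const std::string& n) { return nameMatches(n, host); });
}

// userHost: the name the user asked for (trusted input).
// ptrHost:  the name reverse DNS returned for the peer address (untrusted).
Decision decide(const std::vector<std::string>& certNames,
                const std::string& userHost, const std::string& ptrHost,
                bool trustDns) {
    if (anyMatch(certNames, userHost)) return {true, true};
    if (trustDns && !ptrHost.empty() && anyMatch(certNames, ptrHost))
        return {true, false};  // identity rests on DNS only: never delegate
    return {false, false};
}

int main() {
    // Constructed sample: the typed name does not match, the PTR name does.
    Decision d = decide({"*.example.org"}, "alias.other.net", "node1.example.org", true);
    std::printf("authenticated=%d mayDelegate=%d\n", d.authenticated, d.mayDelegate);
}
```
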

