OK, I looked at the code once again. It seems there is a bug in the logic <br>
when the SAN matches and trustDNS is on. I will investigate but I don&#39;t <br>
see it working the right way as of the moment.<br>
<br>
Andy<br>
<br>
  On Fri, 13 Sep 2019, Brian P Bockelman wrote:<br>
<br>
&gt; Uh, wildcards are definitely supported:<br>
&gt;<br>
&gt; https://github.com/xrootd/xrootd/blob/master/src/XrdCrypto/XrdCryptoX509.cc#L263-L268<br>
&gt;<br>
&gt; The error message here is:<br>
&gt;<br>
&gt;&gt; secgsi: proxy delegation forbidden when trusting DNS!<br>
&gt;<br>
&gt; That is, Xrootd is doing a reverse-DNS lookup at some point (maybe after being redirected? failing something else in the hostname wildcard matching?), which is inherently insecure when it comes to GSI auth.  Hence, the client is cowardly refusing to give their proxy over an insecure connection.<br>
&gt;<br>
&gt; So, why is reverse-DNS being used?<br>
&gt;<br>
&gt; - It could be, as you surmised, due to wildcard failure (i.e., bug in existing implementation).<br>
&gt; - It could be the client code path isn&#39;t providing the X509 level with the right information.<br>
&gt;<br>
&gt; I think we could distinguish between these cases from the client log at full debug.<br>
&gt;<br>
&gt; -- <br>
&gt; You are receiving this because you commented.<br>
&gt; Reply to this email directly or view it on GitHub:<br>
&gt; https://github.com/xrootd/xrootd/issues/1055#issuecomment-531374298<br>


<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">&mdash;<br />You are receiving this because you are subscribed to this thread.<br />Reply to this email directly, <a href="https://github.com/xrootd/xrootd/issues/1055?email_source=notifications&amp;email_token=AA7NRDSKJ22PCQ6HRP3QZYTQJQAD3A5CNFSM4IWPZQKKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD6WHHZQ#issuecomment-531395558">view it on GitHub</a>, or <a href="https://github.com/notifications/unsubscribe-auth/AA7NRDVNNAS3L6PA7EMNRDLQJQAD3ANCNFSM4IWPZQKA">mute the thread</a>.<img src="https://github.com/notifications/beacon/AA7NRDSNI4YVPCCKJ2EMPRDQJQAD3A5CNFSM4IWPZQKKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD6WHHZQ.gif" height="1" width="1" alt="" /></p>
<!cript type="application/ld+json">[
{
"@context": "http://schema.org",
"@type": "EmailMessage",
"potentialAction": {
"@type": "ViewAction",
"target": "https://github.com/xrootd/xrootd/issues/1055?email_source=notifications\u0026email_token=AA7NRDSKJ22PCQ6HRP3QZYTQJQAD3A5CNFSM4IWPZQKKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD6WHHZQ#issuecomment-531395558",
"url": "https://github.com/xrootd/xrootd/issues/1055?email_source=notifications\u0026email_token=AA7NRDSKJ22PCQ6HRP3QZYTQJQAD3A5CNFSM4IWPZQKKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD6WHHZQ#issuecomment-531395558",
"name": "View Issue"
},
"description": "View this Issue on GitHub",
"publisher": {
"@type": "Organization",
"name": "GitHub",
"url": "https://github.com"
}
}
]</script>
<br>
<hr>
<p align="left">
Use REPLY-ALL to reply to list</p>
<p align="center">To unsubscribe from the XROOTD-DEV list, click the following link:<br>
<a href="https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1" target="_blank">https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1</a>
</p>