OK, there is definitely a bug in the checking logic but it wouldn&#39;t <br>
explain that message unless the SAN check failed. So, the conclusion is <br>
that there is also a bug in the wildcard checking as well. Time could you<br>
<br>
a) set the envars XrdSecDEBUG and XrdDEBUG to 1.<br>
b) reissue the xrdcp with --tpc delegate only<br>
c) Send the log output to me, and<br>
d) use openssl to display the host&#39;s certificate including the SAN <br>
extension and send hat to me as well.<br>
<br>
In the mean time I will correct the faulty cut-paste SAN checking logic <br>
(yeah, it was a cut-paste error).<br>
<br>
Andy<br>
<br>
<br>
On Fri, 13 Sep 2019, Brian P Bockelman wrote:<br>
<br>
&gt; Uh, wildcards are definitely supported:<br>
&gt;<br>
&gt; https://github.com/xrootd/xrootd/blob/master/src/XrdCrypto/XrdCryptoX509.cc#L263-L268<br>
&gt;<br>
&gt; The error message here is:<br>
&gt;<br>
&gt;&gt; secgsi: proxy delegation forbidden when trusting DNS!<br>
&gt;<br>
&gt; That is, Xrootd is doing a reverse-DNS lookup at some point (maybe after being redirected? failing something else in the hostname wildcard matching?), which is inherently insecure when it comes to GSI auth.  Hence, the client is cowardly refusing to give their proxy over an insecure connection.<br>
&gt;<br>
&gt; So, why is reverse-DNS being used?<br>
&gt;<br>
&gt; - It could be, as you surmised, due to wildcard failure (i.e., bug in existing implementation).<br>
&gt; - It could be the client code path isn&#39;t providing the X509 level with the right information.<br>
&gt;<br>
&gt; I think we could distinguish between these cases from the client log at full debug.<br>
&gt;<br>
&gt; -- <br>
&gt; You are receiving this because you commented.<br>
&gt; Reply to this email directly or view it on GitHub:<br>
&gt; https://github.com/xrootd/xrootd/issues/1055#issuecomment-531374298<br>


<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">&mdash;<br />You are receiving this because you are subscribed to this thread.<br />Reply to this email directly, <a href="https://github.com/xrootd/xrootd/issues/1055?email_source=notifications&amp;email_token=AA7NRDQNVF6DRD2L3SFG4UDQJQBUDA5CNFSM4IWPZQKKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD6WIBAA#issuecomment-531398784">view it on GitHub</a>, or <a href="https://github.com/notifications/unsubscribe-auth/AA7NRDSOOPOGXS23ISXQP7DQJQBUDANCNFSM4IWPZQKA">mute the thread</a>.<img src="https://github.com/notifications/beacon/AA7NRDUYSGLJ3X2OKIEZTKTQJQBUDA5CNFSM4IWPZQKKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD6WIBAA.gif" height="1" width="1" alt="" /></p>
<!cript type="application/ld+json">[
{
"@context": "http://schema.org",
"@type": "EmailMessage",
"potentialAction": {
"@type": "ViewAction",
"target": "https://github.com/xrootd/xrootd/issues/1055?email_source=notifications\u0026email_token=AA7NRDQNVF6DRD2L3SFG4UDQJQBUDA5CNFSM4IWPZQKKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD6WIBAA#issuecomment-531398784",
"url": "https://github.com/xrootd/xrootd/issues/1055?email_source=notifications\u0026email_token=AA7NRDQNVF6DRD2L3SFG4UDQJQBUDA5CNFSM4IWPZQKKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD6WIBAA#issuecomment-531398784",
"name": "View Issue"
},
"description": "View this Issue on GitHub",
"publisher": {
"@type": "Organization",
"name": "GitHub",
"url": "https://github.com"
}
}
]</script>
<br>
<hr>
<p align="left">
Use REPLY-ALL to reply to list</p>
<p align="center">To unsubscribe from the XROOTD-DEV list, click the following link:<br>
<a href="https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1" target="_blank">https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1</a>
</p>