@abh3 - The offending part is that the session cache is not disabled; that is, `XrdHttp` is missing the following lines:

https://github.com/opensciencegrid/xrootd-lcmaps/blob/master/src/XrdHttpLcmaps.cc#L361-L365

If the session cache is used (its use is not typically triggered by davix, but it is by gfal) to start a new SSL connection, then the client certificate chain is not associated with the session upon reuse. OpenSSL does *not* cache the certificate chain information for you in the cache (you'd have to keep in memory the certificate chain for every connection that had been made over SSL); that's left as an exercise to the user.

Because the session cache is used and the cert chain is not available to OpenSSL, `XrdHttp` ends up with this debug message when it asks for the peer chain:

```
200412 22:56:48 24985 eyermuth.0:[log in to unmask] SSL_get_peer_cert_chain :0
```

That is, the peer chain provided by OpenSSL is a `nullptr` and the client cannot be mapped by the security extractor module. Accordingly, the username is set to random user-controlled gobbledygook:

```
200412 22:56:48 24985 acc_Audit: http deny Oliver Freyermuth@[::ffff:188.184.98.75] stat /cephfs/grid/dteam/of_1M_9
```

instead of the DN in Oliver's case:

```
200412 22:56:48 24968 acc_Audit: http grant /C=DE/O=GermanGrid/OU=UniBonn/CN=Oliver Freyermuth@[::ffff:188.184.98.75] stat /cephfs/grid/dteam/of_1M_9
```

Brian

(@esindril - while you're also correct about CRLs, I'm not addressing it here because it really belongs to #750...)

--
View it on GitHub: https://github.com/xrootd/xrootd/issues/1177#issuecomment-613435662