This ticket is caused because the session cache is not disabled in XrdHttp. XrdLCMAPS does this when it is loaded. #750 is caused because the SSL_CTX object is loaded at initialization by XrdHttp and a corresponding X509_STORE is never refreshed. The X509_STORE pointer is passed from XrdHttp to the VOMS library and things blow up when VOMS attempts the CRL check (note the error message from #750 is from libvomsapi, not OpenSSL). XrdLCMAPS isn't affected because it doesn't use XrdHttp's X509_STORE object and periodically reloads its X509_STORE objects every 10 minutes (it also gets a bit clever in that it hashes the activity over 63 copies of the cert store so multiple threads don't have to share a single global mutex).
On the first point, I think the main thing is that XrdHTTP should probably ensure the session handling works as expected. Whether that is "solved" by disabling it, or by fixing it in some way as @ffurano proposed, the plugins should be able to access the SSL chain for a client with a verified connection. Modifying SSL_CTX at the plugin level (as XrdLCMAPS does it) will of course also fix things, but does not seem right.
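
The reload scheme described in the first message (63 store copies, each refreshed after 10 minutes, each behind its own lock), sketched as an added example; this is not XrdLCMAPS or XrdHttp code. The `trust_store` struct stands in for an `X509_STORE`, `disk_generation` simulates CA/CRL files changing on disk, and choosing the copy from a per-thread key is an assumption.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define N_SHARDS    63         /* copies of the store, per the thread */
#define RELOAD_SECS (10 * 60)  /* refresh interval, per the thread */

/* Stand-in for an X509_STORE; generation marks which CA/CRL snapshot it holds. */
typedef struct { unsigned generation; } trust_store;

typedef struct {
    pthread_mutex_t lock;   /* one lock per copy, no global mutex */
    trust_store store;
    time_t loaded_at;       /* 0 means never loaded */
} shard;

static shard shards[N_SHARDS];
static unsigned disk_generation = 1;  /* simulates CA/CRL files changing on disk */

static void shards_init(void) {
    for (int i = 0; i < N_SHARDS; i++) {
        pthread_mutex_init(&shards[i].lock, NULL);
        shards[i].loaded_at = 0;
    }
}

/* Assumption: the copy is chosen from a per-thread key. */
static unsigned shard_index(uintptr_t thread_key) {
    return (unsigned)(thread_key % N_SHARDS);
}

/* Returns the CA/CRL generation a verification at time `now` would run against. */
static unsigned store_generation_for(uintptr_t thread_key, time_t now) {
    shard *sh = &shards[shard_index(thread_key)];
    pthread_mutex_lock(&sh->lock);
    if (sh->loaded_at == 0 || now - sh->loaded_at >= RELOAD_SECS) {
        sh->store.generation = disk_generation;  /* rebuild this copy from disk */
        sh->loaded_at = now;
    }
    unsigned gen = sh->store.generation;  /* chain and CRL checks would run here */
    pthread_mutex_unlock(&sh->lock);
    return gen;
}

int main(void) {
    shards_init();
    printf("gen=%u\n", store_generation_for(5, time(NULL)));
    return 0;
}
```

Each copy ages independently, so a CRL published just after a reload is not consulted by that copy until its interval expires, and two threads can briefly verify against different snapshots.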