@abh3 Quoting @bbockelm :

This ticket is caused because the session cache is not disabled in XrdHttp. XrdLCMAPS does this when it is loaded.

#750 is caused because the SSL_CTX object is loaded at initialization by XrdHttp and a corresponding X509_STORE is never refreshed. The X509_STORE pointer is passed from XrdHttp to the VOMS library and things blow up when VOMS attempts the CRL check (note the error message from #750 is from libvomsapi, not OpenSSL). XrdLCMAPS isn't affected because it doesn't use XrdHttp's X509_STORE object periodically reloads its X509_STORE objects every 10 minutes (it also gets a bit clever in that is hashes the activity over 63 copies of the cert store so multiple threads don't have to share a single global mutex).

On the first point, I think the main thing is that XrdHTTP should probably ensure the session handling works as expected. Whether that is "solved" by disabling it, or by fixing it in some way as @ffurano proposed, the plugins should be able to access the SSL chain for a client with a verified connection. Modifying SSL_CTX at the plugin level (as XrdLCMAPS does it) will of course also fix things, but does not seem right.

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or unsubscribe.

[ { "@context": "http://schema.org", "@type": "EmailMessage", "potentialAction": { "@type": "ViewAction", "target": "https://github.com/xrootd/xrootd/issues/1177#issuecomment-613328225", "url": "https://github.com/xrootd/xrootd/issues/1177#issuecomment-613328225", "name": "View Issue" }, "description": "View this Issue on GitHub", "publisher": { "@type": "Organization", "name": "GitHub", "url": "https://github.com" } } ]

Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1