Hi,

in my xrootd-dataserver v4.11.3, I have an inconsistent handling of x509 authentication. The inconsistency is that the first three xrdcp attempts are handled successfully (see [1]), while the following attempts get a failed authentication (see [2]). In addition, once there has not been a request in a while, three attempts are again able to pass successfully. The service was not restarted. This was reproduced multiple times with xrootd v4.11.3.

[1] This is the log in a successful authentication case:

```
200514 16:00:52 15437 secgsi_Authenticate: VOMS: Entity.endorsements: /escape/Role=NULL/Capability=NULL,/escape/fair/Role=NULL/Capability=NULL
INFO in AuthzKey: Returning '/C=DE/O=GermanGrid/OU=GSI/CN=Paul-Niklas Kramp::escape:/escape,/escape/fair,::' of length 78 as key.
200514 16:00:52 15437 pkramp.15543:40@dclxwp2dlds1 XrootdResponse: 0000 sending OK
```

[2] And this if it fails:

```
200514 16:01:00 15413 secgsi_Authenticate: VOMS: Entity.endorsements: /escape/Role=NULL/Capability=NULL,/escape/fair/Role=NULL/Capability=NULL
Failed to validate credentials.
Globus error: globus_credential: Error verifying credential: Failed to verify credential
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: Invalid CRL: Couldn't verify that the available CRL is valid
OpenSSL Error: pem_lib.c:707: in library: PEM routines, function PEM_read_bio: no start line Expecting: ANY PRIVATE KEY
Globus chain verification failure.
ERROR in AuthzKey: Key verification failed.
200514 16:01:00 15413 secgsi_Authenticate: ERROR: unable to get the key associated to this user
```

The part of the config, tested with crl:0 and crl:1:

```
xrootd.seclib /usr/lib64/libXrdSec-4.so
sec.protocol /usr/lib64 gsi \
  -certdir:/etc/grid-security/certificates/ \
  -cert:/etc/grid-security/xrd//cert_31408_dclxwp2dlds1.gsi.de.pem \
  -key:/etc/grid-security/xrd//privKey_31408_dclxwp2dlds1.gsi.de.pem \
  -crl:1 \
  -authzfun:libXrdLcmaps.so \
  -authzfunparms:lcmapscfg=/etc/lcmaps.db,loglevel=5,policy=authorize_only \
  -gmapopt:10 \
  -gmapto:0
acc.authdb /etc/xrootd/auth_file
ofs.authorize
```

I wonder why I get a CRL-related error with the config options 0 or 1. Any ideas why it is behaving inconsistently?

Cheers,
Paul

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/issues/1197