Using either XRootD 4.12.3 or XRootD 5.0.0 with the line: ``` http.secxtractor /usr/lib64/libXrdVoms.so ``` I observe the following behaviour when accesing it via WebDAVs: ``` $ voms-proxy-init3 -voms atlas -old $ curl -vvL --capath /etc/grid-security/certificates --cacert $X509_USER_PROXY --cert $X509_USER_PROXY "https://the-host.example.com/some/path [...] * TLSv1.2 (OUT), TLS handshake, Finished (20): * TLSv1.2 (IN), TLS alert, unknown CA (560): * error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca * Closing connection 0 curl: (35) error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca ``` In the server logs, I find: ``` 200710 16:59:06 2474471 XrdTLS: CertVerify: Cert verification failed for DN=/C=DE/O=GermanGrid/redacted/CN=proxy 200710 16:59:06 2474471 XrdTLS: CertVerify: Failing cert issuer=/C=DE/O=GermanGrid/OU=redacted 200710 16:59:06 2474471 XrdTLS: CertVerify Error 20 at depth 0 [unable to get local issuer certificate] 139757501679360:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed:s3_srvr.c:3327: ``` I do not observe this when: - Using an RFC proxy (`voms-proxy-init3 -voms atlas -rfc`). - Using the old secxtractor (`/usr/lib64/libXrdHttpVOMS.so`). Note I only tested the latter with 4.12.3. Is it expected that the old-style VOMS proxies are not supported anymore? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/xrootd/xrootd/issues/1247 ######################################################################## Use REPLY-ALL to reply to list To unsubscribe from the XROOTD-DEV list, click the following link: https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1