
I think the issue here is that in GSI the stack_of(x509) is not used. 
Instead, raw or pem certs are fed into VomsFun and it creates the 
stack_of(x509). In the HTTP case we don't have access to raw or pem certs 
and instead ask OpenSSL to supply the stack_of(x509). It would seem that 
OpenSSL doesn't know (and probably shouldn't know) how to deal with 
non-RFC compliant certs.

Frankly, we can't keep doing the backward non-standards compliant 
compatibility route for this kind of stuff. If you want to use HTTP then 
you *really* need to use the standards compliant stuff otherwise why do 
you even want to use HTTP in the first place, just for window dressing?

On Sat, 11 Jul 2020, Oliver Freyermuth wrote:

> Note that connections via the XRootD protocol, using the configuration:
> ```
> sec.protocol /usr/lib64 gsi -dlgpxy:1 -exppxy:=creds -ca:1 -crl:3 -gridmap:/dev/null -cert:/etc/grid-security/hostcert.pem -key:/etc/grid-security/hostkey.pem -certdir:/etc/grid-security/certificates -vomsfun:/usr/lib64/libXrdVoms.so -vomsfunparms:certfmt=raw|grpopt=useall|vos=atlas,ops,dteam,wlcg|grps=/atlas,/atlas/de,/ops,/dteam,/wlcg|dbg
> ```
> on the same system still accept old (non-RFC) proxies.
>
> -- 
> You are receiving this because you are subscribed to this thread.
> Reply to this email directly or view it on GitHub:
> https://github.com/xrootd/xrootd/issues/1247#issuecomment-657097185


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/issues/1247#issuecomment-657356483
