I think the issue here is that in GSI the stack_of(x509) is not used.
Instead, raw or pem certs are fed into VomsFun and it creates the
stack_of(x509). In the HTTP case we don't have access to raw or pem certs
and instead ask OpenSSL to supply the stack_of(x509). It would seem that
OpenSSL doesn't know (and probably shouldn't know) how to deal with
non-RFC compliant certs.
Frankly, we can't keep doing the backward non-standards compliant
compatibility route for this kind of stuff. If you want to use HTTP then
you *really* need to use the standards compliant stuff otherwise why do
you even want to use HTTP in the first place, just for window dressing?
On Sat, 11 Jul 2020, Oliver Freyermuth wrote:
> Note that connections via the XRootD protocol, using the configuration:
> ```
> sec.protocol /usr/lib64 gsi -dlgpxy:1 -exppxy:=creds -ca:1 -crl:3 -gridmap:/dev/null -cert:/etc/grid-security/hostcert.pem -key:/etc/grid-security/hostkey.pem -certdir:/etc/grid-security/certificates -vomsfun:/usr/lib64/libXrdVoms.so -vomsfunparms:certfmt=raw|grpopt=useall|vos=atlas,ops,dteam,wlcg|grps=/atlas,/atlas/de,/ops,/dteam,/wlcg|dbg
> ```
> on the same system still accept old (non-RFC) proxies.
>
> --
> You are receiving this because you are subscribed to this thread.
> Reply to this email directly or view it on GitHub:
> https://github.com/xrootd/xrootd/issues/1247#issuecomment-657097185
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or unsubscribe.
[
{
"@context": "http://schema.org",
"@type": "EmailMessage",
"potentialAction": {
"@type": "ViewAction",
"target": "https://github.com/xrootd/xrootd/issues/1247#issuecomment-657356483",
"url": "https://github.com/xrootd/xrootd/issues/1247#issuecomment-657356483",
"name": "View Issue"
},
"description": "View this Issue on GitHub",
"publisher": {
"@type": "Organization",
"name": "GitHub",
"url": "https://github.com"
}
}
]
Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1