Hello,
while testing XRootD HEAD (compiles as of July 13th, 2020) I notice some issues wrt HTTP requests, both CURL (using Tokens) and davix-get -P grid (using 2 different certificates).

Starting with the latter (davix), the XCache is configured using:

/afs/cern.ch/user/r/rdimaria/public/Authfile-testing
/afs/cern.ch/user/r/rdimaria/public/xrootd-xcache.cfg-testing

I am using an ESCAPE VO cert, meaning, in my case, 3 attributes in the VO extension.
When trying to read data open to everyone:

I get: (Davix::HttpRequest) Error: Result Impossible to get the new redirected destination after 3 attempts
and the only thing I can spot from the logs (/afs/cern.ch/user/r/rdimaria/public/xrootd.log-xrootdticket-davix_escape) is 140654623500032:error:140D9115:SSL routines:ssl_get_prev_session:session id context uninitialized:ssl_sess.c:682:.

Commenting out the http.secretkey directive in the XCache cfg, the same request results in success (clean log at /afs/cern.ch/user/r/rdimaria/public/xrootd.log-xrootdticket-davix_escape-nosecretkey).
However, it seems that xrootd gets restarted after having fetched the file.

If I now request the same file using a CMS proxy, in my case meaning having only the default attribute in the VO extension,
the request succeeds with the http.secretkey directive in the XCache cfg (/afs/cern.ch/user/r/rdimaria/public/xrootd.log-xrootdticket-davix_cms).

Moving to CURL, the XCache is still configured using:

/afs/cern.ch/user/r/rdimaria/public/Authfile-testing
/afs/cern.ch/user/r/rdimaria/public/xrootd-xcache.cfg-testing

The token I am using is only able to read CMS data.
When trying to make the following request:

I get: curl: (52) NSS: client certificate not found (nickname not specified)
and the only thing I can spot from the logs (/afs/cern.ch/user/r/rdimaria/public/xrootd.log-xrootdticket-curl) is 200713 15:29:00 18515 anon.0:31@lxplus783 sysXrdHttp: Rejecting plain http with no valid token as we have a secretkey..

Commenting out the http.secretkey directive in the XCache cfg, the same request results in success (clean log at /afs/cern.ch/user/r/rdimaria/public/xrootd.log-xrootdticket-curl-nosecretkey).

IMPORTANT: AFAICT, even though I should perform more in-depth checks, this issue with CURL and davix requests affects also the "production" environment, meaning using 4.12 series (.2 and .3).

Please let me know if you need anything else from me.

Best,
Riccardo

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or unsubscribe.

[ { "@context": "http://schema.org", "@type": "EmailMessage", "potentialAction": { "@type": "ViewAction", "target": "https://github.com/xrootd/xrootd/issues/1251", "url": "https://github.com/xrootd/xrootd/issues/1251", "name": "View Issue" }, "description": "View this Issue on GitHub", "publisher": { "@type": "Organization", "name": "GitHub", "url": "https://github.com" } } ]

Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1