
The feature was untouched. The only "touching" was turning off the OpenSSL 
connection cache (if you recall the heated discussion on that). It would 
appear that is what broke the feature but only in certain cases. So, we 
don't understand the problem but of course, if you could, look into it! 
The R4 version is as is so there should be no need to worry about that 
but likely needs verification.

On Tue, 14 Jul 2020, xrootd-dev wrote:

> Hi Brian,
>
> the redirect to HTTP feature is used heavily in the DPM core,
> and my last measurements at the time were giving a 4-5 times difference
> in the metadata rate by enabling it for the internal control channels.
>
> About it being questionable... I don't know, it does what it does
> and it's documented since years.
>
> This to tell that it's very important that the feature was not broken
> in recent releases. Was this touched only for xrootd 5 or shall
> DPM sites be worried also for xrootd 4?
>
> Thanks
> Fabrizio
>
>
> On 14.07.20 15:50, Brian P Bockelman wrote:
>> Hi @riccardodimaria <https://github.com/riccardodimaria>!
>>
>> I'm fairly unfamiliar with this feature but would recommend against
>> using it - you lose integrity checks and the cost for encryption is
>> fairly minimal (it's in-hardware these days).
>>
>> Could you post the output of |curl| with the |-v| option? That should
>> dump the headers to stderr and illuminate the situation. Particularly,
>> your redirected URL should contain a |xrdhttptk|. You can redact the
>> secrets in the output - I'm just looking for the presence of headers.
>>
>> Also to verify - modern versions of |curl| are supposed to drop the
>> |Authorization| header on redirect for obvious security reasons.
>>
>> Finally:
>>
>>     since here was no cert, no "opaque" token was generated
>>
>> The opaque token is not generated from the certificate but rather from
>> the |XrdSecEntity| object. The code appears to do some questionable
>> items such as dump the credentials unencrypted into the URL. I don't
>> understand that but it was done in 581b26b
>> <https://github.com/xrootd/xrootd/commit/581b26b207a686988eea32dda65e9e7aa97a2d3a>
>> by @ffurano <https://github.com/ffurano> so he might have some insight.
>>
>> Brian


-- 
You are receiving this because you commented.
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/issues/1251#issuecomment-658543735

########################################################################
Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1
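
An added example, not part of the thread or of XRootD: a Python helper for the request in the quoted message above, which redacts a `curl -v` transcript before posting and reports only whether `xrdhttptk` appears in the redirect and whether `Authorization` was resent. The sample transcript, host names and the assumption that `xrdhttptk` travels as a URL query parameter are constructed for illustration.

```python
import re

# Constructed `curl -v -L` transcript (hosts, token and secret are made up).
SAMPLE = """\
> GET /store/file.root HTTP/1.1
> Host: redirector.example.org
> Authorization: Bearer CONSTRUCTED-TOKEN-123
>
< HTTP/1.1 307 Temporary Redirect
< Location: http://disk01.example.org:1094/store/file.root?xrdhttptk=CONSTRUCTEDSECRET&foo=bar
<
> GET /store/file.root?xrdhttptk=CONSTRUCTEDSECRET&foo=bar HTTP/1.1
> Host: disk01.example.org:1094
>
< HTTP/1.1 200 OK
"""

SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie"}
TOKEN_PARAM = re.compile(r"(xrdhttptk=)[^&\s]+")  # assumption: a URL query parameter
HEADER = re.compile(r"^([<>]) ([A-Za-z0-9-]+):\s*(.*)$")
REQUEST_LINE = re.compile(r"^> [A-Z]+ \S+ HTTP/")

def redact(transcript):
    """Mask credential header values and the xrdhttptk value, keep the names."""
    out = []
    for line in transcript.splitlines():
        m = HEADER.match(line)
        if m and m.group(2).lower() in SENSITIVE_HEADERS:
            line = f"{m.group(1)} {m.group(2)}: [REDACTED]"
        out.append(TOKEN_PARAM.sub(r"\1[REDACTED]", line))
    return "\n".join(out)

def summarize(transcript):
    """Report presence of headers and tokens only, never their values."""
    auth_per_request, token_in_location = [], False
    for line in transcript.splitlines():
        if REQUEST_LINE.match(line):
            auth_per_request.append(False)  # a new outgoing request starts here
        m = HEADER.match(line)
        side, name, value = m.groups() if m else ("", "", "")
        if side == ">" and name.lower() == "authorization" and auth_per_request:
            auth_per_request[-1] = True
        if side == "<" and name.lower() == "location" and TOKEN_PARAM.search(value):
            token_in_location = True
    return {"authorization_per_request": auth_per_request,
            "authorization_resent_after_redirect": any(auth_per_request[1:]),
            "xrdhttptk_in_location": token_in_location}

if __name__ == "__main__":
    print(redact(SAMPLE), summarize(SAMPLE), sep="\n")
```
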