So, here is what I found: 
1) While the tlsreuse directive was added, no code ever tests the setting. That means the session cache is always enabled in R5, as it supposedly is in R4. So, no need to run two R5 tests until that gets fixed.
2) The failures in R5 are not consistent. The first "login" received a 3-extension cert (presumably the peer cert) followed by a 9-extension cert (presumably the cert chain). Some number of subsequent logins only receive the 3-extension cert, and this is followed by an EEC failure. Then the whole thing recovers and you get the correct sequence. Then another failure. R4 does not exhibit this behavior.
3) There is not much difference between the R4 and R5 code paths. The one major difference is that R5 tests for refcount failure while R4 does not. That's a major oversight in R4, though one highly unlikely to ever cause a problem.


So, it would seem there is some strange interaction between davix and getting redirected to an R5 or R4 server, which would indicate there really is some fine difference we don't understand. So, let's nail down some more things:
a) What version is the redirector?
b) What OpenSSL version is being used by the R5 server vs. the R4 server? The easiest way to find out is to do an lsof on each running program and look to see which OpenSSL library is open. If they are different, maybe that is the issue. Please note that if R4 is using an OpenSSL version < 1.0.2, elliptic ciphers are not enabled.

So, relative to (b), you can test the hypothesis that it's the elliptic ciphers that are causing the problem by including this directive in the R5 server config:
http.cipherfilter ALL:!LOW:!EXP:!MD5:!MD2

In the end, I need to fix the tlsreuse option and instrument the whole thing to produce better messages. I can do that, but it would mean you would need to run from source. Is that OK with you?



https://github.com/xrootd/xrootd/issues/1276#issuecomment-685311395
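The two checks suggested in point (b) and the cipher-filter test, as an added example script that is not code from this thread or from xrootd. It assumes Linux (it reads /proc/PID/maps, falling back to lsof), an openssl binary on the path, and that you know the PID of each xrootd server; ssl_libs_from_maps, soname_version, ec_suites_in and check_filter are names chosen here for illustration.

```sh
#!/bin/sh
# Added example for the xrootd thread above; not code from the thread or from
# xrootd. Assumes Linux /proc/PID/maps (lsof as a fallback) and an `openssl`
# binary for the cipher-filter check.

# ssl_libs_from_maps: read /proc/PID/maps lines (or `lsof -p PID` output, which
# also ends each line with the mapped path) on stdin and print each
# libssl/libcrypto path once. A " (deleted)" tag means the library was
# replaced on disk after the server started, so the running code is older
# than what `openssl version` on the host reports.
ssl_libs_from_maps() {
    awk '{ p = $NF; if (p == "(deleted)") p = $(NF-1) " (deleted)" }
         p ~ "(^|/)lib(ssl|crypto)[^/.]*\\.so" && !seen[p]++ { print p }'
}

# ssl_libs_of_pid PID: the same for a live process.
ssl_libs_of_pid() {
    if [ -r "/proc/$1/maps" ]; then
        ssl_libs_from_maps < "/proc/$1/maps"
    else
        lsof -p "$1" 2>/dev/null | ssl_libs_from_maps
    fi
}

# soname_version PATH: the suffix after ".so.", e.g. libssl.so.1.0.2k -> 1.0.2k.
# Distros that use ABI tags (libssl.so.10 on EL7) give a tag, not a version;
# confirm with `rpm -qf PATH` or `dpkg -S PATH` in that case.
soname_version() {
    basename "$1" | sed -n -e 's/^libssl\.so\.//p' -e 's/^libcrypto\.so\.//p'
}

# ec_suites_in: read `openssl ciphers -v FILTER` output on stdin and print how
# many listed suites use elliptic-curve key exchange (Kx=ECDH) or ECDSA
# authentication (Au=ECDSA). Zero means FILTER really disables them.
ec_suites_in() {
    awk '$3 ~ /^Kx=ECDH/ || $4 ~ /^Au=ECDSA/ { n++ } END { print n + 0 }'
}

# check_filter FILTER: suite count and EC count for an http.cipherfilter string.
check_filter() {
    total=$(openssl ciphers "$1" | tr ':' '\n' | wc -l | tr -d ' ')
    ec=$(openssl ciphers -v "$1" | ec_suites_in)
    echo "filter '$1': $total suites, $ec using ECDH/ECDSA"
}

# Usage: ./sslcheck.sh R4_PID R5_PID  -- compare what each server has mapped.
if [ $# -gt 0 ]; then
    for pid in "$@"; do
        echo "PID $pid:"
        ssl_libs_of_pid "$pid" | while read -r lib rest; do
            echo "  $lib $rest (soname version: $(soname_version "$lib"))"
        done
    done
fi
if command -v openssl >/dev/null 2>&1; then
    check_filter 'ALL:!LOW:!EXP:!MD5:!MD2'
    check_filter 'ALL:!LOW:!EXP:!MD5:!MD2:!ECDH:!ECDSA'
fi
```

Run it once with the R4 PID and once with the R5 PID and diff the two library lists; a different soname, or a "(deleted)" tag on one side only, is the kind of "fine difference" the message is looking for. The second check_filter line is there because `openssl ciphers -v 'ALL:!LOW:!EXP:!MD5:!MD2'` still lists ECDHE suites on OpenSSL 1.0.2 and later, so the EC count it prints is not zero; appending `!ECDH:!ECDSA` is what brings it to zero if the goal is to rule elliptic-curve suites out entirely.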
