@abh3 - to be clear, I only hooked up the XrdTpc pieces. Here are the relevant locations:

If we want to do the same thing for the other consumers of XrdTls, we'd need something that controls lifetime -- for XrdTpc, this is self-contained because we know the libcurl handle will last precisely no longer than the synchronous function call. XrdHttp could, for example, have a static shared_ptr that is updated from a common XrdTlsTempCA object every hour. Do be careful about lifetime restrictions: if the shared pointer ever falls out of scope, then it's possible the OS will clean up the CA/CRL files.

For the configuration language -- this is essential for at least the NSS backend, so I hadn't planned to expose it as an option. I can see that it really should be an option for other users of XrdTls (where NSS isn't as problematic!).

I like this variant you suggest:

xrd.tlsca noverify | {certdir | certfile [auto]} path

Note in the current implementation the auto-generated CA file only works with the certdir and is superseded by certfile if set. Do you think we should do this regardless for XrdTpc, even if not explicitly requested?
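The lifetime caveat above, as an added C++ example (not XRootD's own code): a hypothetical TempCAFile stands in for the generated bundle, CACache plays the role of the refreshing static shared_ptr suggested for XrdHttp, and the two functions contrast pinning the bundle for a synchronous call (the XrdTpc pattern) with keeping only its path. File names under /tmp and the PEM contents are constructed.

```cpp
#include <cstdio>
#include <fstream>
#include <memory>
#include <mutex>
#include <string>

// Hypothetical stand-in for a generated CA bundle: the file exists exactly as long
// as the last shared_ptr referring to it (constructed example, not XrdTlsTempCA).
class TempCAFile {
public:
    explicit TempCAFile(const std::string &pem)
        : path_("/tmp/ca-bundle-" + std::to_string(counter_++) + ".pem") {
        std::ofstream out(path_.c_str());
        out << pem;
    }
    ~TempCAFile() { std::remove(path_.c_str()); }   // OS-level cleanup at refcount zero
    const std::string &Path() const { return path_; }
private:
    static int counter_;
    std::string path_;
};
int TempCAFile::counter_ = 0;

static bool FileExists(const std::string &p) { return std::ifstream(p.c_str()).good(); }

// Cache a long-lived consumer (XrdHttp-style) would poll: Refresh() swaps the pointer,
// but an older bundle stays on disk while any caller still holds a shared_ptr to it.
class CACache {
public:
    std::shared_ptr<TempCAFile> Get() { std::lock_guard<std::mutex> l(m_); return cur_; }
    void Refresh(const std::string &pem) {
        std::shared_ptr<TempCAFile> fresh = std::make_shared<TempCAFile>(pem);
        std::lock_guard<std::mutex> l(m_);
        cur_ = std::move(fresh);   // old bundle is deleted here if nobody else holds it
    }
private:
    std::mutex m_;
    std::shared_ptr<TempCAFile> cur_;
};

// Constructed placeholder, not a real certificate.
static const char *kPem = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n";

// XrdTpc-style use: pin the bundle for the whole synchronous call so a concurrent
// refresh cannot remove the file libcurl is reading. Returns true if it survived.
bool TransferWithPinnedCA() {
    CACache cache; cache.Refresh(kPem);
    std::shared_ptr<TempCAFile> pinned = cache.Get();   // reference held for this scope
    cache.Refresh(kPem);                                 // simulate the hourly refresh
    return FileExists(pinned->Path());
}

// Anti-pattern: keep only the path; the temporary shared_ptr dies at the end of the
// statement. Returns true if the file was gone after the refresh (the hazard).
bool TransferWithRawPath() {
    CACache cache; cache.Refresh(kPem);
    std::string path = cache.Get()->Path();
    cache.Refresh(kPem);
    return !FileExists(path);
}
```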


View this comment on GitHub: https://github.com/xrootd/xrootd/pull/1431#issuecomment-811614412

Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1