Hi Wei, Thanks for you quick answer ;) > On 14 May 2021, at 21:00, Yang, Wei <[log in to unmask]> wrote: > > There are several reasons: > > 1. The server or client is pretty old (4.8 and older if I remember correctly). In that case, one side (or both) does not sign the Diffie-Hellman parameters (which is used to estiblish symmetric encryption keys). The XRootD servers and redirectors at CC-IN2P3 are running 4.12.6-1, so I guess this should be ok... At the UK site, I don't know yet the version of the client used. I will ask them ;) > 2. The server host name used by the client is a DNS alias that is not in the server host certificate's SAN entries. I forgot whether this will result in a message like "no delegated credentials for tpc", but it is one of the common reasons that fails the credential delegation. At CC-IN2P3, the certificate used by the redirectors seems ok to me, e.g.: Subject: O=GRID-FR, C=FR, O=CNRS, OU=CC-IN2P3, CN=ccxrdrli03.in2p3.fr X509v3 Subject Alternative Name: DNS:ccxrdrli03.in2p3.fr, DNS:ccxroot.in2p3.fr There is no DNS alias for the servers, e.g.: Subject: O=GRID-FR, C=FR, O=CNRS, OU=CC-IN2P3, CN=ccxrdli283.in2p3.fr X509v3 Subject Alternative Name: DNS:ccxrdli283.in2p3.fr Thanks, Yvan ######################################################################## Use REPLY-ALL to reply to list To unsubscribe from the XROOTD-L list, click the following link: https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1