I did some testing with master (bbf477b8) and reverting the XrdTlsSocket ERR_clear_error() patch (9d355f6e). I'm still seeing `error:0906D06C:PEM routines:PEM_read_bio:no start line` in the OpenSSL error queue ahead of XrdTls SSL_connect/read/write calls. I'm suspecting that `Tls::ClearErrorQueue()` is not always called after GSI calls.

https://github.com/xrootd/xrootd/blob/bbf477b876818485ac9250f97f53464a6a38f6a6/src/XrdCl/XrdClXRootDTransport.cc#L2314-L2320

It turns out that while our servers have TLS configured (serverFlags = 3592421377), our local redirector does *not* (serverFlags = 3145730). `XrdCl::XRootDTransport::DoAuthentication` calls `XrdSecProtocolgsi::getCredentials()`, but if the server doesn't have TLS flags, the client doesn't call `Tls::ClearErrorQueue()`. That would explain why this PR seemed to address the issue, since it puts the SSL error clearing further down.

--
Reply to this email directly or view it on GitHub: https://github.com/xrootd/xrootd/pull/1465#issuecomment-858011252
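The ordering problem reported in the comment above, as an added C model (not XRootD or OpenSSL code, and not from the comment's author): a credential lookup leaves an entry in the thread's error queue, and a later TLS call sees it unless the queue was cleared in between. Assumptions: the `err_*` helpers stand in for OpenSSL's error queue, bit 31 of `serverFlags` is taken as the TLS-capable marker, and `always_clear` is a hypothetical switch for clearing regardless of flags.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of one thread's OpenSSL error queue (illustrative stand-in). */
#define QMAX 8
static unsigned long errq[QMAX];
static int errq_len;

static void err_put(unsigned long e) { if (errq_len < QMAX) errq[errq_len++] = e; }
static unsigned long err_peek(void)  { return errq_len ? errq[0] : 0; }
static void err_clear(void)          { errq_len = 0; } /* models ERR_clear_error() */

#define HAVE_TLS          0x80000000u  /* assumption: TLS-capable bit in serverFlags */
#define PEM_NO_START_LINE 0x0906D06CUL /* error code quoted in the comment */

/* Stand-in for the GSI credential lookup: a failed PEM probe leaves an entry. */
static void gsi_get_credentials(void) { err_put(PEM_NO_START_LINE); }

/* Authentication step. With always_clear == 0 the queue is cleared only
 * when the server advertises TLS, which is the behaviour reported above. */
static void do_authentication(uint32_t server_flags, int always_clear)
{
    gsi_get_credentials();
    if (always_clear || (server_flags & HAVE_TLS))
        err_clear();
}

/* A TLS call whose result is classified from the error queue, as
 * SSL_get_error() does; that API requires an empty queue before the I/O
 * call. Returns the stale code that would be misreported, or 0. */
static unsigned long tls_io(void)
{
    unsigned long stale = err_peek();
    err_clear();
    return stale;
}

/* Authenticate against a server with the given flags, then make a TLS
 * call on the same thread. */
unsigned long auth_then_tls(uint32_t server_flags, int always_clear)
{
    err_clear();
    do_authentication(server_flags, always_clear);
    return tls_io();
}

int main(void)
{
    printf("redirector, conditional clear:   %#lx\n", auth_then_tls(3145730u, 0));
    printf("redirector, unconditional clear: %#lx\n", auth_then_tls(3145730u, 1));
    printf("TLS server, conditional clear:   %#lx\n", auth_then_tls(3592421377u, 0));
    return 0;
}
```

The two flag values are the ones quoted in the comment; only the non-TLS one lets the PEM error reach the TLS call.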