I did some testing with master (bbf477b) and reverting the XrdTlsSocket ERR_clear_error() patch (9d355f6). I'm still seeing `error:0906D06C:PEM routines:PEM_read_bio:no start line` in the OpenSSL error queue ahead of XrdTls SSL_connect/read/write calls.

I'm suspecting that Tls::ClearErrorQueue() is not always called after GSI calls.
https://github.com/xrootd/xrootd/blob/bbf477b876818485ac9250f97f53464a6a38f6a6/src/XrdCl/XrdClXRootDTransport.cc#L2314-L2320

It turns out that while our servers have TLS configured (serverFlags = 3592421377), our local redirector does not (serverFlags = 3145730).

XrdCl::XRootDTransport::DoAuthentication calls XrdSecProtocolgsi::getCredentials(), but if the server doesn't have TLS flags, the client doesn't call Tls::ClearErrorQueue().

That would explain why this PR seemed to address the issue, since it puts the SSL error clearing further down.


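The failure mode described in the comment above, as an added example that is not part of the original comment or of XRootD's code: a self-contained C++ model of an error-queue clear that is gated on the server's TLS flag, next to a scope guard that clears unconditionally. The in-memory queue standing in for OpenSSL's per-thread error queue, every function name, and the `0x80000000` TLS bit are assumptions made for illustration; the two `serverFlags` values are the ones quoted in the comment.

```cpp
#include <cstdint>
#include <cstdio>
#include <deque>
#include <string>

// Model (assumption) of OpenSSL's per-thread error queue; not the real API.
thread_local std::deque<std::string> g_errq;
void ClearErrorQueue() { g_errq.clear(); }
constexpr uint32_t kHaveTlsBit = 0x80000000u;  // assumed "server has TLS" bit

// Stand-in for the GSI credential lookup: a PEM probe that finds no PEM
// header is harmless to the caller but leaves an entry in the queue.
void GetCredentials() {
  g_errq.push_back("error:0906D06C:PEM routines:PEM_read_bio:no start line");
}

// Stand-in for a later SSL_connect/read/write: SSL_get_error() is only
// reliable with an empty queue, so a stale entry is reported as a TLS failure.
std::string TlsIo() {
  return g_errq.empty() ? "ok" : "failed: " + g_errq.front();
}

// Pattern described in the comment: the clear runs only for TLS servers.
void AuthGated(uint32_t serverFlags) {
  GetCredentials();
  if (serverFlags & kHaveTlsBit) ClearErrorQueue();
}

// Hardened pattern: a scope guard clears the queue on every exit path.
struct ErrQueueGuard { ~ErrQueueGuard() { ClearErrorQueue(); } };
void AuthGuarded(uint32_t /*serverFlags*/) {
  ErrQueueGuard guard;
  GetCredentials();
}

// Authenticate against a first hop, then do TLS I/O on the same thread.
std::string LoginThenTls(void (*auth)(uint32_t), uint32_t firstHopFlags) {
  ClearErrorQueue();
  auth(firstHopFlags);
  return TlsIo();
}

int main() {
  std::printf("gated,   flags 3145730: %s\n", LoginThenTls(AuthGated, 3145730u).c_str());
  std::printf("guarded, flags 3145730: %s\n", LoginThenTls(AuthGuarded, 3145730u).c_str());
  return 0;
}
```
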