I did some testing with master (bbf477b) and reverting the XrdTlsSocket ERR_clear_error() patch (9d355f6). I'm still seeing error:0906D06C:PEM routines:PEM_read_bio:no start line in the OpenSSL error queue ahead of XrdTls SSL_connect/read/write calls.
I'm suspecting that Tls::ClearErrorQueue() is not always called after GSI calls.
https://github.com/xrootd/xrootd/blob/bbf477b876818485ac9250f97f53464a6a38f6a6/src/XrdCl/XrdClXRootDTransport.cc#L2314-L2320
It turns out that while our servers have TLS configured (serverFlags = 3592421377), our local redirector does not (serverFlags = 3145730).
XrdCl::XRootDTransport::DoAuthentication calls XrdSecProtocolgsi::getCredentials(), but if the server doesn't have TLS flags, the client doesn't call Tls::ClearErrorQueue().
That would explain why this PR seemed to address the issue, since it puts the SSL error clearing further down.
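
The failure mode described in this message, reduced to a stand-alone C++ model. This is an added example, not XRootD or OpenSSL code: every function name is hypothetical, and the deque stands in for OpenSSL's per-thread error queue, which SSL_get_error() inspects before classifying a failed I/O call.

```cpp
// Model only: g_errq stands in for OpenSSL's per-thread error queue, which
// every libcrypto/libssl caller on the same thread shares.
#include <cstdio>
#include <deque>
#include <string>

static thread_local std::deque<std::string> g_errq;

enum class IoResult { WantRetry, Fatal };

// Stand-in for ERR_clear_error().
void clear_error_queue() { g_errq.clear(); }

// Stand-in for credential loading during GSI authentication: a PEM probe that
// finds no PEM block leaves an entry queued (the error quoted in the message).
void load_credentials() {
  g_errq.push_back("error:0906D06C:PEM routines:PEM_read_bio:no start line");
}

// Stand-in for SSL_connect/read/write followed by SSL_get_error() on a socket
// that merely needs a retry. SSL_get_error() inspects the queue first, so a
// stale entry is reported as a fatal TLS error instead of a retry.
IoResult tls_io() {
  return g_errq.empty() ? IoResult::WantRetry : IoResult::Fatal;
}

// server_has_tls_flags: the clear after authentication runs only on this path
// (the behaviour the message describes). clear_before_io: assumed hardening
// that empties the queue immediately before the TLS call on every path.
IoResult authenticate_then_io(bool server_has_tls_flags, bool clear_before_io) {
  clear_error_queue();               // start each scenario from a clean queue
  load_credentials();
  if (server_has_tls_flags) clear_error_queue();
  if (clear_before_io) clear_error_queue();
  return tls_io();
}

int main() {
  const char *names[] = {"retry", "fatal"};
  std::printf("TLS server, clear after auth only:     %s\n",
              names[static_cast<int>(authenticate_then_io(true, false))]);
  std::printf("non-TLS server, clear after auth only: %s\n",
              names[static_cast<int>(authenticate_then_io(false, false))]);
  std::printf("non-TLS server, clear before TLS I/O:  %s\n",
              names[static_cast<int>(authenticate_then_io(false, true))]);
  return 0;
}
```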