Adding support for pure cert/key authentication.
Client controls this mode via XrdSecGSICREATEPROXY:
  1. If XrdSecGSICREATEPROXY=1 (default), a proxy is auto-generated from the cert/key pair if one is not found.
  2. If XrdSecGSICREATEPROXY=0, a proxy is used if present. Otherwise, the cert/key pair is used if present (no proxy).
This is mostly meant, on the server side, for pass-less authentication, possible when the key file is pass-less.
NB1: if the key-file is pass-less and XrdSecGSICREATEPROXY = 1 (default), authentication still works with the usual protocol, i.e. creating a proxy and using that for the handshake. Setting XrdSecGSICREATEPROXY = 0 avoids those additional steps.
NB2: Forward / backward compatibility is obtained by enabling the cert/pair mechanism only for versions supporting it.

You can view, comment on, or merge this pull request online at:

  https://github.com/xrootd/xrootd/pull/1561

-- Commit Summary --

  * Add support for reading the private key from a separate file
  * Add support for pure cert/key authentication (no proxy)
  * Reverse logic, 'no proxy' to 'create proxy' (see comments to PR#1493)
  * Increase version and add version check

-- File Changes --

    M src/XrdCrypto/XrdCryptoFactory.hh (2)
    M src/XrdCrypto/XrdCryptosslAux.cc (20)
    M src/XrdCrypto/XrdCryptosslAux.hh (4)
    M src/XrdSecgsi/XrdSecProtocolgsi.cc (69)
    M src/XrdSecgsi/XrdSecProtocolgsi.hh (11)
    M src/XrdSecgsi/XrdSecgsiProxy.cc (2)
    M src/XrdSecgsi/XrdSecgsitest.cc (2)

-- Patch Links --

https://github.com/xrootd/xrootd/pull/1561.patch
https://github.com/xrootd/xrootd/pull/1561.diff
