I thought we wanted the composite CRL file to reflect what is in the `/etc/grid-security/certificates` directory and not trying to see if in the previous run, a CRL that was found is not found anymore or is replaced by a null file in the next run. Here are the tests I did: First, best case scenario, there are two valid pem files in the `/etc/grid-security/certificates` directory: ``` //Server side 211201 13:42:09 23886 TPC_TempCA: Reloading the list of CAs and CRLs in directory ``` Composite CRL file: ``` -----BEGIN X509 CRL----- [...] CRL1 file content -----END X509 CRL----- -----BEGIN X509 CRL----- [...] CRL2 file content -----END X509 CRL----- ``` Now, I empty the CRL2 file content: ``` root@xrootd-ccaffy-dev01 xrootd-run]# cat /etc/grid-security/certificates/my_crl_file_2.crl [root@xrootd-ccaffy-dev01 xrootd-run]# ``` ... and after the next run of the Maintenance: ``` -----BEGIN X509 CRL----- [...] CRL1 file content -----END X509 CRL----- ``` The composite CRL file is re-generated. Containing only the first CRL file as I emptied the second CRL file. Now I will modify the CRL1 file content to break the CRL correctness of this file: ``` [root@xrootd-ccaffy-dev01 xrootd-run]# truncate -s 500 /etc/grid-security/certificates/my_crl_file.crl ``` Then the composite CRL file is re-generated and contains nothing: ``` [xrootddev@xrootd-ccaffy-dev01 xrootd-run]$ cat /var/spool/xrootd/.xrdtls/crl_file.pem [xrootddev@xrootd-ccaffy-dev01 xrootd-run]$ ``` A TPC transfer will then have the CRL check disabled: ``` 211201 13:56:48 23872 TPC_TpcHandler: No valid CRL file has been found in the file /var/spool/xrootd/.xrdtls/crl_file.pem. Disabling CRL checking. ``` Is this the behaviour we expect? Because for me, the composite CRL file should be an image of what is in the `/etc/grid-security/certificates` directory. To sum things up, the composite CRL file is completely re-generated at each Maintenance run :) Sorry for the time spent on this topic, but I really need to understand and I want to be sure that you have the full picture of why I did this implementation like this ;) -- You are receiving this because you commented. Reply to this email directly or view it on GitHub: https://github.com/xrootd/xrootd/pull/1547#issuecomment-983616811 ######################################################################## Use REPLY-ALL to reply to list To unsubscribe from the XROOTD-DEV list, click the following link: https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1