LISTSERV 16.5 - XROOTD-DEV Archives

I thought we wanted the composite CRL file to reflect what is in the `/etc/grid-security/certificates` directory and not trying to see if in the previous run, a CRL that was found is not found anymore or is replaced by a null file in the next run.

Here are the tests I did:

First, best case scenario, there are two valid pem files in the `/etc/grid-security/certificates` directory:

```
//Server side
211201 13:42:09 23886 TPC_TempCA: Reloading the list of CAs and CRLs in directory
```

Composite CRL file:

```
-----BEGIN X509 CRL-----
[...] CRL1 file content
-----END X509 CRL-----
-----BEGIN X509 CRL-----
[...] CRL2 file content
-----END X509 CRL-----
```

Now, I empty the CRL2 file content:
```
root@xrootd-ccaffy-dev01 xrootd-run]# cat /etc/grid-security/certificates/my_crl_file_2.crl
[root@xrootd-ccaffy-dev01 xrootd-run]#
```

... and after the next run of the Maintenance:

```
-----BEGIN X509 CRL-----
[...] CRL1 file content
-----END X509 CRL-----
```

The composite CRL file is re-generated. Containing only the first CRL file as I emptied the second CRL file.

Now I will modify the CRL1 file content to break the CRL correctness of this file:

```
[root@xrootd-ccaffy-dev01 xrootd-run]# truncate -s 500 /etc/grid-security/certificates/my_crl_file.crl
```

Then the composite CRL file is re-generated and contains nothing:

```
[xrootddev@xrootd-ccaffy-dev01 xrootd-run]$ cat /var/spool/xrootd/.xrdtls/crl_file.pem
[xrootddev@xrootd-ccaffy-dev01 xrootd-run]$
```

A TPC transfer will then have the CRL check disabled:

```
211201 13:56:48 23872 TPC_TpcHandler: No valid CRL file has been found in the file /var/spool/xrootd/.xrdtls/crl_file.pem. Disabling CRL checking.
```

Is this the behaviour we expect? Because for me, the composite CRL file should be an image of what is in the `/etc/grid-security/certificates` directory.

To sum things up, the composite CRL file is completely re-generated at each Maintenance run :)

Sorry for the time spent on this topic, but I really need to understand and I want to be sure that you have the full picture of why I did this implementation like this ;)

-- 
You are receiving this because you commented.
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/pull/1547#issuecomment-983616811

########################################################################
Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1