I thought we wanted the composite CRL file to reflect what is in the /etc/grid-security/certificates
directory and not trying to see if in the previous run, a CRL that was found is not found anymore or is replaced by a null file in the next run.
Here are the tests I did:
First, best case scenario, there are two valid pem files in the /etc/grid-security/certificates
directory:
//Server side
211201 13:42:09 23886 TPC_TempCA: Reloading the list of CAs and CRLs in directory
Composite CRL file:
-----BEGIN X509 CRL-----
[...] CRL1 file content
-----END X509 CRL-----
-----BEGIN X509 CRL-----
[...] CRL2 file content
-----END X509 CRL-----
Now, I empty the CRL2 file content:
root@xrootd-ccaffy-dev01 xrootd-run]# cat /etc/grid-security/certificates/my_crl_file_2.crl
[root@xrootd-ccaffy-dev01 xrootd-run]#
... and after the next run of the Maintenance:
-----BEGIN X509 CRL-----
[...] CRL1 file content
-----END X509 CRL-----
The composite CRL file is re-generated. Containing only the first CRL file as I emptied the second CRL file.
Now I will modify the CRL1 file content to break the CRL correctness of this file:
[root@xrootd-ccaffy-dev01 xrootd-run]# truncate -s 500 /etc/grid-security/certificates/my_crl_file.crl
Then the composite CRL file is re-generated and contains nothing:
[xrootddev@xrootd-ccaffy-dev01 xrootd-run]$ cat /var/spool/xrootd/.xrdtls/crl_file.pem
[xrootddev@xrootd-ccaffy-dev01 xrootd-run]$
A TPC transfer will then have the CRL check disabled:
211201 13:56:48 23872 TPC_TpcHandler: No valid CRL file has been found in the file /var/spool/xrootd/.xrdtls/crl_file.pem. Disabling CRL checking.
Is this the behaviour we expect? Because for me, the composite CRL file should be an image of what is in the /etc/grid-security/certificates
directory.
To sum things up, the composite CRL file is completely re-generated at each Maintenance run :)
Sorry for the time spent on this topic, but I really need to understand and I want to be sure that you have the full picture of why I did this implementation like this ;)
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications on the go with GitHub Mobile for iOS or Android.
Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1