LISTSERV 16.5 - XROOTD-DEV Archives

I thought we wanted the composite CRL file to reflect what is in the /etc/grid-security/certificates directory and not trying to see if in the previous run, a CRL that was found is not found anymore or is replaced by a null file in the next run.

Here are the tests I did:

First, best case scenario, there are two valid pem files in the /etc/grid-security/certificates directory:

//Server side
211201 13:42:09 23886 TPC_TempCA: Reloading the list of CAs and CRLs in directory

Composite CRL file:

-----BEGIN X509 CRL-----
[...] CRL1 file content
-----END X509 CRL-----
-----BEGIN X509 CRL-----
[...] CRL2 file content
-----END X509 CRL-----

Now, I empty the CRL2 file content:

root@xrootd-ccaffy-dev01 xrootd-run]# cat /etc/grid-security/certificates/my_crl_file_2.crl
[root@xrootd-ccaffy-dev01 xrootd-run]#

... and after the next run of the Maintenance:

-----BEGIN X509 CRL-----
[...] CRL1 file content
-----END X509 CRL-----

The composite CRL file is re-generated. Containing only the first CRL file as I emptied the second CRL file.

Now I will modify the CRL1 file content to break the CRL correctness of this file:

[root@xrootd-ccaffy-dev01 xrootd-run]# truncate -s 500 /etc/grid-security/certificates/my_crl_file.crl

Then the composite CRL file is re-generated and contains nothing:

[xrootddev@xrootd-ccaffy-dev01 xrootd-run]$ cat /var/spool/xrootd/.xrdtls/crl_file.pem
[xrootddev@xrootd-ccaffy-dev01 xrootd-run]$

A TPC transfer will then have the CRL check disabled:

211201 13:56:48 23872 TPC_TpcHandler: No valid CRL file has been found in the file /var/spool/xrootd/.xrdtls/crl_file.pem. Disabling CRL checking.

Is this the behaviour we expect? Because for me, the composite CRL file should be an image of what is in the /etc/grid-security/certificates directory.

To sum things up, the composite CRL file is completely re-generated at each Maintenance run :)

Sorry for the time spent on this topic, but I really need to understand and I want to be sure that you have the full picture of why I did this implementation like this ;)

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications on the go with GitHub Mobile for iOS or Android.

[ { "@context": "http://schema.org", "@type": "EmailMessage", "potentialAction": { "@type": "ViewAction", "target": "https://github.com/xrootd/xrootd/pull/1547#issuecomment-983616811", "url": "https://github.com/xrootd/xrootd/pull/1547#issuecomment-983616811", "name": "View Pull Request" }, "description": "View this Pull Request on GitHub", "publisher": { "@type": "Organization", "name": "GitHub", "url": "https://github.com" } } ]

Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1