Hi,

Servers/Clients are running > 5.3.X release (not 5.4). I took out 1 server from prod and played with full debug mode, on/off tls. Logs from server/client are available here: https://login-1.hep.caltech.edu/~jbalcas/tls/

To turn on TLS, I added this config:

    xrd.tls /etc/grid-security/xrootd/xrootdcert.pem /etc/grid-security/xrootd/xrootdkey.pem
    xrd.tlsca certdir /etc/grid-security/certificates
    xrootd.tls capable all
    sec.protocol /usr/lib64 ztn

And with TLS on - I always get:

    TLS hand-shake exchange.
    Socket error while handshaking: [FATAL] TLS error
    Closing the socket

If it helps, here is the full config:

    all.export /tmp stage
    frm.xfr.copycmd /bin/cp /dev/null $PFN
    all.adminpath /var/spool/xrootd
    all.pidpath /var/run/xrootd

    # XrootD Security
    # ---------------------------------------
    xrootd.seclib /usr/lib64/libXrdSec.so
    sec.protocol /usr/lib64 gsi -certdir:/etc/grid-security/certificates -cert:/etc/grid-security/xrootd/xrootdcert.pem -key:/etc/grid-security/xrootd/xrootdkey.pem -crl:3 -authzfun:libXrdLcmaps.so -authzto:900 -authzfunparms:lcmapscfg=/etc/xrootd/lcmaps.cfg -gmapopt:10 -gmapto:0
    acc.authdb /etc/xrootd/auth_file_stageout
    ofs.authorize
    macaroons.secretkey /etc/xrootd/macaroon-secret
    ofs.authlib ++ libXrdMacaroons.so
    ofs.authlib ++ libXrdAccSciTokens.so

    # --------------------------------------
    # XrootD Monitoring
    # --------------------------------------
    # Monitoring for AAA Dashboard :
    xrd.report 169.228.130.91:9931 every 30s all sync
    xrootd.monitor all auth flush 30s window 5s fstat 60 lfn ops xfr 5 dest files io info user 169.228.130.91:9930 dest fstat info user xrd-mon.osgstorage.org:9930
    all.sitename T2_US_Caltech

    # -------------------------------------
    # Configure redirector/server
    # -------------------------------------
    set xrdr = xrootd-redir-stageout.ultralight.org
    xrd.port 1095
    all.manager $(xrdr):1213

    if $(xrdr)
    # Its role is manager
    all.role manager
    # Redirect all lookup calls to original data servers.
    # Redirector does not have visibility of FS
    cms.dfs lookup distrib mdhold 20m redirect immed
    else
    # Role is server
    all.role server
    # The known managers (local redirector)
    all.manager meta $(xrdr):1213
    # Enable xrootd checksum calculation "on-the-fly" using multiuser plugin
    # This makes XRootD write the files with the
    # ownership of the user that authenticated to the server and not as the
    # 'xrootd' user
    ofs.osslib ++ libXrdMultiuser.so
    # Enable the checksum wrapper
    ofs.ckslib * libXrdMultiuser.so
    # Control of checksum
    xrootd.chksum max 10 adler32
    multiuser.checksumonwrite on
    multiuser.umask 0002
    fi

    # -------------------------------------
    # Allow only specific path, checksum config
    # -------------------------------------
    # Allow any path to be exported; this is further refined in the authfile.
    all.export /
    # Hosts allowed to use this xrootd cluster
    cms.allow host *
    # Enable xrootd debugging
    xrootd.trace emsg login stall redirect
    cms.trace defer files forward redirect
    # Disable async. Related issue: https://github.com/xrootd/xrootd/issues/1113
    xrootd.async off

    # -------------------------------------
    # Integrate with CMS Namespaces
    # It will see files under /store/...
    # -------------------------------------
    oss.localroot /storage/cms

    # -------------------------------------
    # Configure davs/https for TPC
    # -------------------------------------
    # Enable https over XrootD
    if exec xrootd
    xrd.protocol http:1095 /usr/lib64/libXrdHttp.so
    http.cadir /etc/grid-security/certificates
    http.cert /etc/grid-security/xrootd/xrootdcert.pem
    http.key /etc/grid-security/xrootd/xrootdkey.pem
    http.secxtractor /usr/lib64/libXrdLcmaps.so
    http.secretkey XXXXXXX
    # Enable third-party-copy
    http.exthandler xrdtpc libXrdHttpTPC.so
    # Pass the bearer token to the Xrootd authorization framework.
    http.header2cgi Authorization authz
    http.listingdeny yes
    http.desthttps yes
    http.selfhttps2http no
    http.staticpreload http://static/robots.txt /etc/xrootd/robots.txt
    http.exthandler xrdmacaroons libXrdMacaroons.so
    fi

    xrd.tls /etc/grid-security/xrootd/xrootdcert.pem /etc/grid-security/xrootd/xrootdkey.pem
    xrd.tlsca certdir /etc/grid-security/certificates
    xrootd.tls capable all
    sec.protocol /usr/lib64 ztn

    xrootd.trace all
    xrd.trace all
    ofs.trace all
    pfc.trace all
    cms.trace all
    # To debug connections to the federation (5 Dump, 4 Debug, 3 Error, 2 Warning, 1 Info)
    pss.setopt DebugLevel 4
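A server-side check worth running before reading the handshake trace, added here as an example and not part of the original post or of XRootD: the script below takes the certificate, key and CA directory that the post's xrd.tls and xrd.tlsca lines point at and verifies the things that most often make a TLS handshake fail with a generic error on the server side (unreadable files, a key that does not belong to the certificate, an expired certificate, or a CA directory the certificate does not verify against). It only needs the openssl command-line tool; the function name xrd_tls_check and the fallback paths are assumptions, the paths being copied from the post.

```shell
#!/bin/sh
# Added example, not part of the original post or of XRootD: sanity-check
# the files an xrd.tls / xrd.tlsca line points at before reading the
# handshake trace. Run it on the server as the user xrootd runs under, so
# a permission problem shows up as well.
#
# Checks:
#   1. cert and key are readable (and warn if the key is world-readable)
#   2. the certificate's public key matches the private key
#   3. the certificate has not expired
#   4. the certificate verifies against the hashed CA directory
#
# Returns 0 when all checks pass, 1 otherwise, naming the failing check.

xrd_tls_check() {
    cert="$1"; key="$2"; cadir="$3"

    # 1. Both files must be readable by the user running the server.
    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f" >&2; return 1; }
    done
    [ -d "$cadir" ] || { echo "FAIL: CA dir $cadir is not a directory" >&2; return 1; }

    # A world-readable private key is a hardening issue, not a handshake error.
    if [ -n "$(find "$key" -perm -o=r 2>/dev/null)" ]; then
        echo "WARN: $key is world-readable" >&2
    fi

    # 2. Derive the public key from each file and compare digests.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: public key in $cert does not match $key" >&2
        return 1
    fi

    # 3. -checkend 0 exits non-zero once notAfter has passed.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: $cert has expired" >&2; return 1; }

    # 4. A certdir needs the OpenSSL hashed layout (<hash>.0 files or links),
    #    which is the same layout openssl verify -CApath consults.
    openssl verify -CApath "$cadir" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert does not verify against $cadir" >&2; return 1; }

    echo "OK: $cert / $key / $cadir"
    return 0
}

# Stand-alone use: ./xrd_tls_check.sh CERT KEY CADIR; with no arguments,
# fall back to the paths used in the post (assumed to exist on the server).
if [ "$#" -eq 3 ]; then
    xrd_tls_check "$1" "$2" "$3"
elif [ "$#" -eq 0 ] && [ -r /etc/grid-security/xrootd/xrootdcert.pem ]; then
    xrd_tls_check /etc/grid-security/xrootd/xrootdcert.pem \
                  /etc/grid-security/xrootd/xrootdkey.pem \
                  /etc/grid-security/certificates
fi
```

The fourth check is the one people tend to skip: a directory of PEM files is not enough for a certdir, it has to carry the OpenSSL hash names (c_rehash or openssl rehash produces them), otherwise verification of the server's own chain fails even though every CA file is present. A passing run does not prove the client side is fine, but a failing one localises the problem to the server's files rather than the protocol exchange.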