With help from Matevz, I got the latest (5.4.1 client and server) - the same issue remains. Let me know if new logs from 5.4.1 are needed. Thanks!

On Tue, 15 Feb 2022 at 10:16, Justas Balcas <[log in to unmask]> wrote:
> Hi,
>
> Servers/clients are running 5.3.X release (not 5.4). I took out 1 server from prod and played with full debug mode, on/off TLS.
>
> Logs from server/client are available here:
> https://login-1.hep.caltech.edu/~jbalcas/tls/
>
> To turn on TLS, I added this config:
> xrd.tls /etc/grid-security/xrootd/xrootdcert.pem /etc/grid-security/xrootd/xrootdkey.pem
> xrd.tlsca certdir /etc/grid-security/certificates
> xrootd.tls capable all
> sec.protocol /usr/lib64 ztn
>
> And with TLS on - I always get:
> TLS hand-shake exchange.
> Socket error while handshaking: [FATAL] TLS error
> Closing the socket
>
>
> If it helps, here is the full config:
>
> all.export /tmp stage
> frm.xfr.copycmd /bin/cp /dev/null $PFN
> all.adminpath /var/spool/xrootd
> all.pidpath /var/run/xrootd
>
> # XrootD Security
> # ---------------------------------------
> xrootd.seclib /usr/lib64/libXrdSec.so
> sec.protocol /usr/lib64 gsi -certdir:/etc/grid-security/certificates -cert:/etc/grid-security/xrootd/xrootdcert.pem -key:/etc/grid-security/xrootd/xrootdkey.pem -crl:3 -authzfun:libXrdLcmaps.so -authzto:900 -authzfunparms:lcmapscfg=/etc/xrootd/lcmaps.cfg -gmapopt:10 -gmapto:0
> acc.authdb /etc/xrootd/auth_file_stageout
> ofs.authorize
> macaroons.secretkey /etc/xrootd/macaroon-secret
> ofs.authlib ++ libXrdMacaroons.so
> ofs.authlib ++ libXrdAccSciTokens.so
> # --------------------------------------
> # XrootD Monitoring
> # --------------------------------------
> # Monitoring for AAA Dashboard :
> xrd.report 169.228.130.91:9931 every 30s all sync
> xrootd.monitor all auth flush 30s window 5s fstat 60 lfn ops xfr 5 dest files io info user 169.228.130.91:9930 dest fstat info user xrd-mon.osgstorage.org:9930
> all.sitename T2_US_Caltech
> # -------------------------------------
> # Configure redirector/server
> # -------------------------------------
> set xrdr = xrootd-redir-stageout.ultralight.org
> xrd.port 1095
> all.manager $(xrdr):1213
>
> if $(xrdr)
> # Its role is manager
> all.role manager
> # Redirect all lookup calls to original data servers. Redirector does not have visibility of FS
> cms.dfs lookup distrib mdhold 20m redirect immed
> else
> # Role is server
> all.role server
> # The known managers (local redirector)
> all.manager meta $(xrdr):1213
>
> # Enable xrootd checksum calculation "on-the-fly" using multiuser plugin
> # This makes XRootD write the files with the
> # ownership of the user that authenticated to the server and not as the
> # 'xrootd' user
> ofs.osslib ++ libXrdMultiuser.so
> # Enable the checksum wrapper
> ofs.ckslib * libXrdMultiuser.so
> # Control of checksum
> xrootd.chksum max 10 adler32
> multiuser.checksumonwrite on
> multiuser.umask 0002
>
> fi
> # -------------------------------------
> # Allow only specific path, checksum config
> # -------------------------------------
> # Allow any path to be exported; this is further refined in the authfile.
> all.export /
>
> # Hosts allowed to use this xrootd cluster
> cms.allow host *
>
> # Enable xrootd debugging
> xrootd.trace emsg login stall redirect
> cms.trace defer files forward redirect
>
> # Disable async. Related issue: https://github.com/xrootd/xrootd/issues/1113
> xrootd.async off
>
> # -------------------------------------
> # Integrate with CMS Namespaces
> # It will see files under /store/...
> # -------------------------------------
> oss.localroot /storage/cms
> # -------------------------------------
> # Configure davs/https for TPC
> # -------------------------------------
> # Enable https over XrootD
> if exec xrootd
> xrd.protocol http:1095 /usr/lib64/libXrdHttp.so
> http.cadir /etc/grid-security/certificates
> http.cert /etc/grid-security/xrootd/xrootdcert.pem
> http.key /etc/grid-security/xrootd/xrootdkey.pem
> http.secxtractor /usr/lib64/libXrdLcmaps.so
> http.secretkey XXXXXXX
> # Enable third-party-copy
> http.exthandler xrdtpc libXrdHttpTPC.so
> # Pass the bearer token to the Xrootd authorization framework.
> http.header2cgi Authorization authz
> http.listingdeny yes
> http.desthttps yes
> http.selfhttps2http no
> http.staticpreload http://static/robots.txt /etc/xrootd/robots.txt
> http.exthandler xrdmacaroons libXrdMacaroons.so
> fi
>
>
> xrd.tls /etc/grid-security/xrootd/xrootdcert.pem /etc/grid-security/xrootd/xrootdkey.pem
> xrd.tlsca certdir /etc/grid-security/certificates
> xrootd.tls capable all
> sec.protocol /usr/lib64 ztn
>
>
>
> xrootd.trace all
> xrd.trace all
> ofs.trace all
> pfc.trace all
> cms.trace all
> # To debug connections to the federation (5 Dump, 4 Debug, 3 Error, 2 Warning, 1 Info)
> pss.setopt DebugLevel 4
> ########################################################################

Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
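Before reading trace logs for a "[FATAL] TLS error" at handshake time, it is worth confirming that the material the xrd.tls and xrd.tlsca certdir lines point at is consistent: the key belongs to the certificate, the certificate is inside its validity window, and it chains to a CA in the hashed certificate directory. The script below is an added example for this thread, not code posted by Justas or shipped with XRootD; it assumes the openssl command-line tool is installed and takes the three paths from the config as arguments. It does not exercise the xroot handshake itself, which the server and client debug logs cover.

```shell
#!/bin/sh
# Added diagnostic for the xrd.tls / xrd.tlsca material (example, not part
# of XRootD). Assumes the openssl CLI; all paths are passed as arguments.

# check_tls_material CERT KEY CADIR
# Returns 0 only if every check passes. Prints one OK/FAIL/WARN line per
# check so the first failing step is obvious.
check_tls_material() {
  cert=$1
  key=$2
  cadir=$3
  rc=0

  # 1. Both files must parse as PEM. stdin is closed so an encrypted key
  #    fails instead of prompting for a passphrase (a daemon cannot type one).
  if openssl x509 -in "$cert" -noout 2>/dev/null; then
    echo "OK   cert parses: $cert"
  else
    echo "FAIL cert unreadable or not PEM X.509: $cert"; return 1
  fi
  if openssl pkey -in "$key" -noout </dev/null 2>/dev/null; then
    echo "OK   key parses: $key"
  else
    echo "FAIL key unreadable or passphrase-protected: $key"; return 1
  fi

  # 2. The key must belong to the cert: compare the public keys they carry
  #    (works for RSA and EC alike).
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout </dev/null 2>/dev/null)
  if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
    echo "OK   key matches cert"
  else
    echo "FAIL key does not match cert"; rc=1
  fi

  # 3. Validity window: -checkend 0 exits non-zero once notAfter has passed.
  if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
    echo "OK   cert not expired ($(openssl x509 -in "$cert" -noout -enddate))"
  else
    echo "FAIL cert expired ($(openssl x509 -in "$cert" -noout -enddate))"; rc=1
  fi

  # 4. The cert must chain to a CA in CADIR. -CApath relies on the <hash>.0
  #    links a grid certificates directory ships with. The ': OK' text is
  #    checked as well as the exit status, since old openssl builds exit 0
  #    even on a failed verify.
  out=$(openssl verify -CApath "$cadir" "$cert" 2>&1)
  case $out in
    *": OK") echo "OK   chain verifies against $cadir" ;;
    *)       echo "FAIL chain does not verify against $cadir: $out"; rc=1 ;;
  esac

  # 5. Key file permissions: group/world access is a finding, but it does
  #    not break the handshake, so only warn.
  perms=$(ls -ld "$key" | cut -c5-10)
  if [ "$perms" = "------" ]; then
    echo "OK   key readable only by its owner"
  else
    echo "WARN key is group/world accessible (mode bits '$perms')"
  fi

  return $rc
}

# Usage: sh tls-check.sh CERT KEY CADIR   (the paths from xrd.tls / xrd.tlsca)
if [ "$#" -eq 3 ]; then
  check_tls_material "$1" "$2" "$3"
fi
```

Run it as the user the daemon runs as, so that step 1 also catches a key the xrootd user cannot read; a clean run here narrows the problem to the handshake or protocol level rather than the files on disk.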