Hello Andy,

Here is some more debug. Details below.

Client 5.4.1, Server 5.4.1.

Server config:
------
xrd.tls /etc/grid-security/xrootd/xrootdcert.pem /etc/grid-security/xrootd/xrootdkey.pem detail
xrd.tlsca certdir /etc/grid-security/certificates
xrootd.tls capable all
sec.protocol /usr/lib64 ztn

Server log: https://login-1.hep.caltech.edu/~jbalcas/tls/xrootd-detail.log
-----
xrd.tls /etc/grid-security/xrootd/xrootdcert.pem /etc/grid-security/xrootd/xrootdkey.pem detail
xrd.tlsca noverify
xrootd.tls capable all
sec.protocol /usr/lib64 ztn

Server log: https://login-1.hep.caltech.edu/~jbalcas/tls/xrootd-detail-noverify.log
------
xrd.tls /etc/grid-security/xrootd/xrootdcert.pem /etc/grid-security/xrootd/xrootdkey.pem detail
xrd.tlsca certdir /etc/grid-security/certificates
xrootd.tls capable all
# ztn line removed

Server log: https://login-1.hep.caltech.edu/~jbalcas/tls/xrootd-detail-noztn.log
------

Still no success.

On Tue, 15 Feb 2022 at 11:52, Andrew Hanushevsky <[log in to unmask]> wrote:

> Hi Justas,
>
> If you look into the log you will notice a warning that tells you that TLS
> will always be on regardless of the "capable" setting because
> authentication protocol ztn requires tls. So, this may be the source of
> the problem, certainly it will be for incapable clients.
>
> Andy
>
>
> On Tue, 15 Feb 2022, Justas Balcas wrote:
>
> > Hi,
> >
> > Servers/Clients are running > 5.3.X release (not 5.4). I took out 1 server
> > from prod and played with full debug mode, on/off tls.
> >
> > Logs from server/client are available here:
> > https://login-1.hep.caltech.edu/~jbalcas/tls/
> >
> > To turn on TLS, I added this config:
> > xrd.tls /etc/grid-security/xrootd/xrootdcert.pem /etc/grid-security/xrootd/xrootdkey.pem
> > xrd.tlsca certdir /etc/grid-security/certificates
> > xrootd.tls capable all
> > sec.protocol /usr/lib64 ztn
> >
> > And with TLS on - I always get:
> > TLS hand-shake exchange.
> > Socket error while handshaking: [FATAL] TLS error
> > Closing the socket
> >
> >
> > If it helps, here is the full config:
> >
> > all.export /tmp stage
> > frm.xfr.copycmd /bin/cp /dev/null $PFN
> > all.adminpath /var/spool/xrootd
> > all.pidpath /var/run/xrootd
> >
> > # XrootD Security
> > # ---------------------------------------
> > xrootd.seclib /usr/lib64/libXrdSec.so
> > sec.protocol /usr/lib64 gsi -certdir:/etc/grid-security/certificates -cert:/etc/grid-security/xrootd/xrootdcert.pem -key:/etc/grid-security/xrootd/xrootdkey.pem -crl:3 -authzfun:libXrdLcmaps.so -authzto:900 -authzfunparms:lcmapscfg=/etc/xrootd/lcmaps.cfg -gmapopt:10 -gmapto:0
> > acc.authdb /etc/xrootd/auth_file_stageout
> > ofs.authorize
> > macaroons.secretkey /etc/xrootd/macaroon-secret
> > ofs.authlib ++ libXrdMacaroons.so
> > ofs.authlib ++ libXrdAccSciTokens.so
> > # --------------------------------------
> > # XrootD Monitoring
> > # --------------------------------------
> > # Monitoring for AAA Dashboard :
> > xrd.report 169.228.130.91:9931 every 30s all sync
> > xrootd.monitor all auth flush 30s window 5s fstat 60 lfn ops xfr 5 dest files io info user 169.228.130.91:9930 dest fstat info user xrd-mon.osgstorage.org:9930
> > all.sitename T2_US_Caltech
> > # -------------------------------------
> > # Configure redirector/server
> > # -------------------------------------
> > set xrdr = xrootd-redir-stageout.ultralight.org
> > xrd.port 1095
> > all.manager $(xrdr):1213
> >
> > if $(xrdr)
> > # Its role is manager
> > all.role manager
> > # Redirect all lookup calls to original data servers. Redirector does not have visibility of FS
> > cms.dfs lookup distrib mdhold 20m redirect immed
> > else
> > # Role is server
> > all.role server
> > # The known managers (local redirector)
> > all.manager meta $(xrdr):1213
> >
> > # Enable xrootd checksum calculation "on-the-fly" using multiuser plugin
> > # This makes XRootD write the files with the
> > # ownership of the user that authenticated to the server and not as the
> > # 'xrootd' user
> > ofs.osslib ++ libXrdMultiuser.so
> > # Enable the checksum wrapper
> > ofs.ckslib * libXrdMultiuser.so
> > # Control of checksum
> > xrootd.chksum max 10 adler32
> > multiuser.checksumonwrite on
> > multiuser.umask 0002
> >
> > fi
> > # -------------------------------------
> > # Allow only specific path, checksum config
> > # -------------------------------------
> > # Allow any path to be exported; this is further refined in the authfile.
> > all.export /
> >
> > # Hosts allowed to use this xrootd cluster
> > cms.allow host *
> >
> > # Enable xrootd debugging
> > xrootd.trace emsg login stall redirect
> > cms.trace defer files forward redirect
> >
> > # Disable async. Related issue: https://github.com/xrootd/xrootd/issues/1113
> > xrootd.async off
> >
> > # -------------------------------------
> > # Integrate with CMS Namespaces
> > # It will see files under /store/...
> > # -------------------------------------
> > oss.localroot /storage/cms
> > # -------------------------------------
> > # Configure davs/https for TPC
> > # -------------------------------------
> > # Enable https over XrootD
> > if exec xrootd
> > xrd.protocol http:1095 /usr/lib64/libXrdHttp.so
> > http.cadir /etc/grid-security/certificates
> > http.cert /etc/grid-security/xrootd/xrootdcert.pem
> > http.key /etc/grid-security/xrootd/xrootdkey.pem
> > http.secxtractor /usr/lib64/libXrdLcmaps.so
> > http.secretkey XXXXXXX
> > # Enable third-party-copy
> > http.exthandler xrdtpc libXrdHttpTPC.so
> > # Pass the bearer token to the Xrootd authorization framework.
> > http.header2cgi Authorization authz
> > http.listingdeny yes
> > http.desthttps yes
> > http.selfhttps2http no
> > http.staticpreload http://static/robots.txt /etc/xrootd/robots.txt
> > http.exthandler xrdmacaroons libXrdMacaroons.so
> > fi
> >
> >
> > xrd.tls /etc/grid-security/xrootd/xrootdcert.pem /etc/grid-security/xrootd/xrootdkey.pem
> > xrd.tlsca certdir /etc/grid-security/certificates
> > xrootd.tls capable all
> > sec.protocol /usr/lib64 ztn
> >
> >
> >
> > xrootd.trace all
> > xrd.trace all
> > ofs.trace all
> > pfc.trace all
> > cms.trace all
> > # To debug connections to the federation (5 Dump, 4 Debug, 3 Error, 2 Warning, 1 Info)
> > pss.setopt DebugLevel 4
> >

########################################################################
Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
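An added example, not code from the thread or from XRootD itself: a small Python linter that applies the rule Andy states above (sec.protocol ztn forces TLS on every connection regardless of the xrootd.tls capable setting) to the three server configs Justas tried, and also flags xrd.tlsca noverify, which turns off peer certificate verification. The directive names and file paths are taken from the message; the linter reads directives line by line and does not evaluate if/else/fi blocks.

```python
# Added example: lint XRootD TLS directives for the pitfalls discussed in the thread.
from typing import Dict, List, Tuple

Directive = Tuple[str, List[str]]


def parse_xrootd_config(text: str) -> List[Directive]:
    """Split a config into (directive, args) pairs, dropping comments, blank
    lines and the if/else/fi/set control lines (conditionals are not evaluated)."""
    out: List[Directive] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        if name in ("if", "else", "fi", "set"):
            continue
        out.append((name, args))
    return out


def tls_findings(text: str) -> Dict[str, object]:
    """Apply the TLS rules to a config and return the findings."""
    d = parse_xrootd_config(text)
    has_cert = any(n == "xrd.tls" and len(a) >= 2 for n, a in d)      # cert + key given
    capable = any(n == "xrootd.tls" and "capable" in a for n, a in d)  # TLS only if client can
    ztn = any(n == "sec.protocol" and "ztn" in a for n, a in d)        # token auth, needs TLS
    noverify = any(n == "xrd.tlsca" and a[:1] == ["noverify"] for n, a in d)
    warnings: List[str] = []
    if ztn and not has_cert:
        warnings.append("ztn requires TLS but no xrd.tls cert/key is configured")
    if ztn and capable:
        warnings.append("xrootd.tls capable is overridden: ztn makes TLS "
                        "mandatory, so TLS-incapable clients will fail")
    if noverify:
        warnings.append("xrd.tlsca noverify disables peer certificate verification")
    return {"tls_forced_by_ztn": ztn, "warnings": warnings}


# The three server configs from the message above (copied, not constructed).
CFG_ZTN_CERTDIR = """\
xrd.tls /etc/grid-security/xrootd/xrootdcert.pem /etc/grid-security/xrootd/xrootdkey.pem detail
xrd.tlsca certdir /etc/grid-security/certificates
xrootd.tls capable all
sec.protocol /usr/lib64 ztn
"""
CFG_ZTN_NOVERIFY = CFG_ZTN_CERTDIR.replace(
    "xrd.tlsca certdir /etc/grid-security/certificates", "xrd.tlsca noverify")
CFG_NO_ZTN = CFG_ZTN_CERTDIR.replace("sec.protocol /usr/lib64 ztn", "# ztn line removed")
```

Running tls_findings on each of the three fragments shows that only the third (ztn removed) yields no warning, matching the log names in the message.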