Here is the test I did.
I hardcoded a refresh interval of 5 seconds for the Refresh thread of XrdTlsContext.
I generated an expired certificate and started an XRootD server with HTTP enabled. I initiated an HTTP transfer with curl and I got the answer from the server that the certificate expired:
$ head -c 5M /dev/urandom > /tmp/bigfile_5M
$ curl -v --capath /etc/grid-security/certificates --cert ~/.globus/usercert.pem --key ~/.globus/userkey.pem --cacert ~/.globus/usercert.pem -X GET https://xrootd-ccaffy-dev01.cern.ch:1096/tmp/bigfile_5M 2>&1 >/dev/null
[...]
curl: (60) Peer's Certificate has expired
[...]
While the server is running, I generated a new certificate that expires in more than one year, waited for the CRL refresh thread to run and re-launched a file transfer with curl:
$ head -c 5M /dev/urandom > /tmp/bigfile_5M
$ curl -v --capath /etc/grid-security/certificates --cert ~/.globus/usercert.pem --key ~/.globus/userkey.pem --cacert ~/.globus/usercert.pem -X GET https://xrootd-ccaffy-dev01.cern.ch:1096/tmp/bigfile_5M 2>&1 >/dev/null
[...]
curl: (60) Peer's Certificate has expired
[...]
Same result, so the certificate is not renewed automatically by the XRootD HTTP server.
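Added example, not part of the original message or of XRootD: a small check that compares the certificate a running TLS listener presents with the certificate file on disk, which is the condition the test above probes by hand with curl. The state names, the function names and the `disk_cert_path` parameter are assumptions made for this example, the `openssl` CLI is assumed to be on PATH for the live check, and the two sample PEM blocks are constructed placeholders rather than real certificates.

```python
import ssl
import subprocess
import time

HEADER = "-----BEGIN CERTIFICATE-----"
FOOTER = "-----END CERTIFICATE-----"
# Constructed placeholder PEM blocks (not real certificates), used for offline checks.
SAMPLE_OLD = HEADER + "\nAAAA\n" + FOOTER + "\n"
SAMPLE_NEW = HEADER + "\nAQID\n" + FOOTER + "\n"


def leaf_der(pem):
    """DER bytes of the first certificate in a PEM string (later blocks are the chain)."""
    start = pem.index(HEADER)
    end = pem.index(FOOTER, start) + len(FOOTER)
    return ssl.PEM_cert_to_DER_cert(pem[start:end])


def not_after(pem):
    """notAfter string of a PEM certificate, read with the openssl CLI."""
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate"],
                         input=pem, capture_output=True, text=True, check=True)
    return out.stdout.strip().split("=", 1)[1]  # "notAfter=Jan  5 09:34:43 2018 GMT"


def diagnose(served_pem, disk_pem, served_not_after, now):
    """Classify the served certificate relative to the file on disk.

    stale*   : the listener presents a different certificate than the file on
               disk, i.e. a renewed file has not been picked up.
    in-sync* : the listener presents exactly the certificate that is on disk.
    """
    expired = ssl.cert_time_to_seconds(served_not_after) <= now
    if leaf_der(served_pem) != leaf_der(disk_pem):
        return "stale-expired" if expired else "stale"
    return "in-sync-expired" if expired else "in-sync"


def check_server(host, port, disk_cert_path):
    """Live check. The fetch does no chain or expiry validation, so an expired
    certificate can still be retrieved and inspected."""
    served = ssl.get_server_certificate((host, port))
    with open(disk_cert_path) as fh:
        disk = fh.read()
    return diagnose(served, disk, not_after(served), time.time())
```

Running `check_server` before and after replacing the certificate file distinguishes a server that never reloaded (`stale-expired`) from one that reloaded a file that is itself expired (`in-sync-expired`).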