This is not an urgent issue, but does generate a little unexpected noise from the xrdcp client.

In dCache, we have continued to support `STRICT` vs `OPTIONAL` TLS on an xroot door or pool. If the endpoint is `STRICT`, the client will get a `goToTLS` from the protocol request; otherwise, it is up to the client to request TLS using `xroots`.

Now, here is a Two-Party read authenticating to a dCache door which is `OPTIONAL`. If I use `xroots`, all is fine:

```
arossi@fndcatemp1 ~]$ xrdcp5x -f xroots://fndcatemp2.fnal.gov:1095//pnfs/fs/usr/fermilab/users/arossi/volatile/data_1b /dev/null
[1B/1B][100%][==================================================][1B/s]
```

However, when I use that door (on 1095) as the source of a native xroot TPC, I see:

```
[arossi@fndcatemp1 ~]$ xrdcp5x --tpc only xroots://fndcatemp2.fnal.gov:1095//pnfs/fs/usr/fermilab/users/arossi/volatile/data_1b xroots://fndcatemp2.fnal.gov:1094//pnfs/fs/usr/fermilab/users/arossi/volatile/data-`suffix`
security protocol 'ztn' disallowed for non-TLS connections.
[1B/1B][100%][==================================================][0B/s]
```

The TPC succeeds.
The warning, in fact, is not generated by the transfer logins, but by the `kXR_query` against the source:

```
2-09 10:11:54.324893 -0600][Dump ][PostMaster ] [fndcatemp2.fnal.gov:1095] Sending message kXR_query (code: kXR_Qconfig, arg length: 4) (0x1740020) through substream 0 expecting answer at 0
[2023-02-09 10:11:54.325701 -0600][Debug ][PostMaster ] [fndcatemp2.fnal.gov:1095] Found 1 address(es): [::ffff:131.225.240.93]:1095
[2023-02-09 10:11:54.325791 -0600][Debug ][AsyncSock ] [fndcatemp2.fnal.gov:1095.0] Attempting connection to [::ffff:131.225.240.93]:1095
[2023-02-09 10:11:54.325866 -0600][Debug ][Poller ] Adding socket 0x173e610 to the poller
[2023-02-09 10:11:54.326058 -0600][Debug ][AsyncSock ] [fndcatemp2.fnal.gov:1095.0] Async connection call returned
[2023-02-09 10:11:54.326117 -0600][Debug ][XRootDTransport ] [fndcatemp2.fnal.gov:1095.0] Sending out the initial hand shake + kXR_protocol
[2023-02-09 10:11:54.326168 -0600][Dump ][AsyncSock ] [fndcatemp2.fnal.gov:1095.0] Wrote a message: (0x740010d0), 44 bytes
[2023-02-09 10:11:54.332918 -0600][Dump ][XRootDTransport ] [msg: 0x74079a40] Expecting 8 bytes of message body
[2023-02-09 10:11:54.332964 -0600][Dump ][AsyncSock ] [fndcatemp2.fnal.gov:1095.0] Received message header, size: 8
[2023-02-09 10:11:54.332986 -0600][Dump ][AsyncSock ] [fndcatemp2.fnal.gov:1095.0] Received a message of 16 bytes
[2023-02-09 10:11:54.333006 -0600][Debug ][XRootDTransport ] [fndcatemp2.fnal.gov:1095.0] Got the server hand shake response (type: manager [], protocol version 500)
[2023-02-09 10:11:54.334823 -0600][Dump ][XRootDTransport ] [msg: 0x7408b9c0] Expecting 8 bytes of message body
[2023-02-09 10:11:54.334869 -0600][Dump ][AsyncSock ] [fndcatemp2.fnal.gov:1095.0] Received message header, size: 8
[2023-02-09 10:11:54.334891 -0600][Dump ][AsyncSock ] [fndcatemp2.fnal.gov:1095.0] Received a message of 16 bytes
[2023-02-09 10:11:54.334915 -0600][Debug ][XRootDTransport ] [fndcatemp2.fnal.gov:1095.0] kXR_protocol successful (type: manager [], protocol version 500)
[2023-02-09 10:11:54.335121 -0600][Debug ][XRootDTransport ] [fndcatemp2.fnal.gov:1095.0] Sending out kXR_login request, username: arossi, cgi: xrd.cc=us&xrd.tz=-6&xrd.appname=xrdcp&xrd.info=&xrd.hostname=fndcatemp1.fnal.gov&xrd.rn=v20220328-b5f279d, dual-stack: false, private IPv4: false, private IPv6: false
[2023-02-09 10:11:54.335180 -0600][Dump ][AsyncSock ] [fndcatemp2.fnal.gov:1095.0] Wrote a message: (0x74079a40), 129 bytes
[2023-02-09 10:11:54.336716 -0600][Dump ][XRootDTransport ] [msg: 0x740010d0] Expecting 70 bytes of message body
[2023-02-09 10:11:54.336761 -0600][Dump ][AsyncSock ] [fndcatemp2.fnal.gov:1095.0] Received message header, size: 8
[2023-02-09 10:11:54.336784 -0600][Dump ][AsyncSock ] [fndcatemp2.fnal.gov:1095.0] Received a message of 78 bytes
[2023-02-09 10:11:54.336806 -0600][Debug ][XRootDTransport ] [fndcatemp2.fnal.gov:1095.0] Logged in, session: 60c82f6d4de883a7f1824946bde8e7ce
[2023-02-09 10:11:54.336821 -0600][Debug ][XRootDTransport ] [fndcatemp2.fnal.gov:1095.0] Authentication is required: &P=gsi,v:10400,c:ssl,ca:f5f0dfc2&P=ztn,0:4096:&P=unix
[2023-02-09 10:11:54.336836 -0600][Debug ][XRootDTransport ] [fndcatemp2.fnal.gov:1095.0] Sending authentication data
[2023-02-09 10:11:54.336880 -0600][Debug ][XRootDTransport ] [fndcatemp2.fnal.gov:1095.0] Trying to authenticate using gsi
[2023-02-09 10:11:54.337234 -0600][Debug ][XRootDTransport ] [fndcatemp2.fnal.gov:1095.0] Cannot get credentials for protocol gsi: Secgsi: ErrParseBuffer: error getting user proxies: kXGS_init
security protocol 'ztn' disallowed for non-TLS connections.
[2023-02-09 10:11:54.337608 -0600][Debug ][XRootDTransport ] [fndcatemp2.fnal.gov:1095.0] Trying to authenticate using unix
[2023-02-09 10:11:54.337858 -0600][Dump ][AsyncSock ] [fndcatemp2.fnal.gov:1095.0] Wrote a message: (0x74077ce0), 40 bytes
[2023-02-09 10:11:54.340539 -0600][Dump ][XRootDTransport ] [msg: 0x740010d0] Expecting 0 bytes of message body
[2023-02-09 10:11:54.340585 -0600][Dump ][AsyncSock ] [fndcatemp2.fnal.gov:1095.0] Received message header, size: 8
[2023-02-09 10:11:54.340601 -0600][Dump ][AsyncSock ] [fndcatemp2.fnal.gov:1095.0] Received a message of 8 bytes
[2023-02-09 10:11:54.340627 -0600][Debug ][XRootDTransport ] [fndcatemp2.fnal.gov:1095.0] Authenticated with unix.
```

If we weren't allowing anonymous reads (using the `unix` protocol), this query would fail.

I was wondering what your rationale was for not applying the client-requested protocol (in this case, `xroots`) to all requests to that endpoint?

Thanks, Al

--
Reply to this email directly or view it on GitHub: https://github.com/xrootd/xrootd/issues/1903
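An added example (not part of the original message, and not XRootD or dCache code): a small Python parser for client debug logs in the format shown above that reports, per stream, which authentication protocols were offered, tried, skipped and finally used, and flags streams that ended on `unix` although stronger protocols were offered. The sample lines, host name and CA hash are constructed placeholders, and charging the unprefixed non-TLS warning to the most recent stream is an assumption of this example.

```python
import re

# [timestamp][level][topic] [host:port.substream] message
PREFIX = re.compile(r"^\[[^\]]*\]\[[^\]]*\]\[[^\]]*\]\s+\[([^\]\s]+:\d+\.\d+)\]\s+(.*)$")
NO_TLS = re.compile(r"security protocol '(\w+)' disallowed for non-TLS")
EVENTS = {
    "tried": re.compile(r"Trying to authenticate using (\w+)"),
    "no_creds": re.compile(r"Cannot get credentials for protocol (\w+)"),
    "final": re.compile(r"Authenticated with (\w+)"),
}

def summarize(log_text):
    """Map each stream to the auth protocols offered, tried, skipped and used."""
    streams, last = {}, None
    for line in log_text.splitlines():
        m = PREFIX.match(line.strip())
        if m:
            last, msg = m.groups()
            s = streams.setdefault(last, {"offered": [], "tried": [], "no_creds": [],
                                          "no_tls": [], "final": []})
            if "Authentication is required:" in msg:
                s["offered"] = re.findall(r"&P=([^,&]+)", msg)
            for key, rx in EVENTS.items():
                s[key] += rx.findall(msg)
        # The non-TLS warning carries no stream prefix; charging it to the most
        # recent stream is a heuristic of this example.
        if last:
            streams[last]["no_tls"] += NO_TLS.findall(line)
    return streams

def weak_fallbacks(streams):
    """Streams that ended on 'unix' although the server offered something stronger."""
    return sorted(k for k, s in streams.items()
                  if s["final"] == ["unix"] and set(s["offered"]) - {"unix"})

# Constructed sample modelled on the log format above (placeholder host and CA hash).
P = "[2023-02-09 10:11:54.000000 -0600][Debug  ][XRootDTransport   ] [door.example.org:1095.0] "
SAMPLE = "\n".join([
    P + "Authentication is required: &P=gsi,v:10400,c:ssl,ca:00000000&P=ztn,0:4096:&P=unix",
    P + "Trying to authenticate using gsi",
    P + "Cannot get credentials for protocol gsi: Secgsi: ErrParseBuffer: error getting user proxies: kXGS_init",
    "security protocol 'ztn' disallowed for non-TLS connections.",
    P + "Trying to authenticate using unix",
    P + "Authenticated with unix.",
])

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for stream in weak_fallbacks(result):
        print(stream, result[stream])
```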