
This discusses some additional things you may need to do:

https://computingforgeeks.com/configure-system-wide-cryptographic-policies/

However, while this should work for the RH distribution, it's not at all clear
crypto policies will work in the Alma distribution; at least not without
some additional effort.

Andy


On Thu, 25 May 2023, mike-leech wrote:

> We are seeing exactly the same problem. Client Centos7(xrootd5.5.4-1) server Alma9(xrootd5.5.5-1) .
>
> update-crypto-policies --set DEFAULT:SHA1 on server and restarting has no effect.
>
> xrdcp from Alma 9 client to Alma 9 server works fine.
>
> ***@***.*** ~]$ xrdcp -f -d1 xroot://pplxwn021//tmp/zap local_zap2
> 230525 11:37:45 255389 secgsi_ClientDoCert: could not instantiate session cipher using cipher public info from server
> [2023-05-25 11:37:45.619578 +0100][Error ][XRootDTransport ] [pplxwn021:1094.0] Auth protocol handler for gsi refuses to give us more credentials Secgsi: ErrParseBuffer: could not instantiate session cipher : kXGS_cert
> [2023-05-25 11:37:45.619725 +0100][Error ][AsyncSock ] [pplxwn021:1094.0] Socket error while handshaking: [FATAL] Auth failed
> [2023-05-25 11:37:45.619845 +0100][Error ][PostMaster ] [pplxwn021:1094] elapsed = 1, pConnectionWindow = 120 seconds.
> [2023-05-25 11:37:45.619895 +0100][Error ][PostMaster ] [pplxwn021:1094] Unable to recover: [FATAL] Auth failed.
> [2023-05-25 11:37:45.619932 +0100][Error ][XRootD ] [pplxwn021:1094] Impossible to send message kXR_open (file: /tmp/zap, mode: 00, flags: kXR_open_read kXR_async kXR_retstat ). Trying to recover.
> [0B/0B][100%][==================================================][0B/s]
> Run: [FATAL] Auth failed: Secgsi: ErrParseBuffer: could not instantiate session cipher : kXGS_cert (source)
>
>
> I'm also willing to test, as this is stalling our upgrade of all systems to Alma 9.
>
> Just a thought. Major upgrade to openssl3 on EL9. Lots of legacy stuff has been dropped.
>
> Cheers.

