

In addition to #2014 there seem to be similar cipher issues when trying to connect with an EL9 client to an EL7 Xrootd server or redirector.

The problem was discovered using xrootd clients on lxplus9 at CERN against various redirectors/servers in the CMS AAA federation.

E.g.

[cwissing@lxplus921 ~]$ xrdfs root://t2-cms-xrootd01.desy.de query config version
230607 22:26:22 3308828 secgsi_ClientDoCert: could not instantiate session cipher using cipher public info from server
230607 22:26:22 3308828 secgsi_ClientDoCert: could not instantiate session cipher using cipher public info from server
[FATAL] Auth failed: Secgsi: ErrParseBuffer: could not instantiate session cipher : kXGS_cert

t2-cms-xrootd01.desy.de is a site redirector on Centos7, which causes no problems when accessed from lxplus (also Centos7). Our test redirector on EL9 works fine:

[cwissing@lxplus921 ~]$ xrdfs root://t2-cms-xrootd-dev01.desy.de query config version
v5.5.5

The issue is not local to DESY; about a dozen sites in the CMS federation fail this way (error code 52) [1].

Interestingly, all OSG sites are fine. Are they all on EL8 already, or is there perhaps a default config in OSG that prevents the observed issue?

Christoph

[1] Run this e.g. on lxplus9; you need a CMS VOMS however:
for s in $(xrdmapc --list all cms-xrd-global.cern.ch:1094 2>/dev/null | grep Srv | awk '{print $2}'); do xrdfs "$s" query config version > /dev/null 2>&1; RC=$?; if [ $RC -eq 52 ]; then echo " $s reports ciper issue - error $RC"; fi; done


Message ID: <xrootd/xrootd/issues/2028@github.com>
