I created a minimal patch to work around the issue, as suggested. The latest version has the following behavior:
```
$ # client has the required certificates to use TLS (no ztn token, so falls back to krb5)
$ xrdcp --force roots://eospilot.cern.ch//eos/pilot/opstest/amadio/4K.dat .
[4kB/4kB][100%][==================================================][4kB/s]  

$ # client has the CA directory, but it doesn't contain valid certificates (fails to validate server)
$ X509_CERT_DIR=/ xrdcp --force root://eospilot.cern.ch//eos/pilot/opstest/amadio/4K.dat .
[0B/0B][100%][==================================================][0B/s]  
Run: [FATAL] TLS error: resource temporarily unavailable:  (source)

$ # CA certificate directory does not exist, is not readable, etc
$ X509_CERT_DIR=/dev/null xrdcp --force root://eospilot.cern.ch//eos/pilot/opstest/amadio/4K.dat .
[0B/0B][100%][==================================================][0B/s]  
Run: [FATAL] TLS error: Failed to initialize TLS context (source)

$ # CA certificate directory does not exist, is not readable, etc (with --notlsok option)
$ X509_CERT_DIR=/dev/null xrdcp --force --notlsok root://eospilot.cern.ch//eos/pilot/opstest/amadio/4K.dat .
[4kB/4kB][100%][==================================================][4kB/s]  

$ # CA certificate directory does not exist, is not readable, etc (with --notlsok option, but roots:// instead of root://)
$ X509_CERT_DIR=/dev/null xrdcp --force --notlsok roots://eospilot.cern.ch//eos/pilot/opstest/amadio/4K.dat .
[0B/0B][100%][==================================================][0B/s]  
Run: [FATAL] TLS error: Failed to initialize TLS context (source)

$ # client has the CA directory, but it doesn't contain valid certificates (with roots:// instead of root://)
$ X509_CERT_DIR=/ xrdcp --force roots://eospilot.cern.ch//eos/pilot/opstest/amadio/4K.dat .
[0B/0B][100%][==================================================][0B/s]  
Run: [FATAL] TLS error: resource temporarily unavailable:  (source)

$ # client has the CA directory, but it doesn't contain valid certificates (with --notlsok option, but roots:// instead of root://)
$ X509_CERT_DIR=/ xrdcp --force --notlsok roots://eospilot.cern.ch//eos/pilot/opstest/amadio/4K.dat .
[0B/0B][100%][==================================================][0B/s]  
Run: [FATAL] TLS error: resource temporarily unavailable:  (source)
```

-- 
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/pull/2031#issuecomment-1589380486