I created a minimal patch to work around the issue, as suggested. The latest version has the following behavior:

```
$ # client has the required certificates to use TLS (no ztn token, so falls back to krb5)
$ xrdcp --force roots://eospilot.cern.ch//eos/pilot/opstest/amadio/4K.dat .
[4kB/4kB][100%][==================================================][4kB/s]

$ # client has the CA directory, but it doesn't contain valid certificates (fails to validate server)
$ X509_CERT_DIR=/ xrdcp --force root://eospilot.cern.ch//eos/pilot/opstest/amadio/4K.dat .
[0B/0B][100%][==================================================][0B/s]
Run: [FATAL] TLS error: resource temporarily unavailable: (source)

$ # CA certificate directory does not exist, is not readable, etc
$ X509_CERT_DIR=/dev/null xrdcp --force root://eospilot.cern.ch//eos/pilot/opstest/amadio/4K.dat .
[0B/0B][100%][==================================================][0B/s]
Run: [FATAL] TLS error: Failed to initialize TLS context (source)

$ # CA certificate directory does not exist, is not readable, etc (with --notlsok option)
$ X509_CERT_DIR=/dev/null xrdcp --force --notlsok root://eospilot.cern.ch//eos/pilot/opstest/amadio/4K.dat .
[4kB/4kB][100%][==================================================][4kB/s]

$ # CA certificate directory does not exist, is not readable, etc (with --notlsok option, but roots:// instead of root://)
$ X509_CERT_DIR=/dev/null xrdcp --force --notlsok roots://eospilot.cern.ch//eos/pilot/opstest/amadio/4K.dat .
[0B/0B][100%][==================================================][0B/s]
Run: [FATAL] TLS error: Failed to initialize TLS context (source)

$ # client has the CA directory, but it doesn't contain valid certificates (with roots:// instead of root://)
$ X509_CERT_DIR=/ xrdcp --force roots://eospilot.cern.ch//eos/pilot/opstest/amadio/4K.dat .
[0B/0B][100%][==================================================][0B/s]
Run: [FATAL] TLS error: resource temporarily unavailable: (source)

$ # client has the CA directory, but it doesn't contain valid certificates (with --notlsok option, but roots:// instead of root://)
$ X509_CERT_DIR=/ xrdcp --force --notlsok roots://eospilot.cern.ch//eos/pilot/opstest/amadio/4K.dat .
[0B/0B][100%][==================================================][0B/s]
Run: [FATAL] TLS error: resource temporarily unavailable: (source)
```

--
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/pull/2031#issuecomment-1589380486