I created a minimal patch to work around the issue, as suggested. The latest version has the following behavior:

$ # client has the required certificates to use TLS (no ztn token, so falls back to krb5)
$ xrdcp --force roots://eospilot.cern.ch//eos/pilot/opstest/amadio/4K.dat .
[4kB/4kB][100%][==================================================][4kB/s]  

$ # client has the CA directory, but it doesn't contain valid certificates (fails to validate server)
$ X509_CERT_DIR=/ xrdcp --force root://eospilot.cern.ch//eos/pilot/opstest/amadio/4K.dat .
[0B/0B][100%][==================================================][0B/s]  
Run: [FATAL] TLS error: resource temporarily unavailable:  (source)

$ # CA certificate directory does not exist, is not readable, etc
$ X509_CERT_DIR=/dev/null xrdcp --force root://eospilot.cern.ch//eos/pilot/opstest/amadio/4K.dat .
[0B/0B][100%][==================================================][0B/s]  
Run: [FATAL] TLS error: Failed to initialize TLS context (source)

$ # CA certificate directory does not exist, is not readable, etc (with --notlsok option)
$ X509_CERT_DIR=/dev/null xrdcp --force --notlsok root://eospilot.cern.ch//eos/pilot/opstest/amadio/4K.dat .
[4kB/4kB][100%][==================================================][4kB/s]  

$ # CA certificate directory does not exist, is not readable, etc (with --notlsok option, but roots:// instead of root://)
$ X509_CERT_DIR=/dev/null xrdcp --force --notlsok roots://eospilot.cern.ch//eos/pilot/opstest/amadio/4K.dat .
[0B/0B][100%][==================================================][0B/s]  
Run: [FATAL] TLS error: Failed to initialize TLS context (source)

$ # client has the CA directory, but it doesn't contain valid certificates (with roots:// instead of root://)
$ X509_CERT_DIR=/ xrdcp --force roots://eospilot.cern.ch//eos/pilot/opstest/amadio/4K.dat .
[0B/0B][100%][==================================================][0B/s]  
Run: [FATAL] TLS error: resource temporarily unavailable:  (source)

$ # client has the CA directory, but it doesn't contain valid certificates (with --notlsok option, but roots:// instead of root://)
$ X509_CERT_DIR=/ xrdcp --force --notlsok roots://eospilot.cern.ch//eos/pilot/opstest/amadio/4K.dat .
[0B/0B][100%][==================================================][0B/s]  
Run: [FATAL] TLS error: resource temporarily unavailable:  (source)


Message ID: <xrootd/xrootd/pull/2031/c1589380486@github.com>
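The session above separates two client-side conditions: a CA path that cannot be used at all (the `/dev/null` runs) and a directory that exists but holds no CA certificates (the `/` runs). The following preflight check is an added example, not part of the original comment or of XRootD; the function names and status strings are constructed here, and it assumes the client's TLS library looks certificates up by OpenSSL's hashed file names.

```shell
#!/bin/sh
# Added example (not XRootD code): classify a CA directory before running
# a transfer, so the two failure cases in the session can be told apart.
#
# check_ca_dir return codes (constructed for this example):
#   0  directory is usable and has at least one hashed CA entry
#   1  path is missing, not a directory, or not readable/searchable
#   2  directory is readable but has no OpenSSL-style hashed entries
check_ca_dir() {
    dir=$1
    if [ ! -d "$dir" ] || [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
        return 1
    fi
    # OpenSSL finds CA certificates in a directory by subject-hash file
    # name: eight hex digits, a dot, and a sequence number (5ad8a5d6.0).
    # This checks naming and non-emptiness only, not certificate validity.
    for f in "$dir"/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*; do
        # An unmatched glob stays literal and fails the -f test.
        if [ -f "$f" ] && [ -s "$f" ]; then
            return 0
        fi
    done
    return 2
}

# Print a one-word status; written to be safe under `set -e`.
ca_dir_status() {
    rc=0
    check_ca_dir "$1" || rc=$?
    case $rc in
        0) echo "ok" ;;
        1) echo "unusable" ;;
        2) echo "no-ca-entries" ;;
    esac
}

# Report on the directory the client would use, if one is set.
if [ -n "${X509_CERT_DIR:-}" ]; then
    echo "X509_CERT_DIR=$X509_CERT_DIR: $(ca_dir_status "$X509_CERT_DIR")"
fi
```

A status of `unusable` corresponds to the kind of path used in the `/dev/null` runs, and `no-ca-entries` to a directory like the one in the `/` runs.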