That is correct. The expectation of roots/xroots/https protocols is that
you *will* use TLS encryption. If you can't the connection should fail
otherwise we are letting you run wha should have been encrypted over an
unencrypted connection which from a security standpoint is really bad.
On Thu, 15 Jun 2023, Guilherme Amadio wrote:
> Hi @esindril, yes, my memory is that when I was discussing this with @abh, the conclusion was that when a `roots://` URL is used, we should never allow falling back to non-encrypted connections for security reasons. However, if `root://` is used, `--notlsok` will work to not enforce promotion to use encryption.
>
> --
> Reply to this email directly or view it on GitHub:
> https://github.com/xrootd/xrootd/pull/2031#issuecomment-1592656925
> You are receiving this because your review was requested.
>
> Message ID: ***@***.***>
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you commented.Message ID: <xrootd/xrootd/pull/2031/c1592673432@github.com>
[
{
"@context": "http://schema.org",
"@type": "EmailMessage",
"potentialAction": {
"@type": "ViewAction",
"target": "https://github.com/xrootd/xrootd/pull/2031#issuecomment-1592673432",
"url": "https://github.com/xrootd/xrootd/pull/2031#issuecomment-1592673432",
"name": "View Pull Request"
},
"description": "View this Pull Request on GitHub",
"publisher": {
"@type": "Organization",
"name": "GitHub",
"url": "https://github.com"
}
}
]
Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1