[XrootdHttpTPC] Empty CRL file fails a HTTP TPC pull transfer #1543
Comments
Hi, In "grid world", CRLs are often mandatory. In the remainder of the planet, CRLs are rarely (never might be too strong?) mandatory. I would prefer to go the "remainder of the planet" route. Can you submit a PR? Does it error if the file is 1-byte long? Or does it error whenever there are zero valid CRLs? Brian
I also prefer the Yes, I will take a look at this and submit a PR. For this I need to try. I will answer your question in this ticket :)
An error is triggered if there is no valid CRL in the aggregated-CRL file or if it is empty.
After the discussions on #1547
Hello,
After the submission of an HTTP TPC Pull transfer, I got the following error client side:
On server side:
Here is the configuration file I have:
After debugging the xrootd process, I could see that curl complains with "Failed to load CRL file (path? access rights?, format?)" when the `CURLOPT_CRLFILE` option points to an empty file.
The workaround I found was to set the following environment variable:
This prevents the class `XrdTlsTempCA` from being instantiated and therefore prevents setting the `CURLOPT_CRLFILE` option (done by the method `TPCHandler::ConfigureCurlCA()`).
In my opinion, this can be problematic for users. The directory where the certificates are located is passed via the configuration of the server. If a user has no CRL file in the certificate directory, XRootD should just ignore it and should not try to set the `CURLOPT_CRLFILE` curl option.
In production, everything works fine because the concatenated CRL file is not empty:
My first question is, is it me who wrongly configured the server?
Otherwise, should we add a check that verifies that the concatenated CRL file is not empty before assigning it to `CURLOPT_CRLFILE`?
@abh3, @bbockelm what is your opinion about this issue?
Thanks in advance for your answers :)
Cheers,
Cedric
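One way to write the check proposed in the issue, as an added example that is not part of the original thread and not XRootD's own code: count the complete PEM CRL blocks in the aggregated file and set `CURLOPT_CRLFILE` only when there is at least one. The names `count_pem_crls`, `count_pem_crls_in` and `crl_file_usable` are hypothetical, and the check is structural only (it does not verify that a CRL is valid).

```cpp
#include <cstddef>
#include <fstream>
#include <iostream>
#include <sstream>
#include <string>

// Count complete PEM "X509 CRL" blocks. Structural check only: it does not
// decode the base64 body or verify the CRL signature.
std::size_t count_pem_crls(std::istream &in) {
    const std::string begin = "-----BEGIN X509 CRL-----";
    const std::string end = "-----END X509 CRL-----";
    std::size_t count = 0;
    bool inside = false, has_body = false;
    std::string line;
    while (std::getline(in, line)) {
        // Tolerate CRLF line endings and trailing blanks.
        while (!line.empty() && std::string("\r \t").find(line.back()) != std::string::npos)
            line.pop_back();
        if (line == begin) {
            inside = true; has_body = false;
        } else if (line == end) {
            if (inside && has_body) ++count;
            inside = false;
        } else if (inside && !line.empty()) {
            has_body = true;
        }
    }
    return count;  // an unterminated trailing block is not counted
}

// Same check on an in-memory buffer.
std::size_t count_pem_crls_in(const std::string &pem) {
    std::istringstream in(pem);
    return count_pem_crls(in);
}

// Hypothetical helper: true only if the file opens and holds >= 1 CRL block.
// Caller sketch (needs libcurl):
//   if (crl_file_usable(p)) curl_easy_setopt(curl, CURLOPT_CRLFILE, p.c_str());
bool crl_file_usable(const std::string &path) {
    std::ifstream in(path);
    return in.is_open() && count_pem_crls(in) > 0;
}

int main() {
    // Constructed samples: the base64 body is a placeholder, not a real CRL.
    std::cout << count_pem_crls_in("") << ' '
              << count_pem_crls_in("-----BEGIN X509 CRL-----\nMIIB\n-----END X509 CRL-----\n") << '\n';
}
```

With this guard an empty, 1-byte or CRL-free file leaves `CURLOPT_CRLFILE` unset, so the transfer runs without revocation checking rather than failing; sites where CRLs are mandatory would treat a zero count as an error instead.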