-
Notifications
You must be signed in to change notification settings - Fork 149
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
xrootd client SNI support? #1951
Comments
Hi @rptaylor |
Thanks @smithdh for the information. |
Yes, that is correct. The first negotiation is without using TLS. You can,
however, configure the system to exclusive use LS much like the way HTTP
does it (we don't do that by defaul to allow for optimizations that can't
happen with HTTP). However, as DS poinst out, the client is not programmed
to be able to start with TLS at the starting gate and that owuld need to
happen. Hence, for xroot protocol we don't have the capability you are
looking for even if the server is capable of doing that.
…On Mon, 13 Mar 2023, R. P. Taylor wrote:
Thanks @smithdh for the information.
I thought the xrootd protocol does use TLS? Or are you saying the client first connects without TLS, does some negotiation or something, and then switches to TLS?
--
Reply to this email directly or view it on GitHub:
#1951 (comment)
You are receiving this because you are subscribed to this thread.
Message ID: ***@***.***>
|
Thanks for the answer. |
Hello,
I don't suppose xrootd clients do support (or potentially could support without much effort) Server Name Indication?
The potential use case is layer 4 TCP load balancing and routing on Kubernetes using an ingress provider.
If xrootd clients use SNI during the TCP handshake to request a specific xrootd server name, then the ingress controller could know which backing server to direct the traffic to (which is otherwise not possible for a TCP router listening on a single (IP:port) combination), without having to know anything about the xrootd protocol.
This question only regards xrootd clients; the server (actually EOS pods) would not need to do anything.
The text was updated successfully, but these errors were encountered: