Rebased version of PR#1493 #1561
Client enforces this mode by setting XrdSecGISNOPROXY=1. Key file must be pass-less.
Servers check the number of certificates in the received chain. Pass-less authentication can still happen but requires the creation of the proxy.
Hi @gganis, I gave it a try by running a server and client built with this PR and setting
Hi @simonmichal,
@gganis : thanks a lot for the quick fix! I can confirm that now it works as advertised :-)
Until the old pre-openssl3 code is removed, any change to code that exists in two versions must be changed twice.
@ellert : noted, I'll take care of this later on this week!
Adding support for pure cert/key authentication.
Client controls this mode via XrdSecGSICREATEPROXY:
This is mostly meant, on the server side, for pass-less authentication, possible when the key file is pass-less.
NB1: if the key-file is pass-less and XrdSecGSICREATEPROXY = 1 (default) authentication still works with the usual protocol, i.e. creating a proxy and using that for the handshake. Setting XrdSecGSICREATEPROXY = 0 avoids those additional steps.
NB2: Forward / backward compatibility is obtained by enabling the cert/pair mechanism only for versions supporting it.