From 04f041ec9f2b9654d4f9df09d385b5b26a5c68e6 Mon Sep 17 00:00:00 2001
From: Guilherme Amadio
Date: Tue, 13 Jun 2023 15:49:36 +0200
Subject: [PATCH 1/2] [XrdCl] Do not enforce TLS when --notlsok option is used
---
 src/XrdCl/XrdClXRootDTransport.cc | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/src/XrdCl/XrdClXRootDTransport.cc b/src/XrdCl/XrdClXRootDTransport.cc
index f869327aa33..2fcaeb923db 100644
--- a/src/XrdCl/XrdClXRootDTransport.cc
+++ b/src/XrdCl/XrdClXRootDTransport.cc
@@ -1758,6 +1758,13 @@ namespace XrdCl
 XRootDChannelInfo *info = 0;
 channelData.Get( info );
+ XrdCl::Env *env = XrdCl::DefaultEnv::GetEnv();
+ int notlsok = DefaultNoTlsOK;
+ env->GetInt( "NoTlsOK", notlsok );
+
+ if( notlsok )
+ return info->encrypted;
+
 // Did the server instructed us to switch to TLS right away?
 if( info->serverFlags & kXR_gotoTLS )
 {
@@ -1894,8 +1901,10 @@ namespace XrdCl
 request->requestid = htons(kXR_protocol);
 request->clientpv = htonl(kXR_PROTOCOLVERSION);
 request->flags = ClientProtocolRequest::kXR_secreqs |
- ClientProtocolRequest::kXR_bifreqs |
- ClientProtocolRequest::kXR_ableTLS;
+ ClientProtocolRequest::kXR_bifreqs;
+
+ if (info->encrypted)
+ request->flags |= ClientProtocolRequest::kXR_ableTLS;
 bool nodata = false;
 if( expect & ClientProtocolRequest::kXR_ExpBind )
From 7d639f1e161ed3939e1c1363a8ceadd0c8df30ad Mon Sep 17 00:00:00 2001
From: Guilherme Amadio
Date: Tue, 13 Jun 2023 15:52:34 +0200
Subject: [PATCH 2/2] [XrdClTls] Improve error message on TLS context initialization failure
---
 src/XrdCl/XrdClTls.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/XrdCl/XrdClTls.cc b/src/XrdCl/XrdClTls.cc
index 115ee0a4d7d..3b66ff9f334 100644
--- a/src/XrdCl/XrdClTls.cc
+++ b/src/XrdCl/XrdClTls.cc
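Review bot: The early `return info->encrypted;` added at the top of this function runs before the `kXR_gotoTLS` test, so with NoTlsOK set the server's request to switch to TLS is ignored, along with any later server-flag checks, which lie outside the hunk. That is stronger than tolerating a server that cannot do TLS: the session stays in cleartext even when the server is able to encrypt and asks for it, and nothing in the added lines records that. I would put a comment above the branch, e.g. `// NoTlsOK: server TLS requirements are deliberately ignored; only the client's own choice (info->encrypted) applies`, and emit a warning through the client log whenever a server flag such as `kXR_gotoTLS` is set but skipped, so the downgrade is visible to the operator. The enclosing function starts and ends outside the hunk.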
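Review bot: `kXR_ableTLS` is now advertised only when `info->encrypted` is already set, and that condition does not look at NoTlsOK, so it appears to change the protocol request for every client rather than only for those that opted out. A server that upgrades TLS-capable clients would then presumably treat an ordinary unencrypted connection as not TLS-capable, which can switch off opportunistic encryption by default; whether it then rejects the client or proceeds in cleartext is not visible here. Gating the flag on the option keeps the previous behaviour unless the user asked for the opt-out, as sketched below. The new `if (info->encrypted)` also departs from the `if( … )` spacing of the surrounding lines, and the enclosing function continues outside the hunk.

```cpp
// … unchanged: requestid, clientpv and the kXR_secreqs | kXR_bifreqs flags …

XrdCl::Env *env = XrdCl::DefaultEnv::GetEnv();
int notlsok = DefaultNoTlsOK;
env->GetInt( "NoTlsOK", notlsok );

// Advertise TLS capability unless the user explicitly opted out with NoTlsOK
if( info->encrypted || !notlsok )
  request->flags |= ClientProtocolRequest::kXR_ableTLS;
```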
@@ -112,7 +112,7 @@ namespace XrdCl
 //----------------------------------------------------------------------
 // we only need one instance of TLS
 //----------------------------------------------------------------------
- std::string emsg;
+ std::string emsg = "Failed to initialize TLS context";
 static XrdTlsContext tlsContext( 0, 0, GetCaDir(), 0, 0, &emsg );
 //----------------------------------------------------------------------
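Review bot: `emsg` is an ordinary local while `tlsContext` is a function-local static, so the constructor that receives `&emsg` runs only on the first call and any detail it writes is gone on later calls. With this default, later callers would get only the generic text and the original reason for the failure is lost; whether the constructor overwrites or appends to the string is not visible here, so the first-call message may also end up concatenated with the default. If the code after the hunk reports `emsg` when the context is invalid, consider `static std::string emsg = "Failed to initialize TLS context";` so the first failure reason is kept for every caller. The enclosing function starts and ends outside the hunk.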