Fix CRL verification bug #461
Conversation
|
Thanks for reporting. |
|
I am not quite sure what the server configuration is, I debugged this from the client side. The file that I found which I had access to and that triggered the problem was: The same file has replicas at other servers and those where not affected. If I used --debug 3 option to xrdcp I found this for the server that did not work: [2017-02-10 17:32:27.470539 +0100][Debug ][XRootDTransport ] [fax.mwt2.org:1094 #0.0] kXR_protocol successful (type: manager [], protocol version 289) Whereas a server where the download worked says: [2017-02-10 17:36:49.514501 +0100][Debug ][XRootDTransport ] [sedoor1.bfg.uni-freiburg.de:1094 #0.0] kXR_protocol successful (type: server [], protocol version 310) So the servers report different protocol versions (289 vs. 310) and the format for the ca option is different - the older server reports the only the md5 hash while the newer version reports both md5 and sha1, but more importantly the older version reports the hash only, while the newer version appends ".0" to the hashes (ca:d690e530 vs. ca:7ecb2657.0|dd4b34ea.0). |
|
Ok, I see. That seems a really old server version, before 2011 at least. |
Make sure that for comparison a final ".0" is present. See PR #461 .
Make sure that for comparison a final ".0" is present. See PR #461 .
Hi!
After uploading xrootd 4.6.0 to Fedora and EPEL I got some feedback that authentication failed with many sites, see:
https://bodhi.fedoraproject.org/updates/FEDORA-2017-0eca8dbb12
I could reproduce the problem, and this is my proposed fix.
This issue was not caused by the changes to support openssl 1.1.0, but was introduced with the improvements to the CRL handling that was part of the 4.6.0 release.