Motivation:

When setting the dCache door to use TLS=STRICT, we are currently excluding all xrootd clients prior to version 5.

When doors were not multi-protocol for authentication, this was acceptable, but now that a door can support both GSI and ZTN, it is desirable to allow clients through which do not have the TLS capability, while at the same time enforcing it for ZTN without requiring the xroots URL protocol to be expressed.

This is perfectly acceptable from the standpoint of encryption protection since the xrootd clients which do not support TLS also do not support either ZTN authentication or token authorization.

Modification:

Instead of failing the pre-v5 client when the server has TLS turned on, simply turn off TLS on the server.

When the authentication protocols are loaded during login, do not include ZTN if the server TLS setting is OFF.

Result:

Friendlier behavior towards pre-v5 clients in a multi-protocol door setting.
WILL REQUIRE ANOTHER LIBRARY UPDATE FOR DCACHE.
Target: master
Request: 4.5
Request: 4.4
Request: 4.3
Request: 4.2
Patch: https://rb.dcache.org/r/13939/
Acked-by: Dmitry
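The decision described in the commit message, modelled as an added Python sketch; it is not dCache code. The function name, the lowercase protocol labels, the per-session scope of the TLS downgrade and the refusal when no protocol remains are assumptions of this example.

```python
from dataclasses import dataclass

TLS_CAPABLE_MAJOR = 5  # the page: clients "prior to version 5" lack TLS


@dataclass(frozen=True)
class Session:
    tls: bool          # whether this session is encrypted
    protocols: tuple   # authentication protocols offered at login


class LoginRefused(Exception):
    pass


def negotiate(door_tls, configured, client_major, legacy=False):
    """Model one client's session against a multi-protocol door.

    door_tls:   "STRICT" or "OFF", the two settings the commit names.
    configured: auth protocols on the door, e.g. ("gsi", "ztn")
                (labels constructed for this example).
    legacy:     True models the behaviour before the change.
    """
    if door_tls not in ("STRICT", "OFF"):
        raise ValueError(door_tls)
    tls = door_tls == "STRICT"
    if tls and client_major < TLS_CAPABLE_MAJOR:
        if legacy:
            # Old behaviour: the pre-v5 client is failed outright.
            raise LoginRefused("pre-v5 client cannot do TLS")
        # New behaviour: TLS is turned off (assumed: for this session).
        tls = False
    # ZTN is not loaded when the TLS setting is OFF, so a bearer
    # token is never requested over a cleartext connection.
    offered = tuple(p for p in configured if tls or p != "ztn")
    if not offered:
        # Assumption of this sketch: a door left with no protocol
        # refuses the login rather than admitting the client.
        raise LoginRefused("no usable authentication protocol")
    return Session(tls=tls, protocols=offered)
```

The property to check in review is that no combination of inputs yields a session with `tls=False` and `"ztn"` among the offered protocols.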