Missing CRL verification while establishing HTTP connections

• CRL validation is mandatory in the EGI/WLCG infrastructure
• Only dCache and StoRM correctly deals with CRLs for HTTP-TPC
• Davix / gfal2 no CRL support for HTTP DMC-1235
• DPM HTTP-TPC LCGDM-2959
• Dynafed rely on gfal2 with no CRL support
• XRootD HTTP-TPC xroot#1383 (also used by EOS)
• FTS no CRL support(?)
  • started with XrdSecGSICRLCHECK=0 environment
  • rely on gfal2 with no CRL support for HTTP
• To be checked - Echo
• Brian mentioned CRLs are obsolete and only grid still rely on this revocation mechanism
  • OCSP Stapling - necessary to modify clients
  • Create additional tickets and require OCSP Stapling support?
    • No, GDB is right forum to discuss CRL -> OCSP Stapling

New issues

• XRootD & EOS on CentOS7 don't terminate stuck HTTP-TPC transfers root#1303
  • CentOS7 provide too old libcurl 7.29 (speed limit option)
  • Terminated only by FTS after reaching total transfer timeout (can be hours)
  • FTS has limit for active transfers (per site and per link)
  • GridFTP in gfal2/FTS can be configured with GRIDFTP PLUGIN:PERF_MARKER_TIMEOUT
  • We need something similar for in gfal for HTTP-TPC DMC-1236
• BNL dCache HTTP-TPC push sometimes fails with
  • Failed to select pool: java.lang.IllegalStateException: Replica exists with state: REMOVED
  • Failed to select pool: java.lang.IllegalStateException: Replica exists with state: CACHED
• DPM use client IP in security token while redirecting from headnode to disknode LCGDM-2961
  • Transfers fails if connection to headnode is IPv6 (IPv4) and IPv4 (IPv6) after redirection
  • Client usually use same IP version, but curl supports happy-eyeball since 7.59.0 available in CentOS8
• HTTP-TPC transfers from UNIBE-LHEP to some dCache sites fails GGUS:150314
  • dCache 5.x - failure: java.lang.NullPointerException
  • dCache 6.x - failure: javax.net.ssl.SSLException
  • It is difficult to understand what is going on just from exception class name
  • Occurs probably since Swiss intermediate CA update(?)
    • Is server certificate considered OK if it is valid before (intermediate) CA validity, e.g.
      • QuoVadis Grid ICA G2 - valid Sep 22 2020 ... May 23 2026
      • dpmdisk01.cscs.ch - valid Aug 27 2020 ... Aug 27 2021
• HTTP-TPC transfer from UNIBE-LHEP to one INFN-T1 StoRM endpoint fails
  • ds-102-10-20.cr.cnaf.infn.it - transfer succeeds
  • ds-102-11-20.cr.cnaf.infn.it - transfer fails
    • failure: SSLHandshakeException while fetching https://dpm.lhep.unibe.ch:443/dpm/lhep.unibe.ch/home/atlas/atlasscratchdisk/SAM/test_unibe_dcache.src: java.lang.NullPointerException

Old issues

• INFN-T1 StoRM upload performance GGUS:150181
  • 1GB files with 250 connections transfer test from EOS to INFN-T1 with SRM ~ 62Gb/s
  • 1GB files with 250 connections transfer test from EOS to INFN-T1 with WebDAV ~ 12Gb/s
  • Transfer time plot for SRM+gsiftp vs. WebDAV