<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi Dave and Steve,<br>
<br>
We reverted the default TLS version to 1.0 a few months ago due to issues with some legacy services:
<a class="moz-txt-link-freetext" href="https://github.com/gridcf/gct/pull/55">https://github.com/gridcf/gct/pull/55</a><br>
<br>
I believe that you should be able to set "MIN_TLS_PROTOCOL" to "TLS1_2_VERSION" or "MIN_TLS_PROTOCOL=TLS1_1_VERSION_DEPRECATED" in "/etc/grid-security/gsi.conf" to disable TLS 1.0.<br>
<br>
- Brian<br>
<br>
<div class="moz-cite-prefix">On 9/12/19 9:50 AM, Steven C Timm via discuss wrote:<br>
</div>
<blockquote type="cite" cite="mid:DM6PR09MB2618948A13ACD6A06A22C862B2B00@DM6PR09MB2618.namprd09.prod.outlook.com">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
I just filed support.opensciencegrid.org ticket #28033 asking the same question.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
Jim Basney is here at Fermilab today as are a couple of the OSG software people--hopefully we can sort this out.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
Thanks</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
Steve</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> Dave Dykstra
<a class="moz-txt-link-rfc2396E" href="mailto:dwd@fnal.gov">&lt;dwd@fnal.gov&gt;</a><br>
<b>Sent:</b> Thursday, September 12, 2019 9:42 AM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:discuss@gridcf.org">discuss@gridcf.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:discuss@gridcf.org">&lt;discuss@gridcf.org&gt;</a><br>
<b>Cc:</b> Steven C Timm <a class="moz-txt-link-rfc2396E" href="mailto:timm@fnal.gov">&lt;timm@fnal.gov&gt;</a><br>
<b>Subject:</b> disabling TLS 1.0 on myproxy-server</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">Hello all,<br>
<br>
Does the latest version of the gct disable TLS 1.0? I think I have<br>
the latest version of the globus libraries from epel and the latest<br>
myproxy-server, but I still see myproxy-server accepting TLSv1. Is<br>
there some configuration to disable it?<br>
<br>
$ rpm -qa|egrep "(globus|osg)"|sort<br>
globus-callout-4.1-1.el6.x86_64<br>
globus-common-18.2-1.el6.x86_64<br>
globus-gsi-callback-6.1-1.el6.x86_64<br>
globus-gsi-cert-utils-10.2-1.el6.x86_64<br>
globus-gsi-cert-utils-progs-10.2-1.el6.noarch<br>
globus-gsi-credential-8.1-1.el6.x86_64<br>
globus-gsi-openssl-error-4.1-1.el6.x86_64<br>
globus-gsi-proxy-core-9.2-1.el6.x86_64<br>
globus-gsi-proxy-ssl-6.1-1.el6.x86_64<br>
globus-gsi-sysconfig-9.2-1.el6.x86_64<br>
globus-gssapi-gsi-14.10-1.el6.x86_64<br>
globus-gss-assist-12.2-1.el6.x86_64<br>
globus-openssl-module-5.1-1.el6.x86_64<br>
globus-proxy-utils-7.1-1.el6.x86_64<br>
globus-usage-5.0-1.el6.x86_64<br>
globus-xio-6.1-1.el6.x86_64<br>
myproxy-6.2.4-1.1.osg34.el6.x86_64<br>
myproxy-admin-6.2.4-1.1.osg34.el6.x86_64<br>
myproxy-doc-6.2.4-1.1.osg34.el6.noarch<br>
myproxy-libs-6.2.4-1.1.osg34.el6.x86_64<br>
myproxy-server-6.2.4-1.1.osg34.el6.x86_64<br>
osg-ca-certs-1.83-1.osg34.el6.noarch<br>
osg-ca-certs-updater-1.8-1.osg34.el6.noarch<br>
osg-release-3.4-8.osg34.el6.noarch<br>
$ sslscan fermicloud343:7512|grep Accepted<br>
Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA<br>
Accepted TLSv1 256 bits AECDH-AES256-SHA<br>
Accepted TLSv1 256 bits AES256-SHA<br>
Accepted TLSv1 256 bits CAMELLIA256-SHA<br>
Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA<br>
Accepted TLSv1 128 bits AECDH-AES128-SHA<br>
Accepted TLSv1 128 bits AES128-SHA<br>
Accepted TLSv1 128 bits CAMELLIA128-SHA<br>
Accepted TLSv1 112 bits ECDHE-RSA-DES-CBC3-SHA<br>
Accepted TLSv1 112 bits AECDH-DES-CBC3-SHA<br>
Accepted TLSv1 112 bits DES-CBC3-SHA<br>
Accepted TLS11 256 bits ECDHE-RSA-AES256-SHA<br>
Accepted TLS11 256 bits AECDH-AES256-SHA<br>
Accepted TLS11 256 bits AES256-SHA<br>
Accepted TLS11 256 bits CAMELLIA256-SHA<br>
Accepted TLS11 128 bits ECDHE-RSA-AES128-SHA<br>
Accepted TLS11 128 bits AECDH-AES128-SHA<br>
Accepted TLS11 128 bits AES128-SHA<br>
Accepted TLS11 128 bits CAMELLIA128-SHA<br>
Accepted TLS11 112 bits ECDHE-RSA-DES-CBC3-SHA<br>
Accepted TLS11 112 bits AECDH-DES-CBC3-SHA<br>
Accepted TLS11 112 bits DES-CBC3-SHA<br>
Accepted TLS12 256 bits ECDHE-RSA-AES256-GCM-SHA384<br>
Accepted TLS12 256 bits ECDHE-RSA-AES256-SHA384<br>
Accepted TLS12 256 bits ECDHE-RSA-AES256-SHA<br>
Accepted TLS12 256 bits AECDH-AES256-SHA<br>
Accepted TLS12 256 bits AES256-GCM-SHA384<br>
Accepted TLS12 256 bits AES256-SHA256<br>
Accepted TLS12 256 bits AES256-SHA<br>
Accepted TLS12 256 bits CAMELLIA256-SHA<br>
Accepted TLS12 128 bits ECDHE-RSA-AES128-GCM-SHA256<br>
Accepted TLS12 128 bits ECDHE-RSA-AES128-SHA256<br>
Accepted TLS12 128 bits ECDHE-RSA-AES128-SHA<br>
Accepted TLS12 128 bits AECDH-AES128-SHA<br>
Accepted TLS12 128 bits AES128-GCM-SHA256<br>
Accepted TLS12 128 bits AES128-SHA256<br>
Accepted TLS12 128 bits AES128-SHA<br>
Accepted TLS12 128 bits CAMELLIA128-SHA<br>
Accepted TLS12 112 bits ECDHE-RSA-DES-CBC3-SHA<br>
Accepted TLS12 112 bits AECDH-DES-CBC3-SHA<br>
Accepted TLS12 112 bits DES-CBC3-SHA<br>
<br>
Dave<br>
</div>
</span></font></div>
<br>
</blockquote>
<br>
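An added example, not part of the original messages and not GCT or MyProxy code: a shell check that reads "sslscan ... | grep Accepted" output like Dave's and lists the protocol versions still accepted below a chosen minimum, which is one way to confirm that a MIN_TLS_PROTOCOL change took effect. The function names and sample lines are constructed for illustration; the protocol labels are the ones in the output above, and the other spellings are accepted as an assumption.<br>

```shell
#!/bin/sh
# Rank protocol labels. TLSv1/TLS11/TLS12 are the labels in the sslscan output
# quoted in this thread; the other spellings are an assumption.
tls_rank() {
    case "$1" in
        SSLv2) echo 0 ;;
        SSLv3) echo 1 ;;
        TLSv1|TLSv1.0|TLS10) echo 2 ;;
        TLS11|TLSv1.1) echo 3 ;;
        TLS12|TLSv1.2) echo 4 ;;
        TLS13|TLSv1.3) echo 5 ;;
        *) echo -1 ;;
    esac
}

# Read sslscan output on stdin and print "label cipher-count" for every
# accepted protocol below the minimum in $1. Returns 1 if any were found.
# Unknown labels rank -1, so they are reported rather than silently passed.
tls_below_min() {
    min_rank=$(tls_rank "$1")
    [ "$min_rank" -ge 0 ] || { echo "unknown minimum: $1" >&2; return 2; }
    found=$(awk '$1 == "Accepted" { n[$2]++ } END { for (p in n) print p, n[p] }' |
        LC_ALL=C sort |
        while read -r proto count; do
            rank=$(tls_rank "$proto")
            if [ "$rank" -lt "$min_rank" ]; then
                echo "$proto $count"
            fi
        done)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed sample: a few lines in the format of the scan quoted above.
sample_before() {
    printf '%s\n' \
        "Accepted TLSv1 256 bits AES256-SHA" "Accepted TLSv1 128 bits AES128-SHA" \
        "Accepted TLS11 256 bits AES256-SHA" "Accepted TLS11 128 bits AES128-SHA" \
        "Accepted TLS12 256 bits AES256-GCM-SHA384" "Accepted TLS12 128 bits AES128-SHA256"
}

# Constructed sample: what a scan would show once only TLS 1.2 is accepted.
sample_after() {
    printf '%s\n' \
        "Accepted TLS12 256 bits AES256-GCM-SHA384" "Accepted TLS12 128 bits AES128-SHA256"
}

# Real use would be: sslscan host:port | tls_below_min TLS12
sample_before | tls_below_min TLS12 || echo "protocols listed above are below the minimum"
```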
</body>
</html>