[Gt-eos] TLS 1.3

Frank Scheiner scheiner at hlrs.de
Thu Jun 7 17:24:34 CEST 2018


Hi Mischa, Mattias,

sorry for my late reply.

In short, I didn't want to ignore TLSv1.3, but until we have a 
compatible GSI implementation, a workaround - like the one Mattias 
implemented in no time - would unbreak gct with OpenSSL 1.1.1. And the 
existence of TLSv1.3 doesn't automatically make TLSv1.2 inappropriate.

On 05/25/2018 12:56 PM, Mischa Salle wrote:
>> For now could it not also be possible to link to OpenSSL 1.1.1 and
>> still limit usage of TLS to TLSv1.2?
> I guess (although I couldn't yet figure out with a quick look how)
> that it is possible to compile code against OpenSSL such that it will
> default to TLSv1.2 (or something else) and never try TLSv1.3. On the
> other hand, it would be nice if we could make the globus-gsi code
> TLSv1.3 compliant.

Sure. On the other hand maybe a little extra wait time - until the 
experts have confirmed that TLSv1.3 is free of any deliberately 
integrated flaws - wouldn't be unjustified. Because of Eric Rescorla 
being involved in TLSv1.3. Just search for "Eric Rescorla nsa" for some 
background. And if you understand German, [1] might also be a good start.

[1]: https://blog.fefe.de/?ts=a5f2f969

On 05/25/2018 02:21 PM, Mattias Ellert wrote:
>>> For now could it not also be possible to link to OpenSSL 1.1.1 and still
>>> limit usage of TLS to TLSv1.2?
>>
>> I guess (although I couldn't yet figure out with a quick look how) that
>> it is possible to compile code against OpenSSL such that it will default
>> to TLSv1.2 (or something else) and never try TLSv1.3. On the other hand,
>> it would be nice if we could make the globus-gsi code TLSv1.3 compliant.
> 
> I have created a PR that sets the maximum TLS version to 1.2, which
> allows things to run. But I consider this to be a temporary solution and
> I too would like the code to be fixed to work with TLS 1.3.
> 
> https://github.com/gridcf/gct/pull/44

Great! Thanks for that.

Cheers,
Frank

-- 
Frank Scheiner

High Performance Computing Center Stuttgart (HLRS)
Department Project User Management & Accounting

Email: scheiner at hlrs.de
Phone: +49 711 685 68039
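
The version cap discussed in this thread can be checked without a server by inspecting the ClientHello. The following is an added example, not code from this thread or from GCT: it uses Python's `ssl` module (a wrapper around OpenSSL) as a stand-in for the C API, where the equivalent call is `SSL_CTX_set_max_proto_version()`. The host name and helper names are constructed for illustration.

```python
import ssl

TLS1_2, TLS1_3 = 0x0303, 0x0304
EXT_SUPPORTED_VERSIONS = 0x002B  # carries the real version list in TLS 1.3

def client_hello(max_version=None):
    """Return the first flight (ClientHello record) without any network I/O."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if max_version is not None:
        ctx.maximum_version = max_version  # the version cap under test
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # Constructed host name; nothing is resolved or contacted.
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname="gsi.example.invalid")
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client now waits for a ServerHello
    return outgoing.read()

def offered_versions(record):
    """Parse a ClientHello record and list the protocol versions it offers."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record holding a ClientHello")
    u16 = lambda off: int.from_bytes(record[off:off + 2], "big")
    pos = 5 + 4                    # record header + handshake header
    legacy_version = u16(pos)
    pos += 2 + 32                  # legacy_version + random
    pos += 1 + record[pos]         # session_id
    pos += 2 + u16(pos)            # cipher_suites
    pos += 1 + record[pos]         # compression_methods
    end = pos + 2 + u16(pos)       # end of the extensions block
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = u16(pos), u16(pos + 2)
        if ext_type == EXT_SUPPORTED_VERSIONS:
            count = record[pos + 4]  # length in bytes of the version list
            first = pos + 5
            return [u16(i) for i in range(first, first + count, 2)]
        pos += 4 + ext_len
    return [legacy_version]        # no extension: TLS 1.2 or older only

def offers_tls13(max_version=None):
    return TLS1_3 in offered_versions(client_hello(max_version))

if __name__ == "__main__":
    print("uncapped offers TLS 1.3:", offers_tls13())
    print("capped at 1.2 offers TLS 1.3:", offers_tls13(ssl.TLSVersion.TLSv1_2))
```

A capped client that still lists 0x0304 would mean the limit was set on a different context than the one used for the connection.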
