[Gt-eos] Fwd: New globus-gssapi-gsi version default to TLSv1.2

Mattias Ellert mattias.ellert at physics.uu.se
Fri Sep 21 18:41:23 CEST 2018


Hi!

There are two different changes here.

The first change was a patch I created when building globus-gssapi-gsi
version 13.8-3. This patch sets the maximum TLS version used by the
Globus GSSAPI GSI to 1.2 in order to avoid TLS 1.3. This was done
because GSI does not work with TLS 1.3 (available in openssl 1.1.1).

I submitted this patch to the Globus upstream.

When this patch was accepted upstream, upstream decided to make
additional changes. One of these changes was to change the default
minimum TLS version from 1.0 to 1.2. This change was part of the
changes in version 13.9, and first appeared in the 13.10-1 version of
the package.

TLS 1.0 and 1.1 are deprecated and their use is discouraged.

It is possible to change the minimum allowed TLS version to 1.0 or 1.1
in /etc/grid-security/gsi.conf or by using environment variables.

Using even older SSLv3 is not possible - and has not been possible
since version 12.15 (April 2017).

	Mattias

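The thread above describes two bounds on the TLS version used by globus-gssapi-gsi: a maximum of 1.2 (because GSI does not work with TLS 1.3) and, from 13.10-1, a default minimum of 1.2 that can be lowered in /etc/grid-security/gsi.conf or via environment variables. The following audit script is an added example, not code from Mattias or from the Globus project: it reads a gsi.conf fragment plus the environment, resolves the effective bounds, and flags hosts that have opted back into deprecated versions or raised the maximum to 1.3. The key names, environment variable names and value spellings are assumptions; check them against the gsi.conf shipped with your package.

```python
"""Audit the effective TLS version bounds configured for globus-gssapi-gsi."""
import os

# ASSUMED names (verify against your package's /etc/grid-security/gsi.conf):
# file keys MIN_TLS_PROTOCOL / MAX_TLS_PROTOCOL, environment overrides
# GLOBUS_GSSAPI_MIN_TLS_PROTOCOL / GLOBUS_GSSAPI_MAX_TLS_PROTOCOL.
VERSION_ORDER = {
    "TLS1_VERSION_DEPRECATED": (1, 0),
    "TLS1_1_VERSION_DEPRECATED": (1, 1),
    "TLS1_2_VERSION": (1, 2),
    "TLS1_3_VERSION": (1, 3),
}
# Defaults as described in the thread: minimum 1.2 from 13.9/13.10-1,
# maximum 1.2 from the 13.8-3 patch that avoids TLS 1.3.
DEFAULTS = {"MIN_TLS_PROTOCOL": "TLS1_2_VERSION", "MAX_TLS_PROTOCOL": "TLS1_2_VERSION"}
ENV_NAMES = {"MIN_TLS_PROTOCOL": "GLOBUS_GSSAPI_MIN_TLS_PROTOCOL",
             "MAX_TLS_PROTOCOL": "GLOBUS_GSSAPI_MAX_TLS_PROTOCOL"}

def parse_gsi_conf(text):
    """Parse KEY=VALUE lines; '#' comments and blank lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def effective_bounds(conf_text, env):
    """Return (min_name, max_name): environment overrides file, file overrides defaults."""
    settings = parse_gsi_conf(conf_text)
    chosen = {}
    for key, default in DEFAULTS.items():
        value = env.get(ENV_NAMES[key]) or settings.get(key) or default
        if value not in VERSION_ORDER:
            raise ValueError(f"unknown value for {key}: {value!r}")
        chosen[key] = value
    return chosen["MIN_TLS_PROTOCOL"], chosen["MAX_TLS_PROTOCOL"]

def audit(conf_text, env):
    """Return a list of findings; an empty list means the 13.10 default posture is intact."""
    min_v, max_v = effective_bounds(conf_text, env)
    findings = []
    if VERSION_ORDER[min_v] < (1, 2):
        findings.append(f"minimum lowered to deprecated {min_v}")
    if VERSION_ORDER[max_v] >= (1, 3):
        findings.append(f"maximum {max_v} allows TLS 1.3, which GSI does not support")
    if VERSION_ORDER[max_v] < VERSION_ORDER[min_v]:
        findings.append(f"maximum {max_v} is below minimum {min_v}: no handshake can succeed")
    return findings

if __name__ == "__main__":
    with open("/etc/grid-security/gsi.conf") as fh:
        for line in audit(fh.read(), os.environ) or ["OK: TLS bounds at 1.2"]:
            print(line)
```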
Fri 2018-09-21 at 16:32 +0200, Mischa Salle wrote:
> Hi all,
> 
> I'm a bit confused about this. AFAIK Mattias Ellert has set the
> *maximum* TLS version to 1.2 since it fails with the new TLS 1.3
> which has been introduced with OpenSSL 1.1.1. But that should not
> normally set the *default* version to 1.2? Not entirely sure whether
> this is the same issue.
> I'm including him directly in CC to attract attention...
> 
>     Cheers,
>     Mischa
> 
> On Fri, Sep 21, 2018 at 04:04:55PM +0200, andrea wrote:
> > Hi Paul
> > 
> > 
> > Il 21.09.18 15:58, Maarten Litmaath ha scritto:
> > > CC FTS manager Andrea...
> > > 
> > > On 09/21/18 15:41, Paul Millar wrote:
> > > > On 21/09/18 15:33, Maarten Litmaath wrote:
> > > > > Hi all,
> > > > > do you have comments on this matter?
> > > > 
> > > > Is the "pilot" FTS instance finding SRM storage sites that are not
> > > > supporting TLS v1.2 because the version of globus-gssapi-gsi was
> > > > updated on that (those) machine(s)?
> > 
> > Yes, the new package coming from EPEL-testing was installed on 2 of our FTS
> > pilot nodes.
> > > > 
> > > > Does this problem affect only FTS, or are clients installed on the
> > > > WN also affected?
> > 
> > Anyone using gfal + srm/gridftp will be affected (if the server is not
> > configured with tls 1.2).
> > > > 
> > > > Has anyone tested a machine with this against any dCache instances?
> > 
> > I just tried INP3 and it looks ok.
> > 
> > cheers
> > Andrea
> > 
> > > > 
> > > > For me, the last question is the most pressing.
> > > > 
> > > > If the answer is "no" then how can we change this, so dCache
> > > > instances are being tested?
> > > > 
> > > > Cheers,
> > > > 
> > > > Paul.
> > 
> 
> 
