[Gt-eos] Fwd: New globus-gssapi-gsi version default to TLSv1.2
Maarten Litmaath
Maarten.Litmaath at cern.ch
Fri Sep 21 18:47:49 CEST 2018
Hi Mattias, all,
> There are two different changes here.
>
> The first change was a patch I created when building globus-gssapi-gsi
> version 13.8-3. This patch sets the maximum TLS version used by the
> Globus GSSAPI GSI to 1.2 in order to avoid TLS 1.3. This was done
> because GSI does not work with TLS 1.3 (available in openssl 1.1.1).
>
> I submitted this patch to the Globus upstream.
>
> When this patch was accepted upstream, upstream decided to make
> additional changes. One of these changes was to change the default
> minimum TLS version from 1.0 to 1.2. This change was part of the
> changes in version 13.9, and first appeared in the 13.10-1 version of
> the package.
>
> TLS 1.0 and 1.1 are deprecated and their use is discouraged.
Sure, but there is no panic about their continued use at this time.
> It is possible to change the minimum allowed TLS version to 1.0 or 1.1
> in /etc/grid-security/gsi.conf or by using environment variables.
Neither option is viable for WLCG: the default config has to work.