[Gt-eos] Fwd: New globus-gssapi-gsi version default to TLSv1.2
Mattias Ellert
mattias.ellert at physics.uu.se
Fri Sep 21 22:04:19 CEST 2018
fre 2018-09-21 klockan 18:47 +0200 skrev Maarten Litmaath:
> Hi Mattias, all,
>
> > There are two different changes here.
> >
> > The first change was a patch I created when building globus-gssapi-gsi
> > version 13.8-3. This patch sets the maximum TLS version used by the
> > Globus GSSAPI GSI to 1.2 in order to avoid TLS 1.3. This was done
> > because GSI does not work with TLS 1.3 (available in openssl 1.1.1).
> >
> > I submitted this patch the Globus upstream.
> >
> > When this patch was accepted upstream, upstream decided to make
> > additional changes. One of these changes was to change the default
> > minimum TLS version from 1.0 to 1.2. This change was part of the
> > changes in version 13.9, and first appeared in the 13.10-1 version of
> > the package.
> >
> > TLS 1.0 and 1.1 are deprecated and their use is discouraged.
>
> Sure, but there is no panic about their continued use at this time.
>
> > It is possible to change the minimum allowed TLS version to 1.0 or 1.1
> > in /etc/grid-security/gsi.conf or by using environment variables.
>
> Neither option is viable for WLCG: the default config has to work.
I have created:
https://github.com/gridcf/gct/pull/55
Please provide feedback.
Mattias
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5032 bytes
Desc: not available
URL: <http://mailman.egi.eu/pipermail/discuss/attachments/20180921/2961e9f7/attachment.p7s>
More information about the discuss
mailing list