[Gt-eos] Fwd: New globus-gssapi-gsi version default to TLSv1.2

Maarten Litmaath Maarten.Litmaath at cern.ch
Fri Sep 21 22:20:56 CEST 2018


Hi Mattias,
that looks great, thanks very much!  I do not have the rights to approve it...

________________________________________
From: Mattias Ellert [mattias.ellert at physics.uu.se]
Sent: 21 September 2018 22:04
To: Maarten Litmaath; Mischa Sallé; End of Support of Globus Toolkit
Cc: Paul Millar; wlcg-middleware-officer (Group of people with WLCG MW Officer function)
Subject: Re: [Gt-eos] Fwd: New globus-gssapi-gsi version default to TLSv1.2

On Fri 2018-09-21 at 18:47 +0200, Maarten Litmaath wrote:
> Hi Mattias, all,
>
> > There are two different changes here.
> >
> > The first change was a patch I created when building globus-gssapi-gsi
> > version 13.8-3. This patch sets the maximum TLS version used by the
> > Globus GSSAPI GSI to 1.2 in order to avoid TLS 1.3. This was done
> > because GSI does not work with TLS 1.3 (available in openssl 1.1.1).
> >
> > I submitted this patch to the Globus upstream.
> >
> > When this patch was accepted upstream, upstream decided to make
> > additional changes. One of these changes was to change the default
> > minimum TLS version from 1.0 to 1.2. This change was part of the
> > changes in version 13.9, and first appeared in the 13.10-1 version of
> > the package.
> >
> > TLS 1.0 and 1.1 are deprecated and their use is discouraged.
>
> Sure, but there is no panic about their continued use at this time.
>
> > It is possible to change the minimum allowed TLS version to 1.0 or 1.1
> > in /etc/grid-security/gsi.conf or by using environment variables.
>
> Neither option is viable for WLCG: the default config has to work.

I have created:

https://github.com/gridcf/gct/pull/55

Please provide feedback.

        Mattias




