[Gt-eos] Fwd: New globus-gssapi-gsi version default to TLSv1.2

Mattias Ellert mattias.ellert at physics.uu.se
Sat Sep 22 07:53:32 CEST 2018


I have applied the proposed patch in the pending update in Fedora.

Meanwhile, some new information from the GGUS ticket:

On the GGUS ticket the admin on the site says they are using
globus-gssapi-gsi 11.22-1. This version is quite old (September 2015).

In versions before 11.26 (January 2016) there was a bug that meant that
using the FORCE_TLS option meant forcing TLS 1.0, i.e. it also disabled
TLS 1.1 and 1.2, and not only SSLv3.

Starting from version 12.15 (April 2017) support for SSLv3 was dropped,
and only TLS allowed.

How common is it for sites to have globus-gssapi-gsi versions before
11.26 installed and also setting the FORCE_TLS option in gsi.conf?

	Mattias

fre 2018-09-21 klockan 20:20 +0000 skrev Maarten Litmaath:
> Hi Mattias,
> that looks great, thanks very much!  I do not have the rights to approve it...
> 
> ________________________________________
> From: Mattias Ellert [mattias.ellert at physics.uu.se]
> Sent: 21 September 2018 22:04
> To: Maarten Litmaath; Mischa Sallé; End of Support of Globus Toolkit
> Cc: Paul Millar; wlcg-middleware-officer (Group of people with WLCG MW Officer function)
> Subject: Re: [Gt-eos] Fwd: New globus-gssapi-gsi version default to TLSv1.2
> 
> fre 2018-09-21 klockan 18:47 +0200 skrev Maarten Litmaath:
> > Hi Mattias, all,
> > 
> > > There are two different changes here.
> > > 
> > > The first change was a patch I created when building globus-gssapi-gsi
> > > version 13.8-3. This patch sets the maximum TLS version used by the
> > > Globus GSSAPI GSI to 1.2 in order to avoid TLS 1.3. This was done
> > > because GSI does not work with TLS 1.3 (available in openssl 1.1.1).
> > > 
> > > I submitted this patch the Globus upstream.
> > > 
> > > When this patch was accepted upstream, upstream decided to make
> > > additional changes. One of these changes was to change the default
> > > minimum TLS version from 1.0 to 1.2. This change was part of the
> > > changes in version 13.9, and first appeared in the 13.10-1 version of
> > > the package.
> > > 
> > > TLS 1.0 and 1.1 are deprecated and their use is discouraged.
> > 
> > Sure, but there is no panic about their continued use at this time.
> > 
> > > It is possible to change the minimum allowed TLS version to 1.0 or 1.1
> > > in /etc/grid-security/gsi.conf or by using environment variables.
> > 
> > Neither option is viable for WLCG: the default config has to work.
> 
> I have created:
> 
> https://github.com/gridcf/gct/pull/55
> 
> Please provide feedback.
> 
>         Mattias
> 

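As an added illustration (not part of this thread and not Globus or GCT code), the following Python model shows why the combination Mattias asks about breaks: each side of a handshake has a minimum and maximum allowed protocol version, and the connection settles on the highest version inside both ranges, or fails when the ranges do not overlap. The profiles are assumptions built only from the version behaviour described above (a pre-11.26 site with FORCE_TLS allowing TLS 1.0 only; the 13.10-1 client defaulting to a 1.2 minimum with the 1.2 cap; the same client with the minimum lowered via gsi.conf or the environment); the profile names are made up for the example.

```python
import ssl

TLS = ssl.TLSVersion  # IntEnum: TLSv1 < TLSv1_1 < TLSv1_2 < TLSv1_3


def negotiate(client_range, server_range):
    """Return the TLS version a handshake would settle on, or None when the
    client's and server's allowed ranges do not overlap (handshake fails).

    Both ends take the highest version that both allow, which is how the
    OpenSSL min/max protocol version settings interact across a connection."""
    client_min, client_max = client_range
    server_min, server_max = server_range
    low = max(client_min, server_min)
    high = min(client_max, server_max)
    if low > high:
        return None
    return TLS(high)


# Constructed profiles derived from the thread's description of the package
# versions. These are assumptions about behaviour for illustration, not
# values read from Globus code or configuration.
PROFILES = {
    # globus-gssapi-gsi before 11.26 with FORCE_TLS: the bug forced TLS 1.0
    "site_pre_11.26_force_tls": (TLS.TLSv1, TLS.TLSv1),
    # 11.26 and later with FORCE_TLS: SSLv3 off, TLS 1.0 through 1.2 allowed
    "site_11.26_force_tls": (TLS.TLSv1, TLS.TLSv1_2),
    # client with the 13.8-3 patch only: TLS 1.3 capped, minimum still 1.0
    "client_13.8-3": (TLS.TLSv1, TLS.TLSv1_2),
    # client package 13.10-1 default: minimum raised to 1.2, maximum 1.2
    "client_13.10-1": (TLS.TLSv1_2, TLS.TLSv1_2),
    # 13.10-1 with the minimum lowered back to 1.0 in gsi.conf / environment
    "client_13.10-1_min_tls1.0": (TLS.TLSv1, TLS.TLSv1_2),
}


def matrix():
    """Negotiation outcome for every client/site pair in PROFILES, keyed by
    (client name, site name); the value is the version name or None."""
    results = {}
    for cname, crange in PROFILES.items():
        if not cname.startswith("client"):
            continue
        for sname, srange in PROFILES.items():
            if not sname.startswith("site"):
                continue
            version = negotiate(crange, srange)
            results[(cname, sname)] = None if version is None else version.name
    return results


if __name__ == "__main__":
    for (client, site), outcome in matrix().items():
        print(f"{client:28} -> {site:28}: {outcome or 'handshake fails'}")
```

The pair the ticket describes (13.10-1 client, pre-11.26 site with FORCE_TLS) is the only one in the matrix with no overlap; a site at 11.26 or later still reaches TLS 1.2 even with FORCE_TLS set, and lowering the client minimum to 1.0 restores a TLS 1.0 connection to the old site at the cost of re-enabling the deprecated versions.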