[Gt-eos] Fwd: New globus-gssapi-gsi version default to TLSv1.2

Maarten Litmaath Maarten.Litmaath at cern.ch
Sat Sep 22 15:27:37 CEST 2018


Hi all,
we found a few instances using very old versions of globus-gssapi-gsi:
those cases just need to upgrade like all the other ones did. However,
our main worry is about instances of the BeStMan SRM, in particular on
the EOS services at CERN: that code is implemented in Java + Jetty +
JGlobus and so far we did not manage to make it accept TLS v1.2.  :-(

________________________________________
From: Mattias Ellert [mattias.ellert at physics.uu.se]
Sent: 22 September 2018 07:53
To: Maarten Litmaath; Mischa Sallé; End of Support of Globus Toolkit
Cc: Paul Millar; wlcg-middleware-officer (Group of people with WLCG MW Officer function)
Subject: Re: [Gt-eos] Fwd: New globus-gssapi-gsi version default to TLSv1.2

I have applied the proposed patch in the pending update in Fedora.

Meanwhile, some new information from the GGUS ticket:

On the GGUS ticket the admin on the site says they are using
globus-gssapi-gsi 11.22-1. This version is quite old (September 2015).

In versions before 11.26 (January 2016) there was a bug that meant that
using the FORCE_TLS option meant forcing TLS 1.0, i.e. it also disabled
TLS 1.1 and 1.2, and not only SSLv3.

Starting from version 12.15 (April 2017) support for SSLv3 was dropped,
and only TLS allowed.

How common is it for sites to have globus-gssapi-gsi versions before
11.26 installed and also setting the FORCE_TLS option in gsi.conf?

        Mattias

fre 2018-09-21 klockan 20:20 +0000 skrev Maarten Litmaath:
> Hi Mattias,
> that looks great, thanks very much!  I do not have the rights to approve it...
>
> ________________________________________
> From: Mattias Ellert [mattias.ellert at physics.uu.se]
> Sent: 21 September 2018 22:04
> To: Maarten Litmaath; Mischa Sallé; End of Support of Globus Toolkit
> Cc: Paul Millar; wlcg-middleware-officer (Group of people with WLCG MW Officer function)
> Subject: Re: [Gt-eos] Fwd: New globus-gssapi-gsi version default to TLSv1.2
>
> fre 2018-09-21 klockan 18:47 +0200 skrev Maarten Litmaath:
> > Hi Mattias, all,
> >
> > > There are two different changes here.
> > >
> > > The first change was a patch I created when building globus-gssapi-gsi
> > > version 13.8-3. This patch sets the maximum TLS version used by the
> > > Globus GSSAPI GSI to 1.2 in order to avoid TLS 1.3. This was done
> > > because GSI does not work with TLS 1.3 (available in openssl 1.1.1).
> > >
> > > I submitted this patch to the Globus upstream.
> > >
> > > When this patch was accepted upstream, upstream decided to make
> > > additional changes. One of these changes was to change the default
> > > minimum TLS version from 1.0 to 1.2. This change was part of the
> > > changes in version 13.9, and first appeared in the 13.10-1 version of
> > > the package.
> > >
> > > TLS 1.0 and 1.1 are deprecated and their use is discouraged.
> >
> > Sure, but there is no panic about their continued use at this time.
> >
> > > It is possible to change the minimum allowed TLS version to 1.0 or 1.1
> > > in /etc/grid-security/gsi.conf or by using environment variables.
> >
> > Neither option is viable for WLCG: the default config has to work.
>
> I have created:
>
> https://github.com/gridcf/gct/pull/55
>
> Please provide feedback.
>
>         Mattias
>
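The thread's reasoning about which installations can still talk to each other (a pre-11.26 client with FORCE_TLS pinned to TLS 1.0, a 13.10-1 install whose default minimum is TLS 1.2) can be written down as a small compatibility check. The following is an added example written for this page; it is not code from the thread or from the Globus/GCT project. It only encodes the version thresholds the messages above state. The gsi.conf key name MIN_TLS_PROTOCOL and its values are assumptions (the thread says the minimum can be changed in gsi.conf but does not name the key), as is treating the maximum of older builds as TLS 1.2.

```python
"""Estimate the TLS version range a globus-gssapi-gsi install will accept,
using the version thresholds stated in the mailing-list thread, and check
whether two such installs have any protocol version in common.
Added example; not part of the thread or of the Globus/GCT code base."""
import re

# Protocol order used for range arithmetic (lowest to highest)
ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]

# Thresholds as stated in the thread (major, minor of the package version)
FORCE_TLS_FIX = (11, 26)      # before 11.26, FORCE_TLS pinned TLS 1.0 only
SSLV3_DROPPED = (12, 15)      # from 12.15 only TLS is allowed
MIN_TLS12_DEFAULT = (13, 10)  # from 13.10-1 the default minimum is TLS 1.2

# ASSUMPTION: key name and values for the gsi.conf minimum-version override.
# The thread only says the minimum can be changed in gsi.conf.
MIN_KEY = "MIN_TLS_PROTOCOL"
PROTO_VALUES = {"SSL3_VERSION": "SSLv3", "TLS1_VERSION": "TLSv1.0",
                "TLS1_1_VERSION": "TLSv1.1", "TLS1_2_VERSION": "TLSv1.2"}


def parse_version(text):
    """'11.22-1' -> (11, 22); the packaging release suffix is ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def parse_gsi_conf(text):
    """Parse KEY=value lines; '#' starts a comment, blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip().upper()] = value.strip().strip('"')
    return conf


def effective_range(version, conf):
    """Return (lowest, highest) protocol version the install will accept."""
    force_tls = conf.get("FORCE_TLS", "").lower() in ("true", "yes", "1")
    # The pre-11.26 bug: FORCE_TLS disables everything except TLS 1.0.
    if force_tls and version < FORCE_TLS_FIX:
        return ("TLSv1.0", "TLSv1.0")
    # Default floor by version.
    if version >= MIN_TLS12_DEFAULT:
        low = "TLSv1.2"
    elif version >= SSLV3_DROPPED or force_tls:
        low = "TLSv1.0"
    else:
        low = "SSLv3"
    # Explicit override in gsi.conf (assumed key name, see above).
    if MIN_KEY in conf:
        low = PROTO_VALUES[conf[MIN_KEY]]
    # Ceiling: 13.8-3 caps the maximum at TLS 1.2 to avoid TLS 1.3;
    # ASSUMPTION: older builds against older libssl also top out at 1.2.
    return (low, "TLSv1.2")


def can_negotiate(range_a, range_b):
    """True if the two ranges overlap, i.e. a handshake can pick a version."""
    low = max(ORDER.index(range_a[0]), ORDER.index(range_b[0]))
    high = min(ORDER.index(range_a[1]), ORDER.index(range_b[1]))
    return low <= high


# Constructed sample gsi.conf mirroring the GGUS case in the thread.
SITE_CONF = """# constructed sample, not a real site's file
FORCE_TLS=true
"""
NEW_CONF = ""  # constructed: a 13.10-1 install with stock defaults

if __name__ == "__main__":
    old_site = effective_range(parse_version("11.22-1"), parse_gsi_conf(SITE_CONF))
    new_peer = effective_range(parse_version("13.10-1"), parse_gsi_conf(NEW_CONF))
    print("old site :", old_site)                       # ('TLSv1.0', 'TLSv1.0')
    print("new peer :", new_peer)                       # ('TLSv1.2', 'TLSv1.2')
    print("handshake:", can_negotiate(old_site, new_peer))  # False
    upgraded = effective_range(parse_version("13.10-1"), parse_gsi_conf(SITE_CONF))
    print("after upgrade:", can_negotiate(upgraded, new_peer))  # True
```

The check reproduces the failure reported in the GGUS ticket: an 11.22-1 client with FORCE_TLS set is limited to TLS 1.0, a 13.10-1 peer starts at TLS 1.2, and the ranges do not overlap. Upgrading the client removes the FORCE_TLS pinning and restores a common version; lowering the peer's minimum in gsi.conf would also do it, but as Maarten notes that is not an option where the default configuration has to work.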