[Gt-eos] New globus-gssapi-gsi version default to TLSv1.2

Brian Bockelman bbockelm at cse.unl.edu
Tue Sep 25 15:32:02 CEST 2018


Hi Maarten,

As a follow-up:

I've contacted all the OSG sites that Andrea pointed out as still running bestman2.  They are all acutely aware that they need to retire the service.  All three are working on the subject and, I suspect, will have retired them in a month or two.

For CERN's instance - please contact FNAL.  I think they may have some custom patches that enable TLS v1.2 in order to pass the DOE scans.  I don't have the technical details, but I believe Burt Holzman might.

Brian

> On Sep 22, 2018, at 9:27 AM, Maarten Litmaath <Maarten.Litmaath at cern.ch> wrote:
> 
> Hi all,
> we found a few instances using very old versions of globus-gssapi-gsi:
> those cases just need to upgrade like all the other ones did. However,
> our main worry is about instances of the BeStMan SRM, in particular on
> the EOS services at CERN: that code is implemented in Java + Jetty +
> JGlobus and so far we did not manage to make it accept TLS v1.2.  :-(
> 
> ________________________________________
> From: Mattias Ellert [mattias.ellert at physics.uu.se]
> Sent: 22 September 2018 07:53
> To: Maarten Litmaath; Mischa Sallé; End of Support of Globus Toolkit
> Cc: Paul Millar; wlcg-middleware-officer (Group of people with WLCG MW Officer function)
> Subject: Re: [Gt-eos] Fwd: New globus-gssapi-gsi version default to TLSv1.2
> 
> I have applied the proposed patch in the pending update in Fedora.
> 
> Meanwhile, some new information from the GGUS ticket:
> 
> On the GGUS ticket the admin on the site says they are using globus-
> gssapi-gsi 11.22-1. This version is quite old (September 2015).
> 
> In versions before 11.26 (January 2016) there was a bug that meant that
> using the FORCE_TLS option meant forcing TLS 1.0, i.e. it also disabled
> TLS 1.1 and 1.2, and not only SSLv3.
> 
> Starting from version 12.15 (April 2017) support for SSLv3 was dropped,
> and only TLS allowed.
> 
> How common is it for sites to have globus-gssapi-gsi versions before
> 11.26 installed and also setting the FORCE_TLS option in gsi.conf?
> 
>        Mattias
> 
> fre 2018-09-21 klockan 20:20 +0000 skrev Maarten Litmaath:
>> Hi Mattias,
>> that looks great, thanks very much!  I do not have the rights to approve it...
>> 
>> ________________________________________
>> From: Mattias Ellert [mattias.ellert at physics.uu.se]
>> Sent: 21 September 2018 22:04
>> To: Maarten Litmaath; Mischa Sallé; End of Support of Globus Toolkit
>> Cc: Paul Millar; wlcg-middleware-officer (Group of people with WLCG MW Officer function)
>> Subject: Re: [Gt-eos] Fwd: New globus-gssapi-gsi version default to TLSv1.2
>> 
>> fre 2018-09-21 klockan 18:47 +0200 skrev Maarten Litmaath:
>>> Hi Mattias, all,
>>> 
>>>> There are two different changes here.
>>>> 
>>>> The first change was a patch I created when building globus-gssapi-gsi
>>>> version 13.8-3. This patch sets the maximum TLS version used by the
>>>> Globus GSSAPI GSI to 1.2 in order to avoid TLS 1.3. This was done
>>>> because GSI does not work with TLS 1.3 (available in openssl 1.1.1).
>>>> 
>>>> I submitted this patch to the Globus upstream.
>>>> 
>>>> When this patch was accepted upstream, upstream decided to make
>>>> additional changes. One of these changes was to change the default
>>>> minimum TLS version from 1.0 to 1.2. This change was part of the
>>>> changes in version 13.9, and first appeared in the 13.10-1 version of
>>>> the package.
>>>> 
>>>> TLS 1.0 and 1.1 are deprecated and their use is discouraged.
>>> 
>>> Sure, but there is no panic about their continued use at this time.
>>> 
>>>> It is possible to change the minimum allowed TLS version to 1.0 or 1.1
>>>> in /etc/grid-security/gsi.conf or by using environment variables.
>>> 
>>> Neither option is viable for WLCG: the default config has to work.
>> 
>> I have created:
>> 
>> https://github.com/gridcf/gct/pull/55
>> 
>> Please provide feedback.
>> 
>>        Mattias
>> 
> 
> 
> _______________________________________________
> Gt-eos mailing list
> Gt-eos at mailman.egi.eu
> http://mailman.egi.eu/mailman/listinfo/gt-eos
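The question raised earlier in the thread (how common is a globus-gssapi-gsi older than 11.26 combined with FORCE_TLS in gsi.conf, i.e. the combination that silently pinned connections to TLS 1.0) can be answered per host with a small check. The script below is an added example for this page, not code from the thread, from Globus or from GCT. It assumes the package version is read from rpm and that gsi.conf uses simple KEY=VALUE lines with '#' comments; the accepted values for FORCE_TLS (1/yes/true) are an assumption, not taken from the page.

```shell
#!/bin/sh
# Added example: flag hosts exposed to the pre-11.26 FORCE_TLS bug, where
# FORCE_TLS pinned the GSI connection to TLS 1.0 instead of only disabling SSLv3.
# Assumptions (not from the thread): version obtained via
#   rpm -q --qf '%{VERSION}-%{RELEASE}' globus-gssapi-gsi
# and gsi.conf written as KEY=VALUE lines, '#' starting a comment.

FIXED_VERSION=11.26   # first version without the bug, per the thread

# version_lt A B: succeed when A is strictly older than B.
# Only MAJOR.MINOR are compared; a trailing "-RELEASE" is ignored.
# A version without a dot is treated as MAJOR.MAJOR (good enough for this check).
version_lt() {
    a=${1%%-*}; b=${2%%-*}
    a_major=${a%%.*}; a_rest=${a#*.}; a_minor=${a_rest%%.*}
    b_major=${b%%.*}; b_rest=${b#*.}; b_minor=${b_rest%%.*}
    [ "$a_major" -lt "$b_major" ] ||
        { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -lt "$b_minor" ]; }
}

# force_tls_set CONF: succeed when an uncommented FORCE_TLS line enables it.
# Commented-out lines ("# FORCE_TLS=true") must not count.
force_tls_set() {
    grep -Eiq '^[[:space:]]*FORCE_TLS[[:space:]]*=[[:space:]]*(1|yes|true)[[:space:]]*$' "$1"
}

# affected_by_force_tls_bug VERSION CONF: both conditions must hold.
affected_by_force_tls_bug() {
    version_lt "$1" "$FIXED_VERSION" && force_tls_set "$2"
}

# --- demo on a constructed gsi.conf (not a real site's file) ---
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
# constructed sample gsi.conf
# FORCE_TLS=true
FORCE_TLS=true
EOF

for ver in 11.22-1 11.26-1 13.10-1; do
    if affected_by_force_tls_bug "$ver" "$CONF"; then
        echo "$ver + FORCE_TLS: pinned to TLS 1.0, upgrade to >= $FIXED_VERSION"
    else
        echo "$ver: not affected by the FORCE_TLS bug"
    fi
done
rm -f "$CONF"
```

On a real host the version argument would come from the rpm query named in the comment and the second argument would be /etc/grid-security/gsi.conf; hosts reported as affected are the ones that were, in effect, TLS 1.0-only even though they thought FORCE_TLS merely removed SSLv3.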