[Discuss] disabling TLS 1.0 on myproxy-server

Steven C Timm timm at fnal.gov
Thu Sep 12 16:50:45 CEST 2019


I just filed support.opensciencegrid.org ticket #28033 asking the same question.
Jim Basney is here at Fermilab today as are a couple of the OSG software people--hopefully we can sort this out.

Thanks

Steve

________________________________
From: Dave Dykstra <dwd at fnal.gov>
Sent: Thursday, September 12, 2019 9:42 AM
To: discuss at gridcf.org <discuss at gridcf.org>
Cc: Steven C Timm <timm at fnal.gov>
Subject: disabling TLS 1.0 on myproxy-server

Hello all,

Does the latest version of the gct disable TLS 1.0?  I think I have
the latest version of the globus libraries from epel and the latest
myproxy-server, but I still see myproxy-server accepting TLSv1.  Is
there some configuration to disable it?

    $ rpm -qa|egrep "(globus|osg)"|sort
    globus-callout-4.1-1.el6.x86_64
    globus-common-18.2-1.el6.x86_64
    globus-gsi-callback-6.1-1.el6.x86_64
    globus-gsi-cert-utils-10.2-1.el6.x86_64
    globus-gsi-cert-utils-progs-10.2-1.el6.noarch
    globus-gsi-credential-8.1-1.el6.x86_64
    globus-gsi-openssl-error-4.1-1.el6.x86_64
    globus-gsi-proxy-core-9.2-1.el6.x86_64
    globus-gsi-proxy-ssl-6.1-1.el6.x86_64
    globus-gsi-sysconfig-9.2-1.el6.x86_64
    globus-gssapi-gsi-14.10-1.el6.x86_64
    globus-gss-assist-12.2-1.el6.x86_64
    globus-openssl-module-5.1-1.el6.x86_64
    globus-proxy-utils-7.1-1.el6.x86_64
    globus-usage-5.0-1.el6.x86_64
    globus-xio-6.1-1.el6.x86_64
    myproxy-6.2.4-1.1.osg34.el6.x86_64
    myproxy-admin-6.2.4-1.1.osg34.el6.x86_64
    myproxy-doc-6.2.4-1.1.osg34.el6.noarch
    myproxy-libs-6.2.4-1.1.osg34.el6.x86_64
    myproxy-server-6.2.4-1.1.osg34.el6.x86_64
    osg-ca-certs-1.83-1.osg34.el6.noarch
    osg-ca-certs-updater-1.8-1.osg34.el6.noarch
    osg-release-3.4-8.osg34.el6.noarch
    $ sslscan fermicloud343:7512|grep Accepted
        Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
        Accepted  TLSv1  256 bits  AECDH-AES256-SHA
        Accepted  TLSv1  256 bits  AES256-SHA
        Accepted  TLSv1  256 bits  CAMELLIA256-SHA
        Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
        Accepted  TLSv1  128 bits  AECDH-AES128-SHA
        Accepted  TLSv1  128 bits  AES128-SHA
        Accepted  TLSv1  128 bits  CAMELLIA128-SHA
        Accepted  TLSv1  112 bits  ECDHE-RSA-DES-CBC3-SHA
        Accepted  TLSv1  112 bits  AECDH-DES-CBC3-SHA
        Accepted  TLSv1  112 bits  DES-CBC3-SHA
        Accepted  TLS11  256 bits  ECDHE-RSA-AES256-SHA
        Accepted  TLS11  256 bits  AECDH-AES256-SHA
        Accepted  TLS11  256 bits  AES256-SHA
        Accepted  TLS11  256 bits  CAMELLIA256-SHA
        Accepted  TLS11  128 bits  ECDHE-RSA-AES128-SHA
        Accepted  TLS11  128 bits  AECDH-AES128-SHA
        Accepted  TLS11  128 bits  AES128-SHA
        Accepted  TLS11  128 bits  CAMELLIA128-SHA
        Accepted  TLS11  112 bits  ECDHE-RSA-DES-CBC3-SHA
        Accepted  TLS11  112 bits  AECDH-DES-CBC3-SHA
        Accepted  TLS11  112 bits  DES-CBC3-SHA
        Accepted  TLS12  256 bits  ECDHE-RSA-AES256-GCM-SHA384
        Accepted  TLS12  256 bits  ECDHE-RSA-AES256-SHA384
        Accepted  TLS12  256 bits  ECDHE-RSA-AES256-SHA
        Accepted  TLS12  256 bits  AECDH-AES256-SHA
        Accepted  TLS12  256 bits  AES256-GCM-SHA384
        Accepted  TLS12  256 bits  AES256-SHA256
        Accepted  TLS12  256 bits  AES256-SHA
        Accepted  TLS12  256 bits  CAMELLIA256-SHA
        Accepted  TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
        Accepted  TLS12  128 bits  ECDHE-RSA-AES128-SHA256
        Accepted  TLS12  128 bits  ECDHE-RSA-AES128-SHA
        Accepted  TLS12  128 bits  AECDH-AES128-SHA
        Accepted  TLS12  128 bits  AES128-GCM-SHA256
        Accepted  TLS12  128 bits  AES128-SHA256
        Accepted  TLS12  128 bits  AES128-SHA
        Accepted  TLS12  128 bits  CAMELLIA128-SHA
        Accepted  TLS12  112 bits  ECDHE-RSA-DES-CBC3-SHA
        Accepted  TLS12  112 bits  AECDH-DES-CBC3-SHA
        Accepted  TLS12  112 bits  DES-CBC3-SHA

Dave
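
One way to check a scan like the one posted above against a TLS 1.2-minimum policy, as an added example that is not part of the original messages and not code from sslscan, GCT or MyProxy. The function names `audit_sslscan` and `sample_scan`, the policy (SSLv2/3 and TLS 1.0/1.1 deprecated, anonymous and 3DES suites weak) and the finding format are assumptions.

```sh
#!/bin/sh
# Added example: audit sslscan "Accepted" lines against a TLS 1.2-minimum policy.
# Policy (assumption, not from the thread): SSLv2/3 and TLS 1.0/1.1 are deprecated;
# anonymous (ADH/AECDH) and 3DES suites are weak at any protocol version.

audit_sslscan() {
    # Reads sslscan output on stdin and prints one finding per line.
    # Exit status: 0 = compliant, 1 = findings, 2 = no "Accepted" lines seen.
    awk '
    $1 == "Accepted" {
        # Fields: Accepted <protocol> <bits> bits <cipher>
        proto = $2; cipher = $5; seen++; count[proto]++
        # Covers both label styles: TLSv1/TLS11 (as in the post) and TLSv1.0/TLSv1.1.
        if (proto ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.0|TLS10|TLSv1\.1|TLS11)$/) dep[proto]++
        if (cipher ~ /^(ADH|AECDH)-/) {
            printf "WEAK anonymous-kx %s %s\n", proto, cipher; bad++
        } else if (cipher ~ /DES-CBC3/) {
            printf "WEAK 3des %s %s\n", proto, cipher; bad++
        }
    }
    END {
        if (!seen) { print "ERROR no Accepted lines"; exit 2 }
        for (p in dep) { printf "DEPRECATED %s accepted with %d suites\n", p, dep[p]; bad++ }
        for (p in count) printf "SUMMARY %s %d\n", p, count[p]
        exit (bad ? 1 : 0)
    }'
}

sample_scan() {
    # Six lines excerpted from the scan output in the message above.
    cat <<'EOF'
    Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  AECDH-AES256-SHA
    Accepted  TLS11  112 bits  DES-CBC3-SHA
    Accepted  TLS12  256 bits  ECDHE-RSA-AES256-GCM-SHA384
    Accepted  TLS12  128 bits  AECDH-AES128-SHA
    Accepted  TLS12  112 bits  ECDHE-RSA-DES-CBC3-SHA
EOF
}

# Demo run; "||" keeps a non-zero audit status from aborting a caller using set -e.
sample_scan | audit_sslscan || echo "audit exit status: $?"
```

Piping a live scan into the function (`sslscan host:7512 | audit_sslscan`) gives a pass/fail exit status that can be re-run after each configuration or package change.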