[Discuss] disabling TLS 1.0 on myproxy-server

Dave Dykstra dwd at fnal.gov
Fri Sep 13 16:39:57 CEST 2019


Great, thanks Brian.  That works, or setting it to 0 makes it use the globus default of 1.2 only.

Dave

________________________________________
From: Brian Lin <blin at cs.wisc.edu>
Sent: Thursday, September 12, 2019 2:37:15 PM
To: discuss at gridcf.org; Dave Dykstra
Cc: Steven C Timm
Subject: Re: [Discuss] disabling TLS 1.0 on myproxy-server

Hi Dave and Steve,

We reverted the default TLS version to 1.0 a few months ago due to issues with some legacy services: https://github.com/gridcf/gct/pull/55

I believe that you should be able to set "MIN_TLS_PROTOCOL" to "TLS1_2_VERSION" or "MIN_TLS_PROTOCOL=TLS1_1_VERSION_DEPRECATED" in "/etc/grid-security/gsi.conf" to disable TLS 1.0.

- Brian

On 9/12/19 9:50 AM, Steven C Timm via discuss wrote:
I just filed support.opensciencegrid.org ticket #28033 asking the same question.
Jim Basney is here at Fermilab today as are a couple of the OSG software people--hopefully we can sort this out.

Thanks

Steve

________________________________
From: Dave Dykstra <dwd at fnal.gov>
Sent: Thursday, September 12, 2019 9:42 AM
To: discuss at gridcf.org <discuss at gridcf.org>
Cc: Steven C Timm <timm at fnal.gov>
Subject: disabling TLS 1.0 on myproxy-server

Hello all,

Does the latest version of the gct disable TLS 1.0?  I think I have
the latest version of the globus libraries from epel and the latest
myproxy-server, but I still see myproxy-server accepting TLSv1.  Is
there some configuration to disable it?

    $ rpm -qa|egrep "(globus|osg)"|sort
    globus-callout-4.1-1.el6.x86_64
    globus-common-18.2-1.el6.x86_64
    globus-gsi-callback-6.1-1.el6.x86_64
    globus-gsi-cert-utils-10.2-1.el6.x86_64
    globus-gsi-cert-utils-progs-10.2-1.el6.noarch
    globus-gsi-credential-8.1-1.el6.x86_64
    globus-gsi-openssl-error-4.1-1.el6.x86_64
    globus-gsi-proxy-core-9.2-1.el6.x86_64
    globus-gsi-proxy-ssl-6.1-1.el6.x86_64
    globus-gsi-sysconfig-9.2-1.el6.x86_64
    globus-gssapi-gsi-14.10-1.el6.x86_64
    globus-gss-assist-12.2-1.el6.x86_64
    globus-openssl-module-5.1-1.el6.x86_64
    globus-proxy-utils-7.1-1.el6.x86_64
    globus-usage-5.0-1.el6.x86_64
    globus-xio-6.1-1.el6.x86_64
    myproxy-6.2.4-1.1.osg34.el6.x86_64
    myproxy-admin-6.2.4-1.1.osg34.el6.x86_64
    myproxy-doc-6.2.4-1.1.osg34.el6.noarch
    myproxy-libs-6.2.4-1.1.osg34.el6.x86_64
    myproxy-server-6.2.4-1.1.osg34.el6.x86_64
    osg-ca-certs-1.83-1.osg34.el6.noarch
    osg-ca-certs-updater-1.8-1.osg34.el6.noarch
    osg-release-3.4-8.osg34.el6.noarch
    $ sslscan fermicloud343:7512|grep Accepted
        Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
        Accepted  TLSv1  256 bits  AECDH-AES256-SHA
        Accepted  TLSv1  256 bits  AES256-SHA
        Accepted  TLSv1  256 bits  CAMELLIA256-SHA
        Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
        Accepted  TLSv1  128 bits  AECDH-AES128-SHA
        Accepted  TLSv1  128 bits  AES128-SHA
        Accepted  TLSv1  128 bits  CAMELLIA128-SHA
        Accepted  TLSv1  112 bits  ECDHE-RSA-DES-CBC3-SHA
        Accepted  TLSv1  112 bits  AECDH-DES-CBC3-SHA
        Accepted  TLSv1  112 bits  DES-CBC3-SHA
        Accepted  TLS11  256 bits  ECDHE-RSA-AES256-SHA
        Accepted  TLS11  256 bits  AECDH-AES256-SHA
        Accepted  TLS11  256 bits  AES256-SHA
        Accepted  TLS11  256 bits  CAMELLIA256-SHA
        Accepted  TLS11  128 bits  ECDHE-RSA-AES128-SHA
        Accepted  TLS11  128 bits  AECDH-AES128-SHA
        Accepted  TLS11  128 bits  AES128-SHA
        Accepted  TLS11  128 bits  CAMELLIA128-SHA
        Accepted  TLS11  112 bits  ECDHE-RSA-DES-CBC3-SHA
        Accepted  TLS11  112 bits  AECDH-DES-CBC3-SHA
        Accepted  TLS11  112 bits  DES-CBC3-SHA
        Accepted  TLS12  256 bits  ECDHE-RSA-AES256-GCM-SHA384
        Accepted  TLS12  256 bits  ECDHE-RSA-AES256-SHA384
        Accepted  TLS12  256 bits  ECDHE-RSA-AES256-SHA
        Accepted  TLS12  256 bits  AECDH-AES256-SHA
        Accepted  TLS12  256 bits  AES256-GCM-SHA384
        Accepted  TLS12  256 bits  AES256-SHA256
        Accepted  TLS12  256 bits  AES256-SHA
        Accepted  TLS12  256 bits  CAMELLIA256-SHA
        Accepted  TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
        Accepted  TLS12  128 bits  ECDHE-RSA-AES128-SHA256
        Accepted  TLS12  128 bits  ECDHE-RSA-AES128-SHA
        Accepted  TLS12  128 bits  AECDH-AES128-SHA
        Accepted  TLS12  128 bits  AES128-GCM-SHA256
        Accepted  TLS12  128 bits  AES128-SHA256
        Accepted  TLS12  128 bits  AES128-SHA
        Accepted  TLS12  128 bits  CAMELLIA128-SHA
        Accepted  TLS12  112 bits  ECDHE-RSA-DES-CBC3-SHA
        Accepted  TLS12  112 bits  AECDH-DES-CBC3-SHA
        Accepted  TLS12  112 bits  DES-CBC3-SHA

Dave



_______________________________________________
discuss mailing list
discuss at gridcf.org
https://mailman.egi.eu/mailman/listinfo/discuss
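The two practical pieces of this thread, the MIN_TLS_PROTOCOL setting in /etc/grid-security/gsi.conf that Brian points to and the sslscan check Dave used to see which protocol versions myproxy-server accepts, can be combined into a repeatable verification. The script below is an added example and is not code from the thread or from the GCT/MyProxy project. It parses sslscan "Accepted" lines (a constructed sample in sslscan's format is embedded), reports which accepted protocol versions fall below a chosen minimum, and reads MIN_TLS_PROTOCOL from gsi.conf text. The mapping of TLS1_2_VERSION, TLS1_1_VERSION_DEPRECATED and 0 to minimum versions follows what Brian and Dave state in the thread; the function names, the SSLv2/SSLv3/TLS13 labels in the ordering table and the treatment of unknown values as "not enforced" are assumptions of this example.

```python
"""Audit sslscan output and a gsi.conf MIN_TLS_PROTOCOL line against a TLS policy.

Added example; not part of the mailing-list thread or of the GCT/MyProxy code.
"""
import re
from typing import Dict, List, Optional

# Constructed sample in the format of sslscan's "Accepted" lines: a server that
# still accepts TLSv1 and TLS 1.1 alongside TLS 1.2.
SAMPLE_SSLSCAN = """\
    Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLSv1  112 bits  DES-CBC3-SHA
    Accepted  TLS11  128 bits  AES128-SHA
    Accepted  TLS12  256 bits  ECDHE-RSA-AES256-GCM-SHA384
    Accepted  TLS12  128 bits  AES128-GCM-SHA256
"""

# Constructed gsi.conf fragments: one commented-out (not enforced), one enforcing TLS 1.2.
SAMPLE_GSI_CONF_WEAK = "# MIN_TLS_PROTOCOL=TLS1_2_VERSION\n"
SAMPLE_GSI_CONF_FIXED = "MIN_TLS_PROTOCOL=TLS1_2_VERSION\n"

# Protocol labels as sslscan prints them, oldest first (assumed list, covers the
# labels seen in the thread plus the neighbouring versions).
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLS11", "TLS12", "TLS13"]

# MIN_TLS_PROTOCOL values named in the thread -> lowest version they allow.
# "0" is taken, per Dave's follow-up, to mean the Globus default of TLS 1.2 only.
MIN_TLS_PROTOCOL_VALUES = {
    "TLS1_2_VERSION": "TLS12",
    "TLS1_1_VERSION_DEPRECATED": "TLS11",
    "0": "TLS12",
}

ACCEPTED_RE = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)")
MIN_TLS_RE = re.compile(r"^\s*MIN_TLS_PROTOCOL\s*=\s*\"?([^\"\s]+)\"?\s*$")


def parse_accepted(report: str) -> Dict[str, List[str]]:
    """Map each protocol label sslscan accepted to the cipher suites seen under it."""
    accepted: Dict[str, List[str]] = {}
    for line in report.splitlines():
        match = ACCEPTED_RE.match(line)
        if not match:
            continue  # headers, "Rejected" lines and anything else are ignored
        proto, _bits, suite = match.groups()
        accepted.setdefault(proto, []).append(suite)
    return accepted


def versions_below(accepted: Dict[str, List[str]], minimum: str) -> List[str]:
    """Return accepted protocol labels older than `minimum`, oldest first."""
    cutoff = PROTOCOL_ORDER.index(minimum)  # ValueError for an unknown label
    return [proto for proto in PROTOCOL_ORDER[:cutoff] if proto in accepted]


def audit_sslscan(report: str, minimum: str = "TLS12") -> dict:
    """Summarise an sslscan report: accepted versions, those below policy, verdict."""
    accepted = parse_accepted(report)

    def order(proto: str) -> int:
        return PROTOCOL_ORDER.index(proto) if proto in PROTOCOL_ORDER else len(PROTOCOL_ORDER)

    below = versions_below(accepted, minimum)
    return {
        "accepted": sorted(accepted, key=order),
        "below_minimum": below,
        "compliant": not below,
    }


def min_tls_from_gsi_conf(conf_text: str) -> Optional[str]:
    """Return the minimum version label enforced by MIN_TLS_PROTOCOL in gsi.conf text.

    Commented-out lines are skipped; a missing or unrecognised setting yields None,
    meaning the policy is not known to be enforced by this file.
    """
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = MIN_TLS_RE.match(line)
        if match:
            return MIN_TLS_PROTOCOL_VALUES.get(match.group(1))
    return None


if __name__ == "__main__":
    result = audit_sslscan(SAMPLE_SSLSCAN)
    print("accepted:", result["accepted"])
    print("below TLS 1.2:", result["below_minimum"], "compliant:", result["compliant"])
    for label, conf in (("weak", SAMPLE_GSI_CONF_WEAK), ("fixed", SAMPLE_GSI_CONF_FIXED)):
        print(f"gsi.conf ({label}) enforces minimum:", min_tls_from_gsi_conf(conf))
```

In practice the report text would come from `sslscan host:7512` run against the MyProxy port, and the gsi.conf text from /etc/grid-security/gsi.conf; running the audit before and after changing MIN_TLS_PROTOCOL gives a before/after record that TLSv1 and TLS11 disappeared from the accepted list.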