[Gt-eos] Fwd: New globus-gssapi-gsi version default to TLSv1.2
Mischa Salle
msalle at nikhef.nl
Fri Sep 21 16:44:05 CEST 2018
Right, but looking at
https://github.com/globus/globus-toolkit/pull/124/commits/cef835a5f85537f45f4e00ae92a040d3e66f0570
it says
globus_i_gsi_gssapi_max_tls_protocol = TLS1_2_VERSION;
while the line above
globus_i_gsi_gssapi_min_tls_protocol = TLS1_VERSION;
hasn't changed. So it's unclear to me how you get now the 1.2 ?!
In any case, I think Mattias probably knows better what's going on.
See also https://github.com/globus/globus-toolkit/pull/124
Cheers,
Mischa
On Fri, Sep 21, 2018 at 04:35:34PM +0200, andrea wrote:
> Hi Misha,
>
> with the latest version of the package, now also minimum version of TLS has
> been set to 1.2
>
> cheers
>
> Andrea
>
>
> Il 21.09.18 16:32, Mischa Salle ha scritto:
> > Hi all,
> >
> > I'm a bit confused about this. AFAIK Mattias Ellert has set the
> > *maximum* TLS version to 1.2 since it fails with the new TLS 1.3
> > which has been introduced with OpenSSL 1.1.1. But that should not
> > normally set the *default* version to 1.2? Not entirely sure whether
> > this is the same issue.
> > I'm including him directly in CC to attract attention...
> >
> > Cheers,
> > Mischa
> >
> > On Fri, Sep 21, 2018 at 04:04:55PM +0200, andrea wrote:
> > > Hi Paul
> > >
> > >
> > > Il 21.09.18 15:58, Maarten Litmaath ha scritto:
> > > > CC FTS manager Andrea...
> > > >
> > > > On 09/21/18 15:41, Paul Millar wrote:
> > > > > On 21/09/18 15:33, Maarten Litmaath wrote:
> > > > > > Hi all,
> > > > > > do you have comments on this matter?
> > > > > Is the "pilot" FTS instance finding SRM storage sites that are not
> > > > > supporting TLS v1.2 because the version of globus-gssapi-gsi was
> > > > > updated on that (those) machine(s)?
> > > yes the new package coming from EPEL-testing was installed on 2 of our FTS
> > > pilot nodes
> > > > > Does this problem affect only FTS, or are clients installed on the
> > > > > WN also affected?
> > > anyone using gfal + srm/gridftp will be affected ( if the the server is not
> > > configured with tls 1.2)
> > > > > Has anyone tested a machine with this against any dCache instances?
> > > i just tried INP3 and it looks ok
> > >
> > > cheers
> > > Andrea
> > >
> > > > > For me, the last question is the most pressing.
> > > > >
> > > > > If the answer is "no" then how can we change this, so dCache
> > > > > instances are being tested?
> > > > >
> > > > > Cheers,
> > > > >
> > > > > Paul.
> > > _______________________________________________
> > > Gt-eos mailing list
> > > Gt-eos at mailman.egi.eu
> > > http://mailman.egi.eu/mailman/listinfo/gt-eos
> >
> >
> > _______________________________________________
> > Gt-eos mailing list
> > Gt-eos at mailman.egi.eu
> > http://mailman.egi.eu/mailman/listinfo/gt-eos
>
--
Nikhef Room H155
Science Park 105 Tel. +31-20-592 5102
1098 XG Amsterdam Fax +31-20-592 5155
The Netherlands Email msalle at nikhef.nl
__ .. ... _._. .... ._ ... ._ ._.. ._.. .._..
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3402 bytes
Desc: not available
URL: <http://mailman.egi.eu/pipermail/gt-eos/attachments/20180921/53661f51/attachment-0001.p7s>
More information about the Gt-eos
mailing list