[Gt-eos] Fwd: New globus-gssapi-gsi version default to TLSv1.2

Mischa Salle msalle at nikhef.nl
Fri Sep 21 16:44:05 CEST 2018


Right, but looking at
https://github.com/globus/globus-toolkit/pull/124/commits/cef835a5f85537f45f4e00ae92a040d3e66f0570
it says
    globus_i_gsi_gssapi_max_tls_protocol = TLS1_2_VERSION;
while the line above
    globus_i_gsi_gssapi_min_tls_protocol = TLS1_VERSION;
hasn't changed. So it's unclear to me how you get now the 1.2 ?!
In any case, I think Mattias probably knows better what's going on.
See also https://github.com/globus/globus-toolkit/pull/124

    Cheers,
    Mischa



On Fri, Sep 21, 2018 at 04:35:34PM +0200, andrea wrote:
> Hi Misha,
> 
> with the latest version of the package, now also minimum version of TLS has
> been set to 1.2
> 
> cheers
> 
> Andrea
> 
> 
> Il 21.09.18 16:32, Mischa Salle ha scritto:
> > Hi all,
> > 
> > I'm a bit confused about this. AFAIK Mattias Ellert has set the
> > *maximum* TLS version to 1.2 since it fails with the new TLS 1.3
> > which has been introduced with OpenSSL 1.1.1. But that should not
> > normally set the *default* version to 1.2? Not entirely sure whether
> > this is the same issue.
> > I'm including him directly in CC to attract attention...
> > 
> >      Cheers,
> >      Mischa
> > 
> > On Fri, Sep 21, 2018 at 04:04:55PM +0200, andrea wrote:
> > > Hi Paul
> > > 
> > > 
> > > Il 21.09.18 15:58, Maarten Litmaath ha scritto:
> > > > CC FTS manager Andrea...
> > > > 
> > > > On 09/21/18 15:41, Paul Millar wrote:
> > > > > On 21/09/18 15:33, Maarten Litmaath wrote:
> > > > > > Hi all,
> > > > > > do you have comments on this matter?
> > > > > Is the "pilot" FTS instance finding SRM storage sites that are not
> > > > > supporting TLS v1.2 because the version of globus-gssapi-gsi was
> > > > > updated on that (those) machine(s)?
> > > yes the new package coming from EPEL-testing was installed on 2 of our FTS
> > > pilot nodes
> > > > > Does this problem affect only FTS, or are clients installed on the
> > > > > WN also affected?
> > > anyone using gfal + srm/gridftp will be affected ( if the the server is not
> > > configured with tls 1.2)
> > > > > Has anyone tested a machine with this against any dCache instances?
> > > i just tried INP3 and it looks ok
> > > 
> > > cheers
> > > Andrea
> > > 
> > > > > For me, the last question is the most pressing.
> > > > > 
> > > > > If the answer is "no" then how can we change this, so dCache
> > > > > instances are being tested?
> > > > > 
> > > > > Cheers,
> > > > > 
> > > > > Paul.
> > > _______________________________________________
> > > Gt-eos mailing list
> > > Gt-eos at mailman.egi.eu
> > > http://mailman.egi.eu/mailman/listinfo/gt-eos
> > 
> > 
> > _______________________________________________
> > Gt-eos mailing list
> > Gt-eos at mailman.egi.eu
> > http://mailman.egi.eu/mailman/listinfo/gt-eos
> 

-- 
Nikhef                      Room  H155
Science Park 105            Tel.  +31-20-592 5102
1098 XG Amsterdam           Fax   +31-20-592 5155
The Netherlands             Email msalle at nikhef.nl
  __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3402 bytes
Desc: not available
URL: <http://mailman.egi.eu/pipermail/gt-eos/attachments/20180921/53661f51/attachment-0001.p7s>


More information about the Gt-eos mailing list