[Gt-eos] Fwd: New globus-gssapi-gsi version default to TLSv1.2
andrea
andrea.manzi at cern.ch
Fri Sep 21 16:52:42 CEST 2018
this is the commit which moved the min default to 1.2
https://github.com/globus/globus-toolkit/commit/afcff49e41e7f64edd87f0eec19a903c4eae2c9f
we are doing some tests and i can see that we have problems mainly with
Bestman2 SRMs at the moment
I think that given the situation it would be good for now to unpush the
package from EPEL if possible
and give us time to fix all endpoints which are not yet working with tls 1.2
Mattias would this be possible?
thanks
Andrea
Il 21.09.18 16:44, Mischa Salle ha scritto:
> Right, but looking at
> https://github.com/globus/globus-toolkit/pull/124/commits/cef835a5f85537f45f4e00ae92a040d3e66f0570
> it says
> globus_i_gsi_gssapi_max_tls_protocol = TLS1_2_VERSION;
> while the line above
> globus_i_gsi_gssapi_min_tls_protocol = TLS1_VERSION;
> hasn't changed. So it's unclear to me how you get now the 1.2 ?!
> In any case, I think Mattias probably knows better what's going on.
> See also https://github.com/globus/globus-toolkit/pull/124
>
> Cheers,
> Mischa
>
>
>
> On Fri, Sep 21, 2018 at 04:35:34PM +0200, andrea wrote:
>> Hi Misha,
>>
>> with the latest version of the package, now also minimum version of TLS has
>> been set to 1.2
>>
>> cheers
>>
>> Andrea
>>
>>
>> Il 21.09.18 16:32, Mischa Salle ha scritto:
>>> Hi all,
>>>
>>> I'm a bit confused about this. AFAIK Mattias Ellert has set the
>>> *maximum* TLS version to 1.2 since it fails with the new TLS 1.3
>>> which has been introduced with OpenSSL 1.1.1. But that should not
>>> normally set the *default* version to 1.2? Not entirely sure whether
>>> this is the same issue.
>>> I'm including him directly in CC to attract attention...
>>>
>>> Cheers,
>>> Mischa
>>>
>>> On Fri, Sep 21, 2018 at 04:04:55PM +0200, andrea wrote:
>>>> Hi Paul
>>>>
>>>>
>>>> Il 21.09.18 15:58, Maarten Litmaath ha scritto:
>>>>> CC FTS manager Andrea...
>>>>>
>>>>> On 09/21/18 15:41, Paul Millar wrote:
>>>>>> On 21/09/18 15:33, Maarten Litmaath wrote:
>>>>>>> Hi all,
>>>>>>> do you have comments on this matter?
>>>>>> Is the "pilot" FTS instance finding SRM storage sites that are not
>>>>>> supporting TLS v1.2 because the version of globus-gssapi-gsi was
>>>>>> updated on that (those) machine(s)?
>>>> yes the new package coming from EPEL-testing was installed on 2 of our FTS
>>>> pilot nodes
>>>>>> Does this problem affect only FTS, or are clients installed on the
>>>>>> WN also affected?
>>>> anyone using gfal + srm/gridftp will be affected ( if the the server is not
>>>> configured with tls 1.2)
>>>>>> Has anyone tested a machine with this against any dCache instances?
>>>> i just tried INP3 and it looks ok
>>>>
>>>> cheers
>>>> Andrea
>>>>
>>>>>> For me, the last question is the most pressing.
>>>>>>
>>>>>> If the answer is "no" then how can we change this, so dCache
>>>>>> instances are being tested?
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Paul.
>>>> _______________________________________________
>>>> Gt-eos mailing list
>>>> Gt-eos at mailman.egi.eu
>>>> http://mailman.egi.eu/mailman/listinfo/gt-eos
>>>
>>> _______________________________________________
>>> Gt-eos mailing list
>>> Gt-eos at mailman.egi.eu
>>> http://mailman.egi.eu/mailman/listinfo/gt-eos
More information about the Gt-eos
mailing list