[gt-user] [gt-dev] Migrating GT services to TLS-only
smartin at mcs.anl.gov
Fri Mar 27 15:15:46 CDT 2015
April 2 is only 6 days away. Everyone has had time to upgrade their GT installations in order to avoid any incompatibilities when services are configured to disallow SSLv3. Starting Thursday, April 2, go ahead and make the change to prevent the use of SSLv3. This can be done by setting the environment variable “GLOBUS_GSSAPI_FORCE_TLS” before starting any of the GT services: GridFTP, GRAM (gatekeeper), MyProxy, GSISSH. Please see the service admin guides for details - http://toolkit.globus.org/toolkit/docs/latest-stable/
If after making the change you see errors coming from the services like this:
530-globus_xio: Authentication Error
530-globus_gsi_gssapi: Unable to verify remote side's credentials
530-globus_gsi_gssapi: SSLv3 handshake problems: Couldn't do ssl handshake
530-OpenSSL Error: s3_srvr.c:965: in library: SSL routines, function
SSL3_GET_CLIENT_HELLO: wrong version number
That would indicate that some users are still using an old/incompatible version of the client.
Hopefully, there will be very few issues, since we have given everyone a good amount of time to prepare.
On Dec 8, 2014, at Dec 8, 11:30 AM, Stuart Martin <smartin at mcs.anl.gov> wrote:
> Hi All,
> Here is an update on the first milestone for upgrading GRAM and MyProxy client installations to be TLS-compatible prior to any GRAM and MyProxy services being configured to be TLS-only.
> Due to concerns shared from some organizations that they may not be able to get their clients updated before Jan 1, 2015, we are now recommending all users to delay configuring their Globus Toolkit services to be TLS-only until after *April 1, 2015*.
> Prior to this April 1 deadline, we recommend all client installations upgrade the GRAM and MyProxy clients to (at least) the following version numbers. These add support for TLS to those components:
> GT 6.0 GRAM TLS package: globus_gram_client-13.11
> GT 6.0 MyProxy TLS package: myproxy-6.1.8
> GT 5.2 GRAM TLS package: globus_gram_client-12.5
> GT 5.2 MyProxy TLS package: None**
> ** There are no plans to create a GT 5.2 MyProxy client update package; a MyProxy client installation will have to be 6.0 to be fully compatible with a TLS-only MyProxy service.
> For Mac and Windows client installations, we will make available a new set of GT 6.0 installers that contain the GRAM and MyProxy client updates. These will be coming soon.
> Let us know if you have any questions.
> -Globus Dev Team
> On Oct 21, 2014, at Oct 21, 1:54 PM, Stuart Martin <smartin at mcs.anl.gov> wrote:
>> Hi All,
>> Due to the recently announced POODLE issue (https://support.globus.org/entries/101814643), we are planning to disable SSLv3 support in Globus Toolkit components. All users maintaining GT installations older than 5.2 will need to upgrade to remain compatible with GT services that disable SSLv3 by July 1, 2015.
>> There is no immediate threat, so we can proceed with a priority on limiting the impact of incompatibility for end users.
>> (Now) The Globus team’s recommendation is for the entire ecosystem to upgrade to a supported release, either GT 6.0 or 5.2, both of which support TLS. This will allow a transition period where clients and services will be able to communicate with either TLS or SSLv3, with newer clients and services choosing TLS by default. We DO NOT recommend disabling SSLv3 for ANY installations during this transition time as it will cause incompatibility with older clients and services that haven’t completed the transition.
>> On January 1, 2015, we will begin the transition to configure Globus Toolkit clients and services as TLS-only by disabling SSLv3. We will provide documentation on how to update services to do so.
>> On July 1, 2015, we will update our security packages to disable SSLv3 and require TLS for all secure communication.
>> Note: Maintainers of non-GT clients and servers that are part of a community’s ecosystem should ensure their software can operate in the upcoming TLS-only environment.
>> Note: We will provide an update to the GRAM client to remove use of SSLv3 prior to the transition period.
>> -Globus Dev Team
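
An added example, not part of the original messages or of the Globus Toolkit: a Linux-only shell check that GLOBUS_GSSAPI_FORCE_TLS is present in the start-up environment of running service processes, plus a count of the handshake error quoted in the first message. Assumptions: /proc is available, the operator supplies the PIDs and log path, and the function names, script name and PROC_ROOT override are hypothetical.

```shell
#!/bin/sh
# Added example, not Globus project code. Linux only (reads /proc).
VAR=GLOBUS_GSSAPI_FORCE_TLS
PROC_ROOT=${PROC_ROOT:-/proc}   # hypothetical override, lets the check run on fixtures

# Succeed if VAR is defined in the start-up environment of PID $1.
# /proc/<pid>/environ is NUL-separated: split on NUL, then anchor the
# match so the name appearing inside another variable's value is ignored.
# Returns 2 when the file cannot be read (process gone, insufficient rights).
force_tls_set() {
    [ -r "$PROC_ROOT/$1/environ" ] || return 2
    tr '\0' '\n' < "$PROC_ROOT/$1/environ" | grep -q "^${VAR}="
}

# Report each PID given; non-zero status if any lacks the variable.
audit_pids() {
    rc=0
    for pid in "$@"; do
        if force_tls_set "$pid"; then
            echo "$pid: $VAR is set"
        else
            echo "$pid: $VAR missing or environ unreadable"
            rc=1
        fi
    done
    return "$rc"
}

# Count occurrences of the handshake error quoted in the message in log $1.
# grep -c exits 1 on zero matches, so mask that to keep "0" a normal result.
count_sslv3_rejects() {
    grep -c 'SSL3_GET_CLIENT_HELLO: wrong version number' "$1" || true
}

# Usage: sh check_force_tls.sh PID...   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    audit_pids "$@"
fi
```

Because /proc/<pid>/environ records the environment at process start, a "missing" result means the service was launched without the variable and needs a restart with it exported.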