Hi All,

April 2 is only 6 days away. Everyone has had time to upgrade their GT installations in order to avoid any incompatibilities when services are configured to disallow SSLv3.

Starting Thursday, April 2, go ahead and make the change to prevent the use of SSLv3. This can be done by setting the environment variable “GLOBUS_GSSAPI_FORCE_TLS” before starting any of the GT services: GridFTP, GRAM (gatekeeper), MyProxy, GSISSH. Please see the service admin guides for details - http://toolkit.globus.org/toolkit/docs/latest-stable/

If after making the change you see errors coming from the services like this:

————————————————————————
530-globus_xio: Authentication Error
530-globus_gsi_gssapi: Unable to verify remote side's credentials
530-globus_gsi_gssapi: SSLv3 handshake problems: Couldn't do ssl handshake
530-OpenSSL Error: s3_srvr.c:965: in library: SSL routines, function SSL3_GET_CLIENT_HELLO: wrong version number
530 End.
————————————————————————

That would indicate that some users are still using an old/incompatible version of the client. Hopefully, there will be very few issues, since we have given everyone a good amount of time to prepare.

Cheers,
Stu

On Dec 8, 2014, at Dec 8, 11:30 AM, Stuart Martin <[email protected]> wrote:

> Hi All,
>
> Here is an update on the first milestone for upgrading GRAM and MyProxy
> client installations to be TLS-compatible prior to any GRAM and MyProxy
> services being configured to be TLS-only.
>
> Due to concerns shared from some organizations that they may not be able to
> get their clients updated before Jan 1, 2015, we are now recommending all
> users to delay configuring their Globus Toolkit services to be TLS-only until
> after *April 1, 2015*.
>
> Prior to this April 1 deadline, we recommend all client installations upgrade
> the GRAM and MyProxy clients to (at least) the following version numbers.
> These add support for TLS to those components:
>
> GT 6.0 GRAM TLS package: globus_gram_client-13.11
> GT 6.0 MyProxy TLS package: myproxy-6.1.8
>
> GT 5.2 GRAM TLS package: globus_gram_client-12.5
> GT 5.2 MyProxy TLS package: None**
>
> ** There are no plans to create a GT 5.2 MyProxy client update package, a
> MyProxy client installation will have to be 6.0 to be fully compatible with a
> TLS-only MyProxy service.
>
> For Mac and Windows client installations, we will make available a new set of
> GT 6.0 installers that contain the GRAM and MyProxy client updates. These
> will be coming soon.
>
> Let us know if you have any questions.
>
> -Globus Dev Team
>
> On Oct 21, 2014, at Oct 21, 1:54 PM, Stuart Martin <[email protected]>
> wrote:
>
>> Hi All,
>>
>> Due to the recently announced POODLE issue
>> (https://support.globus.org/entries/101814643), we are planning to disable
>> SSLv3 support in Globus Toolkit components. All users maintaining GT
>> installations older than 5.2 will need to upgrade to remain compatible with
>> GT services that disable SSLv3 by July 1, 2015.
>>
>> There is no immediate threat, so we can proceed with a priority on limiting
>> the impact of incompatibility for end users.
>>
>> (Now) The Globus team’s recommendation is for the entire ecosystem to
>> upgrade to a supported release, either GT 6.0 or 5.2, both of which support
>> TLS. This will allow a transition period where clients and services will be
>> able to communicate with either TLS or SSLv3, with newer clients and
>> services choosing TLS by default. We DO NOT recommend disabling SSLv3 for
>> ANY installations during this transition time as it will cause
>> incompatibility with older clients and services that haven’t completed the
>> transition.
>>
>> On January 1, 2015, we will begin the transition to configure Globus Toolkit
>> clients and services as TLS-only by disabling SSLv3. We will provide
>> documentation on how to update services to do so.
>>
>> On July 1, 2015, we will update our security packages to disable SSLv3 and
>> require TLS for all secure communication.
>>
>> Note: Maintainers of non-GT clients and servers that are part of a
>> community’s ecosystem should ensure their software can operate in the
>> upcoming TLS-only environment.
>>
>> Note: We will provide an update to the GRAM client to remove use of SSLv3 prior
>> to the transition period.
>>
>> -Globus Dev Team
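
One way a service administrator could find which hosts still trigger the "wrong version number" error quoted in the April announcement at the top of this thread. This is an added example, not part of the original e-mails and not Globus code. The log layout (`[pid] timestamp :: message`, with `New connection from: host:port`), the host names and the function name `find_legacy_clients` are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Tokens taken from the OpenSSL line of the error block quoted in the thread.
SIGNATURE = ("SSL3_GET_CLIENT_HELLO", "wrong version number")

# Assumed (hypothetical) log layout: "[pid] timestamp :: message", where the
# peer is announced as "New connection from: host:port" before any errors.
LINE_RE = re.compile(r"^\[(?P<pid>\d+)\]\s.*?::\s(?P<msg>.*)$")
PEER_RE = re.compile(r"New connection from: (?P<host>[^\s:]+):\d+")


def find_legacy_clients(log_text):
    """Count handshakes rejected with the wrong-version signature, per peer host."""
    peer_by_pid = {}
    hits = Counter()
    pid = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pid, msg = m.group("pid"), m.group("msg")
        else:
            msg = line  # continuation of a multi-line reply: keep the last pid
        peer = PEER_RE.search(msg)
        if peer:
            peer_by_pid[pid] = peer.group("host")
        elif all(token in msg for token in SIGNATURE):
            hits[peer_by_pid.get(pid, "unknown")] += 1
    return hits


# Constructed sample log; host names, PIDs and timestamps are made up.
SAMPLE_LOG = """\
[4101] Thu Apr  2 09:15:02 2015 :: New connection from: old-client.example.org:51234
[4101] Thu Apr  2 09:15:02 2015 :: 530-globus_xio: Authentication Error
530-globus_gsi_gssapi: Unable to verify remote side's credentials
530-globus_gsi_gssapi: SSLv3 handshake problems: Couldn't do ssl handshake
530-OpenSSL Error: s3_srvr.c:965: in library: SSL routines, function SSL3_GET_CLIENT_HELLO: wrong version number
530 End.
[4102] Thu Apr  2 09:16:40 2015 :: New connection from: new-client.example.org:40022
[4102] Thu Apr  2 09:16:41 2015 :: User alice successfully authorized
[4103] Thu Apr  2 09:17:05 2015 :: New connection from: old-client.example.org:51240
[4103] Thu Apr  2 09:17:05 2015 :: 530-OpenSSL Error: s3_srvr.c:965: in library: SSL routines, function SSL3_GET_CLIENT_HELLO: wrong version number
"""

if __name__ == "__main__":
    for host, count in find_legacy_clients(SAMPLE_LOG).most_common():
        print(f"{host}: {count} rejected handshake(s), client likely needs a TLS-capable upgrade")
```

Hosts reported here are candidates for the client upgrades listed in the Dec 8 message; adjust the two regular expressions to match the log format your service actually writes.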
