Hi Jim, Joe started the builds with this change yesterday, but hit an issue, so the stable repo has not yet been updated. We anticipate the stable repo to be updated sometime today. We’ll send email when the update is on stable.
As you know, only after users update their local installs would they have this change. So, that might take some time for users to confirm all is good. -Stu > On May 4, 2016, at 9:00 AM, Basney, Jim <jbas...@illinois.edu> wrote: > > Hi, > > Did this change happen as planned? Is the transition going OK for everyone? > > In my role as CA operator, I know we've been issuing a lot of host certs > with multiple subjectAltNames in preparation for this transition, so > hopefully everyone has the certs they need. > > -Jim > > On 2/4/16, 5:21 PM, Stuart Martin wrote: >> Hi All, >> >> Here is a reminder about this deadline and upcoming change. >> >> Admins should check their host certificates and update them if necessary. >> Replace any incompatible certificates by Mar 1, 2016. >> >> To allow a bit of a buffer between the service-side certificate update >> deadline and clients beginning to use strict mode, updates will be made >> to the Globus Toolkit to default the client-side algorithm to strict mode >> on Tuesday, April 5, 2016. >> >> - The Globus Team >> >>> On Dec 1, 2015, at 2:50 PM, Stuart Martin <smar...@mcs.anl.gov> wrote: >>> >>> Dear All, >>> >>> Globus is planning to change the default client-side algorithm for >>> checking the server¹s identity used by GridFTP, MyProxy, GSI-OpenSSH, >>> and GRAM. The new algorithm performs identity matching as described in >>> section 3.1 of RFC 2818 >>> (https://tools.ietf.org/html/rfc2818#section-3.1 >>> <https://tools.ietf.org/html/rfc2818#section-3.1>), the standard >>> describing TLS use with HTTP. This involves a change in the >>> globus-gssapi-gsi library, and will apply to any application that uses >>> the updated library. >>> >>> The new ³strict mode² algorithm will be more strict in its enforcement, >>> checking that the server¹s certificate identity matches the hostname >>> that the client uses to contact the service. Once clients are >>> configured for strict mode, client authentication (of any Globus >>> service) would fail if the service is using a certificate that does not >>> match the hostname that the client used to contact the service. >>> >>> This change will bring our identity checking algorithm in line with RFC >>> 2818, and will also close the door to reverse DNS lookup related attack >>> vectors. As an example of why relying on reverse DNS for making security >>> related decisions is not recommended, see this link: >>> https://cwe.mitre.org/data/definitions/350.html. >>> >>> The Globus team has checked the host certificates used for a number of >>> GridFTP endpoints and found that many are _not_ RFC 2818 compatible. >>> These incompatible certificates will need to be replaced prior to >>> clients defaulting to the new strict mode algorithm. >>> >>> We are reaching out to request that Globus service admins check their >>> host certificates and update them if necessary. We are asking admins to >>> replace any incompatible certificates by Mar 1, 2016. After March 1, we >>> will release updated Globus Toolkit components that will change the >>> default client authorization algorithm to strict mode. At that time, >>> the Globus.org transfer service will also update its identity checking >>> algorithm. This should ensure no service disruptions for the Globus >>> community. >>> >>> Note: Globus Connect Server installations that use the Globus provided >>> certificate are not affected and do not have to make any changes to >>> their Globus Connect Server endpoint(s). >>> >>> We have created a page where additional details about this change will >>> be communicated: >>> https://docs.globus.org/security-bulletins/2015-12-strict-mode/ >>> The above page includes common reasons for incompatibilities and how to >>> check for compatibility. >>> >>> If you have any questions or concerns regarding this planned change, >>> please contact us at supp...@globus.org. >>> >>> - The Globus team
