The change will be in package: globus-gssapi-gsi with version greater than or equal to 12.0

> On May 4, 2016, at 9:07 AM, Steven C Timm <[email protected]> wrote:
>
> What has not been clear to me is the following:
> Stuart Martin's E-mail says that new clients will be released but it does
> not say what Globus
> version that those new clients correspond to. How do we tell via the client
> versions which ones
> are enforcing strict mode and which ones are not? Furthermore those of us
> who get the globus clients through other distributions, how do we tell when
> our distribution is starting to use them?
>
> Steve Timm
>
>
> ________________________________________
> From: [email protected] <[email protected]> on
> behalf of Basney, Jim <[email protected]>
> Sent: Wednesday, May 4, 2016 9:00:54 AM
> To: GT User
> Subject: Re: [gt-user] Globus "strict mode" coming March 2016 - Action
> Required
>
> Hi,
>
> Did this change happen as planned? Is the transition going OK for everyone?
>
> In my role as CA operator, I know we've been issuing a lot of host certs
> with multiple subjectAltNames in preparation for this transition, so
> hopefully everyone has the certs they need.
>
> -Jim
>
> On 2/4/16, 5:21 PM, Stuart Martin wrote:
>> Hi All,
>>
>> Here is a reminder about this deadline and upcoming change.
>>
>> Admins should check their host certificates and update them if necessary.
>> Replace any incompatible certificates by Mar 1, 2016.
>>
>> To allow a bit of a buffer between the service-side certificate update
>> deadline and clients beginning to use strict mode, updates will be made
>> to the Globus Toolkit to default the client-side algorithm to strict mode
>> on Tuesday, April 5, 2016.
>>
>> - The Globus Team
>>
>>> On Dec 1, 2015, at 2:50 PM, Stuart Martin <[email protected]> wrote:
>>>
>>> Dear All,
>>>
>>> Globus is planning to change the default client-side algorithm for
>>> checking the server's identity used by GridFTP, MyProxy, GSI-OpenSSH,
>>> and GRAM. The new algorithm performs identity matching as described in
>>> section 3.1 of RFC 2818
>>> (https://tools.ietf.org/html/rfc2818#section-3.1), the standard
>>> describing TLS use with HTTP. This involves a change in the
>>> globus-gssapi-gsi library, and will apply to any application that uses
>>> the updated library.
>>>
>>> The new "strict mode" algorithm will be more strict in its enforcement,
>>> checking that the server's certificate identity matches the hostname
>>> that the client uses to contact the service. Once clients are
>>> configured for strict mode, client authentication (of any Globus
>>> service) would fail if the service is using a certificate that does not
>>> match the hostname that the client used to contact the service.
>>>
>>> This change will bring our identity checking algorithm in line with RFC
>>> 2818, and will also close the door to reverse DNS lookup related attack
>>> vectors. As an example of why relying on reverse DNS for making security
>>> related decisions is not recommended, see this link:
>>> https://cwe.mitre.org/data/definitions/350.html.
>>>
>>> The Globus team has checked the host certificates used for a number of
>>> GridFTP endpoints and found that many are _not_ RFC 2818 compatible.
>>> These incompatible certificates will need to be replaced prior to
>>> clients defaulting to the new strict mode algorithm.
>>>
>>> We are reaching out to request that Globus service admins check their
>>> host certificates and update them if necessary. We are asking admins to
>>> replace any incompatible certificates by Mar 1, 2016. After March 1, we
>>> will release updated Globus Toolkit components that will change the
>>> default client authorization algorithm to strict mode. At that time,
>>> the Globus.org transfer service will also update its identity checking
>>> algorithm. This should ensure no service disruptions for the Globus
>>> community.
>>>
>>> Note: Globus Connect Server installations that use the Globus provided
>>> certificate are not affected and do not have to make any changes to
>>> their Globus Connect Server endpoint(s).
>>>
>>> We have created a page where additional details about this change will
>>> be communicated:
>>> https://docs.globus.org/security-bulletins/2015-12-strict-mode/
>>> The above page includes common reasons for incompatibilities and how to
>>> check for compatibility.
>>>
>>> If you have any questions or concerns regarding this planned change,
>>> please contact us at [email protected].
>>>
>>> - The Globus team
>
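The thread above describes the RFC 2818 section 3.1 check that strict mode applies to a host certificate but does not show it. The following is an added example, not Globus Toolkit code and not from any participant in the thread: a standard-library Python implementation of that matching rule that an admin can run against a service's certificate identity to see which client-facing hostnames would fail once clients default to strict mode. It assumes certificate data in the dictionary layout that Python's `ssl.SSLSocket.getpeercert()` returns; the sample certificates and hostnames below are constructed for illustration and do not describe any real endpoint.

```python
"""RFC 2818 section 3.1 server identity matching ("strict mode" check).

Rules implemented:
  * If dNSName subjectAltNames are present they are THE identity; the
    subject Common Name is ignored entirely.
  * Otherwise the most specific (last) Common Name is used.
  * Matching is case-insensitive; '*' matches a single label or a fragment
    of one ('*.a.com' matches 'foo.a.com', not 'bar.foo.a.com').
  * An IP-literal hostname must match an iPAddress subjectAltName exactly.
Reverse DNS is never consulted, which is the point of strict mode.
"""
import ipaddress
import re


def _san_values(cert, kind):
    """subjectAltName entries of one kind ('DNS' or 'IP Address'), in the
    (type, value) tuple layout used by ssl.SSLSocket.getpeercert()."""
    return [value for typ, value in cert.get("subjectAltName", ()) if typ == kind]


def _most_specific_common_name(cert):
    """RFC 2818 fallback identity: the last commonName in the subject RDNs."""
    cn = None
    for rdn in cert.get("subject", ()):
        for typ, value in rdn:
            if typ == "commonName":
                cn = value
    return cn


def _label_matches(pattern_label, host_label):
    """Compare one DNS label; '*' may match any fragment but never a '.'."""
    if "*" not in pattern_label:
        return pattern_label.lower() == host_label.lower()
    regex = "^" + "[^.]*".join(re.escape(p) for p in pattern_label.split("*")) + "$"
    return re.match(regex, host_label, re.IGNORECASE) is not None


def _dns_name_matches(pattern, hostname):
    """Whole-name comparison: same label count, every label matches."""
    p_labels = pattern.rstrip(".").split(".")
    h_labels = hostname.rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def _ip_matches(san_value, ip):
    try:
        return ipaddress.ip_address(san_value) == ip
    except ValueError:
        return False


def strict_match(cert, hostname):
    """True if `cert` identifies `hostname` under RFC 2818 section 3.1."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literal: only an iPAddress SAN counts, never the CN.
        return any(_ip_matches(v, ip) for v in _san_values(cert, "IP Address"))
    dns_names = _san_values(cert, "DNS")
    if dns_names:
        return any(_dns_name_matches(n, hostname) for n in dns_names)
    cn = _most_specific_common_name(cert)
    return cn is not None and _dns_name_matches(cn, hostname)


def incompatible_names(cert, client_hostnames):
    """Hostnames clients use for this service that strict mode would reject."""
    return [h for h in client_hostnames if not strict_match(cert, h)]


# Constructed sample certificate identities (hypothetical hosts, not real endpoints).
SAN_CERT = {
    "subject": ((("commonName", "gridftp.example.org"),),),
    "subjectAltName": (("DNS", "gridftp.example.org"), ("DNS", "data.example.org"),
                       ("IP Address", "192.0.2.10")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "gridftp.example.org"),),)}
# A CN that is not a bare hostname cannot match under RFC 2818 rules.
LEGACY_CN_CERT = {"subject": ((("commonName", "host/gridftp.example.org"),),)}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.org"),)}
# SAN present, so the CN below is ignored even though it names a real alias.
SAN_SHADOWS_CN_CERT = {
    "subject": ((("commonName", "data.example.org"),),),
    "subjectAltName": (("DNS", "gridftp.example.org"),),
}

if __name__ == "__main__":
    names = ["gridftp.example.org", "data.example.org", "192.0.2.10"]
    for label, cert in [("SAN", SAN_CERT), ("CN only", CN_ONLY_CERT),
                        ("legacy CN", LEGACY_CN_CERT)]:
        bad = incompatible_names(cert, names)
        print(f"{label:10s}: {'OK' if not bad else 'would fail for ' + ', '.join(bad)}")
```

The report from the `__main__` block is the check an admin wants before April 5: every name that clients actually use for an endpoint (each DNS alias, and any IP literal) must appear as a subjectAltName, which is why the thread mentions issuing host certificates with multiple subjectAltNames.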
