Ok - this change has been released! globus-gssapi-gsi 12.0 is now on globus’ stable repos.
-Stu

> On May 4, 2016, at 9:25 AM, Stuart Martin <smar...@mcs.anl.gov> wrote:
>
> The change will be in package: globus-gssapi-gsi with version greater than or
> equal to 12.0
>
>> On May 4, 2016, at 9:07 AM, Steven C Timm <t...@fnal.gov> wrote:
>>
>> What has not been clear to me is the following:
>> Stuart Martin's E-mail says that new clients will be released but it does
>> not say what Globus version that those new clients correspond to. How do we
>> tell via the client versions which ones are enforcing strict mode and which
>> ones are not? Furthermore those of us who get the globus clients through
>> other distributions, how do we tell when our distribution is starting to
>> use them?
>>
>> Steve Timm
>>
>>
>> ________________________________________
>> From: gt-user-boun...@lists.globus.org <gt-user-boun...@lists.globus.org>
>> on behalf of Basney, Jim <jbas...@illinois.edu>
>> Sent: Wednesday, May 4, 2016 9:00:54 AM
>> To: GT User
>> Subject: Re: [gt-user] Globus "strict mode" coming March 2016 - Action
>> Required
>>
>> Hi,
>>
>> Did this change happen as planned? Is the transition going OK for everyone?
>>
>> In my role as CA operator, I know we've been issuing a lot of host certs
>> with multiple subjectAltNames in preparation for this transition, so
>> hopefully everyone has the certs they need.
>>
>> -Jim
>>
>> On 2/4/16, 5:21 PM, Stuart Martin wrote:
>>> Hi All,
>>>
>>> Here is a reminder about this deadline and upcoming change.
>>>
>>> Admins should check their host certificates and update them if necessary.
>>> Replace any incompatible certificates by Mar 1, 2016.
>>>
>>> To allow a bit of a buffer between the service-side certificate update
>>> deadline and clients beginning to use strict mode, updates will be made
>>> to the Globus Toolkit to default the client-side algorithm to strict mode
>>> on Tuesday, April 5, 2016.
>>>
>>> - The Globus Team
>>>
>>>> On Dec 1, 2015, at 2:50 PM, Stuart Martin <smar...@mcs.anl.gov> wrote:
>>>>
>>>> Dear All,
>>>>
>>>> Globus is planning to change the default client-side algorithm for
>>>> checking the server's identity used by GridFTP, MyProxy, GSI-OpenSSH,
>>>> and GRAM. The new algorithm performs identity matching as described in
>>>> section 3.1 of RFC 2818
>>>> (https://tools.ietf.org/html/rfc2818#section-3.1), the standard
>>>> describing TLS use with HTTP. This involves a change in the
>>>> globus-gssapi-gsi library, and will apply to any application that uses
>>>> the updated library.
>>>>
>>>> The new "strict mode" algorithm will be more strict in its enforcement,
>>>> checking that the server's certificate identity matches the hostname
>>>> that the client uses to contact the service. Once clients are
>>>> configured for strict mode, client authentication (of any Globus
>>>> service) would fail if the service is using a certificate that does not
>>>> match the hostname that the client used to contact the service.
>>>>
>>>> This change will bring our identity checking algorithm in line with RFC
>>>> 2818, and will also close the door to reverse DNS lookup related attack
>>>> vectors. As an example of why relying on reverse DNS for making security
>>>> related decisions is not recommended, see this link:
>>>> https://cwe.mitre.org/data/definitions/350.html
>>>>
>>>> The Globus team has checked the host certificates used for a number of
>>>> GridFTP endpoints and found that many are _not_ RFC 2818 compatible.
>>>> These incompatible certificates will need to be replaced prior to
>>>> clients defaulting to the new strict mode algorithm.
>>>>
>>>> We are reaching out to request that Globus service admins check their
>>>> host certificates and update them if necessary. We are asking admins to
>>>> replace any incompatible certificates by Mar 1, 2016. After March 1, we
>>>> will release updated Globus Toolkit components that will change the
>>>> default client authorization algorithm to strict mode. At that time,
>>>> the Globus.org transfer service will also update its identity checking
>>>> algorithm. This should ensure no service disruptions for the Globus
>>>> community.
>>>>
>>>> Note: Globus Connect Server installations that use the Globus provided
>>>> certificate are not affected and do not have to make any changes to
>>>> their Globus Connect Server endpoint(s).
>>>>
>>>> We have created a page where additional details about this change will
>>>> be communicated:
>>>> https://docs.globus.org/security-bulletins/2015-12-strict-mode/
>>>> The above page includes common reasons for incompatibilities and how to
>>>> check for compatibility.
>>>>
>>>> If you have any questions or concerns regarding this planned change,
>>>> please contact us at supp...@globus.org.
>>>>
>>>> - The Globus team
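The thread above describes the RFC 2818 section 3.1 check that strict mode enforces (the name the client used must appear in the server certificate) and the reverse-DNS weakness (CWE-350) it closes. The following is an added illustration written for this page; it is not code from globus-gssapi-gsi or the Globus Toolkit. It uses the certificate dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, and every certificate, hostname and PTR answer in it is constructed for the demonstration. The "legacy" function is a simplified sketch of a reverse-DNS-based check for contrast, not a transcription of the old Globus algorithm, and the wildcard handling is deliberately conservative (whole leftmost label only).

```python
"""RFC 2818 section 3.1 hostname matching versus a reverse-DNS check.

Example code added to this page, not part of globus-gssapi-gsi.  Certificates
are dicts in the shape returned by ssl.SSLSocket.getpeercert(): 'subjectAltName'
is a tuple of (type, value) pairs, 'subject' a tuple of RDNs.  All certificates,
hostnames and PTR answers below are constructed for the demonstration.
"""


def _dns_names(cert):
    """dNSName entries from subjectAltName, if any."""
    return [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]


def _common_name(cert):
    """Subject CN; consulted only when the cert carries no dNSName SAN."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _label_match(pattern, hostname):
    """Case-insensitive match; '*' may stand for the whole leftmost label only.

    Conservative reading of RFC 2818: '*.xfer.example.org' matches one label
    (node7.xfer.example.org), not zero (xfer.example.org) or two.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def strict_match(cert, hostname):
    """Strict mode: the hostname the client *used* must be in the certificate.

    dNSName SANs are authoritative when present; the CN is a fallback only for
    certificates with no dNSName SAN at all.
    """
    names = _dns_names(cert)
    if not names:
        cn = _common_name(cert)
        names = [cn] if cn else []
    return any(_label_match(n, hostname) for n in names)


def legacy_reverse_dns_match(cert, ptr_names):
    """Sketch of a reverse-DNS-based identity check (CWE-350), for contrast.

    Instead of the name the client typed, this trusts whatever the PTR record
    of the peer's IP address says.  Whoever controls that PTR zone controls
    the outcome.  Illustrative only, not the old Globus algorithm.
    """
    return any(strict_match(cert, n) for n in ptr_names)


def incompatible_names(cert, hostnames):
    """Admin-side check: which client-facing names would fail strict mode."""
    return [h for h in hostnames if not strict_match(cert, h)]


# Constructed host certificate with several SANs, covering every name clients use.
GOOD_CERT = {
    "subject": ((("commonName", "gridftp.example.org"),),),
    "subjectAltName": (("DNS", "gridftp.example.org"),
                       ("DNS", "data.example.org"),
                       ("DNS", "*.xfer.example.org")),
}

# Constructed CN-only certificate in a 'host/<fqdn>' style; no dNSName SAN.
LEGACY_CERT = {
    "subject": ((("commonName", "host/gridftp01.example.org"),),),
    "subjectAltName": (),
}

# Constructed certificate legitimately issued to an attacker-controlled name.
ATTACKER_CERT = {
    "subject": ((("commonName", "attacker.example.net"),),),
    "subjectAltName": (("DNS", "attacker.example.net"),),
}

if __name__ == "__main__":
    # Client typed gridftp.example.org but was steered to the attacker's IP,
    # whose PTR record (attacker-controlled) answers attacker.example.net.
    print("legacy accepts:", legacy_reverse_dns_match(ATTACKER_CERT, ["attacker.example.net"]))
    print("strict accepts:", strict_match(ATTACKER_CERT, "gridftp.example.org"))
    print("names failing strict mode:",
          incompatible_names(LEGACY_CERT, ["gridftp01.example.org"]))
```

Run against a live endpoint, `cert` would come from `getpeercert()` on a TLS connection and `hostname` from the address the user supplied, never from a reverse lookup of the peer address; the last call shows the admin-side use, listing which of the names clients connect with are absent from a certificate.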