Hi,
The instructions here say if you're using Globus-provided certs, you
aren't affected. Does that include simple-CA certs? If so, are we still
OK even if we see the "not ok" string at the end of
grid-cert-diagnostics? I'm seeing the following and want to know if I
can ignore this or not as it's Globus-provided:
Checking subjectAltName extensions... no
Verifying certificate chain... failed
globus_credential: Error verifying credential: Failed to verify credential
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: Error with signing policy
globus_gsi_callback_module: Error in OLD GAA code: The subject of the certificate
"/C=US/O=Globus Consortium/CN=Globus Connect CA" does not match the signing
policies defined in /etc/grid-security/certificates/7a42187f.signing_policy
Performing name comparison... not ok
Thanks,
Cameron
On 05/04/2016 07:25 AM, Stuart Martin wrote:
The change will be in package: globus-gssapi-gsi with version greater
than or equal to 12.0
On May 4, 2016, at 9:07 AM, Steven C Timm <t...@fnal.gov
<mailto:t...@fnal.gov>> wrote:
What has not been clear to me is the following:
Stuart Martin's E-mail says that new clients will be released but it
does not say what Globus
version that those new clients correspond to. How do we tell via the
client versions which ones
are enforcing strict mode and which ones are not? Furthermore those
of us who get the globus clients through other distributions, how do
we tell when our distribution is starting to use them?
Steve Timm
________________________________________
From: gt-user-boun...@lists.globus.org
<mailto:gt-user-boun...@lists.globus.org>
<gt-user-boun...@lists.globus.org
<mailto:gt-user-boun...@lists.globus.org>> on behalf of Basney, Jim
<jbas...@illinois.edu <mailto:jbas...@illinois.edu>>
Sent: Wednesday, May 4, 2016 9:00:54 AM
To: GT User
Subject: Re: [gt-user] Globus ³strict mode² coming March 2016 -
Action Required
Hi,
Did this change happen as planned? Is the transition going OK for
everyone?
In my role as CA operator, I know we've been issuing a lot of host certs
with multiple subjectAltNames in preparation for this transition, so
hopefully everyone has the certs they need.
-Jim
On 2/4/16, 5:21 PM, Stuart Martin wrote:
Hi All,
Here is a reminder about this deadline and upcoming change.
Admins should check their host certificates and update them if
necessary.
Replace any incompatible certificates by Mar 1, 2016.
To allow a bit of a buffer between the service-side certificate update
deadline and clients beginning to use strict mode, updates will be made
to the Globus Toolkit to default the client-side algorithm to strict
mode
on Tuesday, April 5, 2016.
- The Globus Team
On Dec 1, 2015, at 2:50 PM, Stuart Martin <smar...@mcs.anl.gov
<mailto:smar...@mcs.anl.gov>> wrote:
Dear All,
Globus is planning to change the default client-side algorithm for
checking the server¹s identity used by GridFTP, MyProxy, GSI-OpenSSH,
and GRAM. The new algorithm performs identity matching as described in
section 3.1 of RFC 2818
(https://tools.ietf.org/html/rfc2818#section-3.1), the standard
describing TLS use with HTTP. This involves a change in the
globus-gssapi-gsi library, and will apply to any application that uses
the updated library.
The new ³strict mode² algorithm will be more strict in its enforcement,
checking that the server¹s certificate identity matches the hostname
that the client uses to contact the service. Once clients are
configured for strict mode, client authentication (of any Globus
service) would fail if the service is using a certificate that does not
match the hostname that the client used to contact the service.
This change will bring our identity checking algorithm in line with RFC
2818, and will also close the door to reverse DNS lookup related attack
vectors. As an example of why relying on reverse DNS for making
security
related decisions is not recommended, see this link:
https://cwe.mitre.org/data/definitions/350.html.
The Globus team has checked the host certificates used for a number of
GridFTP endpoints and found that many are _not_ RFC 2818 compatible.
These incompatible certificates will need to be replaced prior to
clients defaulting to the new strict mode algorithm.
We are reaching out to request that Globus service admins check their
host certificates and update them if necessary. We are asking
admins to
replace any incompatible certificates by Mar 1, 2016. After March
1, we
will release updated Globus Toolkit components that will change the
default client authorization algorithm to strict mode. At that time,
the Globus.org
<http://secure-web.cisco.com/1CCWzya20RlAyAnWodonVq7GRuMGLiFiEkD5o0k2yX0mpK2s6kdNCTk8KkFJUemnkopGfriihYembpZRsQNLJ0AvyZouQiHv9UHW6S5BMbEbbwKA1dPFKxeMaMROveQCQucNLaAUlXO19u6HO4Y5VrOM-7wc3bE15ZkgEt6b99eXlWeHI-AmBXrWL8jvNsRxTN8SRkl3SS4-cdhSRn34Sz4XGA8aZ5b33JXjN_rc_TOaG4d3VabyWRbj9jfHAqYdQW0MP5S3xDPjXHUokSWxYXZfiU3eKCXA4DPtdFUqYtLUWDQaoUpJjOgXFAOKtggWo0JPuz76VgiP4WtUZSjBeHX8pOMxWfFWqk50_oUKstd8/http%3A%2F%2Fglobus.org>
transfer service will also update its identity checking
algorithm. This should ensure no service disruptions for the Globus
community.
Note: Globus Connect Server installations that use the Globus provided
certificate are not affected and do not have to make any changes to
their Globus Connect Server endpoint(s).
We have created a page where additional details about this change will
be communicated:
https://docs.globus.org/security-bulletins/2015-12-strict-mode/
<https://secure-web.cisco.com/1bjBzv-ex3os8T9Ug5PhEDxWa6pGEAP32mYnqSSujsdtn-z6CZWQXo_yEsisVAkjX9fcjMNkYFCIszpPyZ2eq2AdQ195h8OBxkFkI2TNvJ7OULkl3YjX1BhIKteDjGAcLTLz0qCxErv6VHYhJ10WoMh3omD6r29JlcaSjJ91Qcz-aG-DSR0z69dwq6hWhjHpIvuvt5FplFEYdbHQoTbVriOs2YO2FOGzjVe-5SQ0GVpVLwch7I7yi1hOSFgLF-iO6BRIEADK20YV0K5bu8pme8Oc108nkI2MOn2byy1WBVkmkuISdOtV6SdZt7jUPL7ayevcB_cG6X1NhRORPCuUk1Y6NZzW2P-0kBi0raq-UJkQIZjOlAZD3eEhTQn8r3V5W/https%3A%2F%2Fdocs.globus.org%2Fsecurity-bulletins%2F2015-12-strict-mode%2F>
The above page includes common reasons for incompatibilities and how to
check for compatibility.
If you have any questions or concerns regarding this planned change,
please contact us at supp...@globus.org <mailto:supp...@globus.org>.
- The Globus team