Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TLS v1.3 #150

Merged
merged 18 commits into from
Mar 25, 2021
Merged

TLS v1.3 #150

merged 18 commits into from
Mar 25, 2021

Conversation

ellert
Copy link
Member

@ellert ellert commented Mar 25, 2021
edited by fscheiner
Loading

Make GCT compatible with TLS v1.3.

With this change I was able to rebuild all other GCT packages without changes aigainst the updated globus-gssapi-gsi that enables TLS v1.3. That is all the unit tests that are run during the package build succeeded with TLS v1.3.

Fixes #43 (added for linkage) on issues page

ellert added 18 commits September 13, 2020 05:40
@ellert
Remove trailing whitespace
7f468e3 
Convert tabs to spaces
@ellert
Allow TLS v1.3
dd6ad94
@ellert
No NULL ciphers in TLS v1.3
11c0a91
@ellert
Add missing config option to list
b2e6edd
@ellert
Remove confusing double parentheses
cd99295
@ellert
Add parentheses for consistency
843fe51
@ellert
Harmonize the debug messages for init() and accept()
d050553 
This makes debugging slightly easier
@ellert
Update and fix some typos in comments
1596b3a
@ellert
Remove commented-out code
6e14927
@ellert
Use consistent check for SSL v2 backward compatible hello
1d0d02d
@ellert
Add missing goto on error
77f3aed
@ellert
Add comment (for consistency)
3abc3e8 
Correct old cut-and-paste errors
@ellert
TLS v1.3 sends 2 session tokens after the handshake is completed
4e76b43 
We need to recieve them before continuing with the GSI proxy
@ellert
Fix some compiler warnings
13851d8
@ellert
Fix some compiler warnings
9f843de
@ellert
Version and packaging update for globus-gssapi-gsi
b275cec 
Compatibility with TLS v1.3
@ellert
Remove trailing whitespace
f44f7be 
Convert tabs to spaces
Add and remove spaces for readability
@ellert
Version and packaging update for globus-gss-assist
06b0692 
Minor bug fixes and code maintenance
@ellert ellert mentioned this pull request Mar 25, 2021
Closed
@fscheiner
Copy link
Member

Just to be sure: If we merge #146 and/or #149 before this one, do you need to rebase this one? If yes, I'd prefer to merge this one here first.

@ellert
Copy link
Member Author

ellert commented Mar 25, 2021

Just to be sure: If we merge #146 and/or #149 before this one, do you need to rebase this one? If yes, I'd prefer to merge this one here first.

There are no conflicts with #146. There is one common file with #149, but the changes are far apart, so either being merged before the other should not cause conflicts. No need for rebase.

fscheiner
fscheiner approved these changes Mar 25, 2021
View reviewed changes
Copy link
Member

@fscheiner fscheiner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As per #150 (comment) @ellert has confirmed that this works, so let's merge this and close our second oldest open issue and make the GCT fit for the future.

Maybe these changes also justify a new release, what do you think?

@maarten-litmaath
Copy link

Hi guys,
this is great news: congratulations & thanks very much!

However, we will need to be careful with releasing the new code,
as it has not been tested against production services, particularly
those that have their own GSI stack, like dCache and XRootD.

I think we need to keep the maximum TLS version at 1.2 by default,
so that things will keep working as before, and then we can ask for
v1.3 to be tried by various teams, e.g. the FTS devs.

What do you think?

@ellert
Copy link
Member Author

ellert commented Mar 25, 2021

It obviously needs to be tested against other implementations.
Note that TLS 1.3 requires openssl 1.1.
The default version of openssl in RHEL/CentOS 7 is openssl 1.0, so any installation running on that will be limited to TLS 1.2 anyway.
Whether we should set the default higher version to 1.2 can be decided later based on what testing we manage to do before the next release. This just means changing a line in gsi.conf - no changes needed to the code.

@ellert ellert merged commit f8ccd90 into gridcf:master Mar 25, 2021
@maarten-litmaath
Copy link

Excellent, thanks!

@ellert ellert deleted the tls-v1.3 branch March 25, 2021 18:14
@chrisburr chrisburr mentioned this pull request May 18, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fscheiner fscheiner fscheiner approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

globus-gssapi-gsi and TLS 1.3
3 participants
@ellert @fscheiner @maarten-litmaath