[Pgi-wg] TLS : OpenSSL and GSI implementations - gLite 3.2 released today
Aleksandr Konstantinov
aleksandr.konstantinov at fys.uio.no
Fri Mar 27 04:48:49 CDT 2009
On Monday 23 March 2009 15:04, Etienne URBAH wrote:
> To all,
>
> Concerning various implementations of TLS to handle X509 certificates
> and proxies, it seems that :
>
> - DEISA (Unicore) uses the OpenSSL implementation of TLS to process
> X509 certificates,
>
> - EGEE (gLite) and NorduGrid (ARC) use the GSI (Globus Security
> Infrastructure) implementation of TLS to process X509 proxies,
No, ARC uses OpenSSL for TLS data connections and Globus for
GSI connections (SRM and GridFTP).
A.K.
>
> - The OpenSSL and GSI implementations of TLS seem to be INCOMPATIBLE
> (see mails below of Weizhong QIANG and Duane MERRIL).
>
> This would make any interoperability very difficult.
>
>
> But the situation is perhaps NOT so desperate :
>
> - EGEE has just released gLite version 3.2 today 23 March 2009.
>
> - In slide 3 of the presentation 'Middleware update' performed at CERN
> GDB on 11 March 2009 and which is available at
> http://indico.cern.ch/getFile.py/access?sessionId=7&resId=1&materialId=0&confId=45473
> Andreas UNTERKIRCHER explains that gLite 3.2 uses VDT 1.10, which
> uses 'system OpenSSL'.
>
>
> ==> Can Andreas UNTERKIRCHER provide more precisions, and confirm that
> this permits interoperability at the X509 level ?
>
> ==> Can the PGI chairs plan an interoperability test ASAP to check if
> this really work ?
>
>
> In hope that the above informations and suggestions are useful.
>
> Best regards.
>
> ----------------------------------
> Etienne URBAH IN2P3 - LAL
> Bat 200 91898 ORSAY France
> Tel: +33 1 64 46 84 87
> Mob: +33 6 22 30 53 27
> Skype: etienne.urbah
> mailto:urbah at lal.in2p3.fr
> ----------------------------------
>
>
> On Mon, 23 Mar 200, Jens Jensen wrote:
> > 2009/3/20 weizhong qiang <weizhongqiang at gmail.com>:
> >> On Fri, Mar 20, 2009 at 3:00 PM, <m.riedel at fz-juelich.de> wrote:
> >> Basically the globus implementation if GSSAPI is about a specific
> >> context-initiation negotiation, and some data-padding for initiation and
> >> data-transferring. Also you can accomplish proxy-delegation via it.
> >> What is for sure is that you can not use client based on normal TLS to talk
> >> with service which is based on GSSAPI, or vice versa.
> >> AFAIK, There is some grid service (WS compliant) such as some SRM service
> >> which uses GSSAPI. (SOAP + HTTP + GSS).
> >
> > Some years since I last looked at it in detail but IIRC GSSAPI (RFC2743) is just
> > a mechanism for establishing security contexts - if you get these
> > bytes then send
> > this, etc. Presumably normal TLS can be implemented via GSSAPI as well, see
> > eg section 5.3 of the RFC
> > Someone once told me Globus had to deviate from the standard GSSAPI
> > to implement GSI. If this is true then it's worth documenting, no?
> > Again long time ago I experimented with the Globus module for GSI and
> > the lower level Globus GSSAPI. At the time they did not interoperate :-)
> > Had some discussions with Aleksandr at the time.
> >
> > Regards
> > --jens
>
>
>
> On Fri, 20 Mar 2009, Duane Merrill wrote:
> > In theory, rfc-3820 proxy certs should not have any effect on TLS wire
> > protocol. For various reasons, different versions of GSI-OpenSSH *have*
> > changed the wire format in different ways. (Shame on them.) Out of
> > curiosity, are there any published/publicly-availabe descriptions of
> > these deltas?
> >
> > Duane
>
More information about the Pgi-wg
mailing list