[Pgi-wg] TLS : OpenSSL and GSI implementations - gLite 3.2 released today

Vincenzo Ciaschini vincenzo.ciaschini at cnaf.infn.it
Fri Mar 27 06:51:05 CDT 2009


Morris Riedel wrote:
> 
> OpenSSL Proxy-based TLSs are different from GSI-Proxy-based TLSs – as 
> far as I understood from my interop experiences and from our conversations.
Actually, they are the same.  You are thinking about legacy proxies, 
which are indeed different.  However, from GT4 onward, RFC proxies 
(OpenSSL proxies) are supported.

Ciao,
    Vincenzo
>
> I thought this has unfortunately not changed yet?
>
> Take care,
> Morris
>
> ------------------------------------------------------------
> Morris Riedel
> SW - Engineer
> Distributed Systems and Grid Computing Division
> Jülich Supercomputing Centre (JSC)
> Forschungszentrum Juelich
> Wilhelm-Johnen-Str. 1
> D - 52425 Juelich
> Germany
>
> Email: m.riedel at fz-juelich.de
> Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel
> Phone: +49 2461 61 - 3651
> Fax: +49 2461 61 - 6656
>
> Skype: MorrisRiedel
>
> "We work to better ourselves, and the rest of humanity"
>
> Sitz der Gesellschaft: Jülich
> Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR B 3498
> Vorsitzende des Aufsichtsrats: MinDirig'in Bärbel Brumme-Bothe
> Vorstand: Prof. Dr. Achim Bachem (Vorsitzender),
> Dr. Ulrich Krafft (stellv. Vorsitzender)
>
> *From:* weizhong qiang [mailto:weizhongqiang at gmail.com]
> *Sent:* Friday, March 27, 2009 11:01 AM
> *To:* Morris Riedel
> *Cc:* Aleksandr Konstantinov; pgi-wg at ogf.org
> *Subject:* Re: [Pgi-wg] TLS : OpenSSL and GSI implementations - gLite 3.2 released today
>
> 2009/3/27 Morris Riedel <m.riedel at fz-juelich.de>
> 
> Ok,
> 
>  and that's why we have to support both in our profiles I guess - correct?!
> 
> 
> It depends what is the definition of the "both" here.
> 
> Weizhong
>  
> 
> 
> 
> 
>     Take care,
>     Morris
> 
>     >------Original Message-----
>     >-From: pgi-wg-bounces at ogf.org [mailto:pgi-wg-bounces at ogf.org] On Behalf Of
>     >-Aleksandr Konstantinov
>     >-Sent: Friday, March 27, 2009 10:49 AM
>     >-To: pgi-wg at ogf.org
>     >-Subject: Re: [Pgi-wg] TLS : OpenSSL and GSI implementations - gLite 3.2 released today
>     >-
> 
>     >-On Monday 23 March 2009 15:04, Etienne URBAH wrote:
>     >-> To all,
>     >->
>     >-> Concerning various implementations of TLS to handle X509 certificates
>     >-> and proxies, it seems that :
>     >->
>     >-> -  DEISA (Unicore) uses the OpenSSL implementation of TLS to process
>     >-> X509 certificates,
>     >->
>     >-> -  EGEE (gLite) and NorduGrid (ARC) use the GSI (Globus Security
>     >-> Infrastructure) implementation of TLS to process X509 proxies,
>     >-
>     >-No, ARC uses OpenSSL for TLS data connections and Globus for
>     >-GSI connections (SRM and GridFTP).
>     >-
>     >-
>     >-A.K.
>     >-
>     >-
>     >->
>     >-> -  The OpenSSL and GSI implementations of TLS seem to be INCOMPATIBLE
>     >-> (see mails below of Weizhong QIANG and Duane MERRIL).
>     >->
>     >-> This would make any interoperability very difficult.
>     >->
>     >->
>     >-> But the situation is perhaps NOT so desperate :
>     >->
>     >-> -  EGEE has just released gLite version 3.2 today 23 March 2009.
>     >->
>     >-> -  In slide 3 of the presentation 'Middleware update' performed at CERN
>     >-> GDB on 11 March 2009 and which is available at
>     >-> http://indico.cern.ch/getFile.py/access?sessionId=7&resId=1&materialId=0&confId=45473
>     >->     Andreas UNTERKIRCHER explains that gLite 3.2 uses VDT 1.10, which
>     >-> uses 'system OpenSSL'.
>     >->
>     >->
>     >-> ==>  Can Andreas UNTERKIRCHER provide more precisions, and confirm that
>     >-> this permits interoperability at the X509 level ?
>     >->
>     >-> ==>  Can the PGI chairs plan an interoperability test ASAP to check if
>     >-> this really works ?
>     >->
>     >->
>     >-> In hope that the above informations and suggestions are useful.
>     >->
>     >-> Best regards.
>     >->
>     >-> ----------------------------------
>     >-> Etienne URBAH          IN2P3 - LAL
>     >-> Bat 200     91898 ORSAY     France
>     >-> Tel: +33 1 64 46 84 87
>     >-> Mob: +33 6 22 30 53 27
>     >-> Skype: etienne.urbah
>     >-> mailto:urbah at lal.in2p3.fr <mailto:urbah at lal.in2p3.fr>
>     >-> ----------------------------------
>     >->
>     >->
>     >-> On Mon, 23 Mar 200, Jens Jensen wrote:
>     >-> > 2009/3/20 weizhong qiang <weizhongqiang at gmail.com>:
>     >-> >> On Fri, Mar 20, 2009 at 3:00 PM, <m.riedel at fz-juelich.de> wrote:
>     >-> >> Basically the globus implementation of GSSAPI is about a specific
>     >-> >> context-initiation negotiation, and some data-padding for initiation and
>     >-> >> data-transferring. Also you can accomplish proxy-delegation via it.
>     >-> >> What is for sure is that you can not use client based on normal TLS to talk
>     >-> >> with service which is based on GSSAPI, or vice versa.
>     >-> >> AFAIK, There is some grid service (WS compliant) such as some SRM service
>     >-> >> which uses GSSAPI. (SOAP + HTTP + GSS).
>     >-> >
>     >-> > Some years since I last looked at it in detail but IIRC GSSAPI (RFC2743) is just
>     >-> > a mechanism for establishing security contexts - if you get these
>     >-> > bytes then send
>     >-> > this, etc.  Presumably normal TLS can be implemented via GSSAPI as well, see
>     >-> > eg section 5.3 of the RFC
>     >-> > Someone once told me Globus had to deviate from the standard GSSAPI
>     >-> > to implement GSI. If this is true then it's worth documenting, no?
>     >-> > Again long time ago I experimented with the Globus module for GSI and
>     >-> > the lower level Globus GSSAPI.  At the time they did not interoperate :-)
>     >-> > Had some discussions with Aleksandr at the time.
>     >-> >
>     >-> > Regards
>     >-> > --jens
>     >->
>     >->
>     >->
>     >-> On Fri, 20 Mar 2009, Duane Merrill wrote:
>     >-> > In theory, rfc-3820 proxy certs should not have any effect on TLS wire
>     >-> > protocol. For various reasons, different versions of GSI-OpenSSH *have*
>     >-> > changed the wire format in different ways. (Shame on them.) Out of
>     >-> > curiosity, are there any published/publicly-available descriptions of
>     >-> > these deltas?
>     >-> >
>     >-> > Duane
>     >->
>     >-_______________________________________________
>     >-Pgi-wg mailing list
>     >-Pgi-wg at ogf.org <mailto:Pgi-wg at ogf.org>
>     >-http://www.ogf.org/mailman/listinfo/pgi-wg