[Pgi-wg] TLS : OpenSSL and GSI implementations - gLite 3.2 released today
Aleksandr Konstantinov
aleksandr.konstantinov at fys.uio.no
Fri Mar 27 07:34:23 CDT 2009
On Friday 27 March 2009 13:49, you wrote:
> Morris Riedel wrote:
> >
> > OpenSSL Proxy-based TLSs are different from GSI-Proxy-based TLSs – as
> > far as I understood from my interop experiences and from our conversations.
> Actually, they are the same. You are thinking about legacy proxies,
> which are indeed different. However, from GT4 onward, RFC proxies
> (OpenSSL proxies) are supported.
I think it was about the wire protocol and not about proxies. AFAIK many of us have learned
from our own experience that those are incompatible. At least as implemented by Globus.
A.K.
>
> Ciao,
> Vincenzo
> >
> > I thought this has unfortunately not changed yet?
> >
> > Take care,
> > Morris
> >
> > ------------------------------------------------------------
> > Morris Riedel
> > SW - Engineer
> > Distributed Systems and Grid Computing Division
> > Jülich Supercomputing Centre (JSC)
> > Forschungszentrum Juelich
> > Wilhelm-Johnen-Str. 1
> > D - 52425 Juelich
> > Germany
> >
> > Email: m.riedel at fz-juelich.de
> > Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel
> > Phone: +49 2461 61 - 3651
> > Fax: +49 2461 61 - 6656
> >
> > Skype: MorrisRiedel
> >
> > "We work to better ourselves, and the rest of humanity"
> >
> > Registered office: Jülich
> > Registered in the commercial register of the Düren local court, no. HR B 3498
> > Chair of the Supervisory Board: MinDirig'in Bärbel Brumme-Bothe
> > Board of Directors: Prof. Dr. Achim Bachem (Chairman),
> > Dr. Ulrich Krafft (Deputy Chairman)
> >
> > From: weizhong qiang [mailto:weizhongqiang at gmail.com]
> > Sent: Friday, March 27, 2009 11:01 AM
> > To: Morris Riedel
> > Cc: Aleksandr Konstantinov; pgi-wg at ogf.org
> > Subject: Re: [Pgi-wg] TLS : OpenSSL and GSI implementations - gLite 3.2 released today
> >
> > 2009/3/27 Morris Riedel <m.riedel at fz-juelich.de>
> >
> > Ok,
> >
> > and that's why we have to support both in our profiles I guess - correct?!
> >
> > It depends on what the definition of "both" is here.
> >
> > Weizhong
> >
> > Take care,
> > Morris
> >
> > >------Original Message-----
> > >-From: pgi-wg-bounces at ogf.org [mailto:pgi-wg-bounces at ogf.org] On Behalf Of
> > >-Aleksandr Konstantinov
> > >-Sent: Friday, March 27, 2009 10:49 AM
> > >-To: pgi-wg at ogf.org
> > >-Subject: Re: [Pgi-wg] TLS : OpenSSL and GSI implementations - gLite 3.2 released today
> > >-
> > >-On Monday 23 March 2009 15:04, Etienne URBAH wrote:
> > >-> To all,
> > >->
> > >-> Concerning various implementations of TLS to handle X509 certificates
> > >-> and proxies, it seems that :
> > >->
> > >-> - DEISA (Unicore) uses the OpenSSL implementation of TLS to process
> > >-> X509 certificates,
> > >->
> > >-> - EGEE (gLite) and NorduGrid (ARC) use the GSI (Globus Security
> > >-> Infrastructure) implementation of TLS to process X509 proxies,
> > >-
> > >-No, ARC uses OpenSSL for TLS data connections and Globus for
> > >-GSI connections (SRM and GridFTP).
> > >-
> > >-A.K.
> > >-
> > >->
> > >-> - The OpenSSL and GSI implementations of TLS seem to be INCOMPATIBLE
> > >-> (see mails below of Weizhong QIANG and Duane MERRIL).
> > >->
> > >-> This would make any interoperability very difficult.
> > >->
> > >->
> > >-> But the situation is perhaps NOT so desperate :
> > >->
> > >-> - EGEE has just released gLite version 3.2 today 23 March 2009.
> > >->
> > >-> - In slide 3 of the presentation 'Middleware update' performed at CERN
> > >-> GDB on 11 March 2009 and which is available at
> > >-> http://indico.cern.ch/getFile.py/access?sessionId=7&resId=1&materialId=0&confId=45473
> > >-> Andreas UNTERKIRCHER explains that gLite 3.2 uses VDT 1.10, which
> > >-> uses 'system OpenSSL'.
> > >->
> > >->
> > >-> ==> Can Andreas UNTERKIRCHER provide more details, and confirm that
> > >-> this permits interoperability at the X509 level ?
> > >->
> > >-> ==> Can the PGI chairs plan an interoperability test ASAP to check if
> > >-> this really works ?
> > >->
> > >->
> > >-> In the hope that the above information and suggestions are useful.
> > >->
> > >-> Best regards.
> > >->
> > >-> ----------------------------------
> > >-> Etienne URBAH IN2P3 - LAL
> > >-> Bat 200 91898 ORSAY France
> > >-> Tel: +33 1 64 46 84 87
> > >-> Mob: +33 6 22 30 53 27
> > >-> Skype: etienne.urbah
> > >-> mailto:urbah at lal.in2p3.fr
> > >-> ----------------------------------
> > >-> On Mon, 23 Mar 2009, Jens Jensen wrote:
> > >-> > 2009/3/20 weizhong qiang <weizhongqiang at gmail.com>:
> > >-> >> On Fri, Mar 20, 2009 at 3:00 PM, <m.riedel at fz-juelich.de> wrote:
> > >-> >> Basically the globus implementation of GSSAPI is about a specific
> > >-> >> context-initiation negotiation, and some data-padding for initiation and
> > >-> >> data-transferring. Also you can accomplish proxy-delegation via it.
> > >-> >> What is for sure is that you cannot use a client based on normal TLS to talk
> > >-> >> with a service which is based on GSSAPI, or vice versa.
> > >-> >> AFAIK, there are some grid services (WS compliant) such as some SRM services
> > >-> >> which use GSSAPI. (SOAP + HTTP + GSS).
> > >-> >
> > >-> > Some years since I last looked at it in detail but IIRC GSSAPI (RFC2743) is just
> > >-> > a mechanism for establishing security contexts - if you get these
> > >-> > bytes then send this, etc. Presumably normal TLS can be implemented via GSSAPI as
> > >-> > well, see eg section 5.3 of the RFC.
> > >-> > Someone once told me Globus had to deviate from the standard GSSAPI
> > >-> > to implement GSI. If this is true then it's worth documenting, no?
> > >-> > Again long time ago I experimented with the Globus module for GSI and
> > >-> > the lower level Globus GSSAPI. At the time they did not interoperate :-)
> > >-> > Had some discussions with Aleksandr at the time.
> > >-> >
> > >-> > Regards
> > >-> > --jens
> > >->
> > >-> On Fri, 20 Mar 2009, Duane Merrill wrote:
> > >-> > In theory, rfc-3820 proxy certs should not have any effect on TLS wire
> > >-> > protocol. For various reasons, different versions of GSI-OpenSSH *have*
> > >-> > changed the wire format in different ways. (Shame on them.) Out of
> > >-> > curiosity, are there any published/publicly-available descriptions of
> > >-> > these deltas?
> > >-> >
> > >-> > Duane
> > >->
> > >-_______________________________________________
> > >-Pgi-wg mailing list
> > >-Pgi-wg at ogf.org <mailto:Pgi-wg at ogf.org>
> > >-http://www.ogf.org/mailman/listinfo/pgi-wg
>
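The thread draws a line between legacy Globus proxies and RFC 3820 proxies, and Duane's point is that RFC 3820 proxies live entirely inside X.509 and should not touch the TLS wire format. The example below is added here and is not code from this thread nor from Globus, gLite or ARC: it decodes the RFC 3820 ProxyCertInfo extension (OID 1.3.6.1.5.5.7.1.14) from its DER value and applies the naming rule that tells an RFC proxy from a legacy one (subject = issuer's subject plus one CN RDN; a legacy proxy carries CN=proxy or CN=limited proxy and no ProxyCertInfo). Distinguished names are represented as ordered lists of (attribute, value) pairs, the user DN and the two DER blobs are constructed for this example, and everything a real relying party must also do (signature and chain validation, validity periods, checking that the extension is marked critical, path-length accounting across the chain, evaluating custom policies) is left out on purpose.

```python
"""RFC 3820 ProxyCertInfo decoding and proxy naming check (added example)."""
from typing import List, Optional, Tuple

# Policy-language OIDs from RFC 3820; the ProxyCertInfo extension itself is 1.3.6.1.5.5.7.1.14.
OID_PPL_INHERIT_ALL = "1.3.6.1.5.5.7.21.1"   # id-ppl-inheritAll
OID_PPL_INDEPENDENT = "1.3.6.1.5.5.7.21.2"   # id-ppl-independent

DN = List[Tuple[str, str]]  # ordered RDNs, e.g. [("DC", "org"), ("CN", "Jane Doe")]

# Constructed sample data for this example (not taken from any real certificate).
USER_DN: DN = [("DC", "org"), ("DC", "example"), ("OU", "People"), ("CN", "Jane Doe")]
# ProxyCertInfo { pCPathLenConstraint 0, proxyPolicy { id-ppl-inheritAll } }
PCI_INHERIT_ALL_PATHLEN0 = bytes.fromhex("300f020100300a06082b06010505071501")
# ProxyCertInfo { proxyPolicy { id-ppl-inheritAll } } with no path-length constraint
PCI_INHERIT_ALL = bytes.fromhex("300c300a06082b06010505071501")


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: the next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def _decode_oid(value: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_proxy_cert_info(der: bytes) -> dict:
    """Decode ProxyCertInfo ::= SEQUENCE {
           pCPathLenConstraint INTEGER OPTIONAL,
           proxyPolicy SEQUENCE { policyLanguage OID, policy OCTET STRING OPTIONAL } }."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("ProxyCertInfo must be a single SEQUENCE")
    path_len: Optional[int] = None
    tag, val, pos = _read_tlv(body, 0)
    if tag == 0x02:  # optional pCPathLenConstraint
        path_len = int.from_bytes(val, "big", signed=True)
        tag, val, pos = _read_tlv(body, pos)
    if tag != 0x30 or pos != len(body):
        raise ValueError("proxyPolicy SEQUENCE missing or trailing data present")
    ptag, lang, ppos = _read_tlv(val, 0)
    if ptag != 0x06:
        raise ValueError("policyLanguage must be an OBJECT IDENTIFIER")
    policy: Optional[bytes] = None
    if ppos < len(val):
        otag, policy, ppos = _read_tlv(val, ppos)
        if otag != 0x04 or ppos != len(val):
            raise ValueError("policy must be a single OCTET STRING")
    return {"path_len": path_len, "policy_language": _decode_oid(lang), "policy": policy}


def classify_proxy(issuer: DN, subject: DN, pci_der: Optional[bytes]) -> str:
    """Apply the naming rule shared by legacy Globus and RFC 3820 proxies, then
    tell them apart by the presence and content of ProxyCertInfo.
    Returns 'legacy', 'legacy-limited', 'rfc3820', 'rfc3820-independent' or
    'rfc3820-custom-policy'; raises ValueError when neither rule is satisfied."""
    if len(subject) != len(issuer) + 1 or subject[:-1] != issuer:
        raise ValueError("proxy subject must be the issuer's subject plus one RDN")
    attr, value = subject[-1]
    if attr != "CN":
        raise ValueError("the appended RDN must be a CN")
    if pci_der is None:  # legacy Globus proxy: no extension, CN fixed by convention
        if value == "proxy":
            return "legacy"
        if value == "limited proxy":
            return "legacy-limited"
        raise ValueError("legacy proxy CN must be 'proxy' or 'limited proxy'")
    info = parse_proxy_cert_info(pci_der)
    if info["path_len"] is not None and info["path_len"] < 0:
        raise ValueError("pCPathLenConstraint must be non-negative")
    if info["policy_language"] == OID_PPL_INHERIT_ALL:
        return "rfc3820"
    if info["policy_language"] == OID_PPL_INDEPENDENT:
        return "rfc3820-independent"
    return "rfc3820-custom-policy"  # the relying party must then evaluate the policy


if __name__ == "__main__":
    print(parse_proxy_cert_info(PCI_INHERIT_ALL_PATHLEN0))
    print(classify_proxy(USER_DN, USER_DN + [("CN", "1234567")], PCI_INHERIT_ALL))
    print(classify_proxy(USER_DN, USER_DN + [("CN", "proxy")], None))
```

The classification is the part that matters for the interop question in the thread: a peer that only understands legacy proxies rejects a certificate whose appended CN is not literally "proxy", while an RFC 3820 peer rejects a proxy without the critical ProxyCertInfo extension, even though both are carried over exactly the same TLS handshake.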