[Pgi-wg] TLS : OpenSSL and GSI implementations - gLite 3.2 released today

Morris Riedel m.riedel at fz-juelich.de
Fri Mar 27 07:36:05 CDT 2009


Dear Vincenzo,

  that's good news - however are there production systems out there that may
not depend on GT4, e.g. gLite using older proxies?

My next question would be if SRM does see this in the same way?

Take care,
Morris

------------------------------------------------------------
Morris Riedel
SW - Engineer
Distributed Systems and Grid Computing Division
Jülich Supercomputing Centre (JSC)
Forschungszentrum Juelich
Wilhelm-Johnen-Str. 1
D - 52425 Juelich
Germany

Email: m.riedel at fz-juelich.de
Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel
Phone: +49 2461 61 - 3651
Fax: +49 2461 61 - 6656

Skype: MorrisRiedel

"We work to better ourselves, and the rest of humanity"

Sitz der Gesellschaft: Jülich
Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR B 3498
Vorsitzende des Aufsichtsrats: MinDirig'in Bärbel Brumme-Bothe
Vorstand: Prof. Dr. Achim Bachem (Vorsitzender), 
Dr. Ulrich Krafft (stellv. Vorsitzender)


>------Original Message-----
>-From: Vincenzo Ciaschini [mailto:vincenzo.ciaschini at cnaf.infn.it]
>-Sent: Friday, March 27, 2009 12:50 PM
>-To: Morris Riedel
>-Cc: 'weizhong qiang'; 'Aleksandr Konstantinov'; pgi-wg at ogf.org
>-Subject: Re: [Pgi-wg] TLS : OpenSSL and GSI implementations - gLite 3.2 released today
>-
>-Morris Riedel wrote:
>->
>-> OpenSSL Proxy-based TLSs are different from GSI-Proxy-based TLSs – as
>-> far as I understood from my interop experiences and from our conversations.
>-Actually, they are the same.  You are thinking about legacy proxies,
>-which are indeed different.  However, from GT4 onward, RFC proxies
>-(OpenSSL proxies) are supported.
>-
>-Ciao,
>-    Vincenzo
>->
>->
>->
>-> I thought this has unfortunately not changed yet?
>->
>->
>->
>-> Take care,
>->
>-> Morris
>->
>-> *From:* weizhong qiang [mailto:weizhongqiang at gmail.com]
>-> *Sent:* Friday, March 27, 2009 11:01 AM
>-> *To:* Morris Riedel
>-> *Cc:* Aleksandr Konstantinov; pgi-wg at ogf.org
>-> *Subject:* Re: [Pgi-wg] TLS : OpenSSL and GSI implementations - gLite 3.2 released today
>->
>->
>->
>->
>->
>-> 2009/3/27 Morris Riedel <m.riedel at fz-juelich.de>
>->
>-> Ok,
>->
>->  and that's why we have to support both in our profiles I guess - correct?!
>->
>->
>-> It depends what is the definition of the "both" here.
>->
>-> Weizhong
>->
>->
>->
>->
>->
>->     Take care,
>->     Morris
>->
>->
>->     >------Original Message-----
>->     >-From: pgi-wg-bounces at ogf.org On Behalf Of Aleksandr Konstantinov
>->     >-Sent: Friday, March 27, 2009 10:49 AM
>->     >-To: pgi-wg at ogf.org
>->     >-Subject: Re: [Pgi-wg] TLS : OpenSSL and GSI implementations - gLite 3.2 released today
>->     >-
>->
>->     >-On Monday 23 March 2009 15:04, Etienne URBAH wrote:
>->     >-> To all,
>->     >->
>->     >-> Concerning various implementations of TLS to handle X509 certificates
>->     >-> and proxies, it seems that :
>->     >->
>->     >-> -  DEISA (Unicore) uses the OpenSSL implementation of TLS to process
>->     >-> X509 certificates,
>->     >->
>->     >-> -  EGEE (gLite) and NorduGrid (ARC) use the GSI (Globus Security
>->     >-> Infrastructure) implementation of TLS to process X509 proxies,
>->     >-
>->     >-No, ARC uses OpenSSL for TLS data connections and Globus for
>->     >-GSI connections (SRM and GridFTP).
>->     >-
>->     >-
>->     >-A.K.
>->     >-
>->     >-
>->     >->
>->     >-> -  The OpenSSL and GSI implementations of TLS seem to be INCOMPATIBLE
>->     >-> (see mails below of Weizhong QIANG and Duane MERRIL).
>->     >->
>->     >-> This would make any interoperability very difficult.
>->     >->
>->     >->
>->     >-> But the situation is perhaps NOT so desperate :
>->     >->
>->     >-> -  EGEE has just released gLite version 3.2 today 23 March 2009.
>->     >->
>->     >-> -  In slide 3 of the presentation 'Middleware update' performed at CERN
>->     >-> GDB on 11 March 2009 and which is available at
>->     >-> http://indico.cern.ch/getFile.py/access?sessionId=7&resId=1&materialId=0&confId=45473
>->     >->     Andreas UNTERKIRCHER explains that gLite 3.2 uses VDT 1.10, which
>->     >-> uses 'system OpenSSL'.
>->     >->
>->     >->
>->     >-> ==>  Can Andreas UNTERKIRCHER provide more precisions, and confirm that
>->     >-> this permits interoperability at the X509 level ?
>->     >->
>->     >-> ==>  Can the PGI chairs plan an interoperability test ASAP to check if
>->     >-> this really works ?
>->     >->
>->     >->
>->     >-> In hope that the above information and suggestions are useful.
>->     >->
>->     >-> Best regards.
>->     >->
>->     >-> ----------------------------------
>->     >-> Etienne URBAH          IN2P3 - LAL
>->     >-> Bat 200     91898 ORSAY     France
>->     >-> Tel: +33 1 64 46 84 87
>->     >-> Mob: +33 6 22 30 53 27
>->     >-> Skype: etienne.urbah
>->     >-> mailto:urbah at lal.in2p3.fr <mailto:urbah at lal.in2p3.fr>
>->     >-> ----------------------------------
>->     >->
>->     >->
>->     >-> On Mon, 23 Mar 200, Jens Jensen wrote:
>->     >-> > 2009/3/20 weizhong qiang <weizhongqiang at gmail.com>:
>->     >-> >> On Fri, Mar 20, 2009 at 3:00 PM, <m.riedel at fz-juelich.de> wrote:
>->     >-> >> Basically the globus implementation of GSSAPI is about a specific
>->     >-> >> context-initiation negotiation, and some data-padding for initiation and
>->     >-> >> data-transferring. Also you can accomplish proxy-delegation via it.
>->     >-> >> What is for sure is that you can not use client based on normal TLS to talk
>->     >-> >> with service which is based on GSSAPI, or vice versa.
>->     >-> >> AFAIK, There is some grid service (WS compliant) such as some SRM service
>->     >-> >> which uses GSSAPI. (SOAP + HTTP + GSS).
>->     >-> >
>->     >-> > Some years since I last looked at it in detail but IIRC GSSAPI (RFC2743) is just
>->     >-> > a mechanism for establishing security contexts - if you get these bytes then send
>->     >-> > this, etc.  Presumably normal TLS can be implemented via GSSAPI as well, see
>->     >-> > eg section 5.3 of the RFC
>->     >-> > Someone once told me Globus had to deviate from the standard GSSAPI
>->     >-> > to implement GSI. If this is true then it's worth documenting, no?
>->     >-> > Again long time ago I experimented with the Globus module for GSI and
>->     >-> > the lower level Globus GSSAPI.  At the time they did not interoperate :-)
>->     >-> > Had some discussions with Aleksandr at the time.
>->     >-> >
>->     >-> > Regards
>->     >-> > --jens
>->     >->
>->     >->
>->     >->
>->     >-> On Fri, 20 Mar 2009, Duane Merrill wrote:
>->     >-> > In theory, rfc-3820 proxy certs should not have any effect on TLS wire
>->     >-> > protocol. For various reasons, different versions of GSI-OpenSSH *have*
>->     >-> > changed the wire format in different ways. (Shame on them.) Out of
>->     >-> > curiosity, are there any published/publicly-available descriptions of
>->     >-> > these deltas?
>->     >-> >
>->     >-> > Duane
>->     >->

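The thread above turns on telling legacy proxies apart from RFC 3820 proxies. The following is an added example, not part of any message in the thread and not gLite, Globus or ARC code: it classifies certificates from already-parsed fields and flags a chain that mixes proxy styles. The function names, the tuple layout, the sample DNs and the choice to flag mixed chains are assumptions made for illustration.

```python
# Added illustration; field layout and sample DNs are constructed.
RFC3820_PCI_OID = "1.3.6.1.5.5.7.1.14"    # id-pe-proxyCertInfo (RFC 3820)
DRAFT_PCI_OID = "1.3.6.1.4.1.3536.1.222"  # Globus pre-RFC proxyCertInfo
LEGACY_CNS = {"proxy", "limited proxy"}    # trailing CN of legacy proxies


def classify(subject, issuer, ext_oids):
    """subject/issuer: lists of (attr, value) RDNs, most significant first."""
    # Every proxy style names itself as issuer subject + one trailing CN.
    extends_issuer = (len(subject) == len(issuer) + 1
                      and subject[:-1] == issuer
                      and subject[-1][0] == "CN")
    if not extends_issuer:
        return "not-proxy"
    if RFC3820_PCI_OID in ext_oids:
        return "rfc3820-proxy"
    if DRAFT_PCI_OID in ext_oids:
        return "draft-proxy"
    if subject[-1][1] in LEGACY_CNS:
        return "legacy-proxy"
    return "not-proxy"  # e.g. a CA whose DN is a prefix of the names it issues


def classify_chain(chain):
    """chain: (subject, issuer, ext_oids) tuples, end-entity cert first."""
    types, problems = [], []
    for i, (subj, iss, exts) in enumerate(chain):
        types.append(classify(subj, iss, exts))
        if i > 0 and iss != chain[i - 1][0]:
            problems.append(f"cert {i}: issuer is not the previous subject")
    kinds = sorted({t for t in types if t != "not-proxy"})
    if len(kinds) > 1:  # assumption: mixed styles are flagged for review
        problems.append("mixed proxy styles: " + ", ".join(kinds))
    return types, problems


# Constructed sample: end-entity cert, an RFC 3820 proxy, then a legacy proxy.
CA = [("O", "Example Grid"), ("CN", "Example CA")]
USER = [("O", "Example Grid"), ("OU", "People"), ("CN", "Alice")]
RFC_PROXY = USER + [("CN", "1234567890")]
LEGACY_PROXY = RFC_PROXY + [("CN", "proxy")]
SAMPLE_CHAIN = [
    (USER, CA, {"2.5.29.15"}),
    (RFC_PROXY, USER, {"2.5.29.15", RFC3820_PCI_OID}),
    (LEGACY_PROXY, RFC_PROXY, set()),
]

if __name__ == "__main__":
    print(classify_chain(SAMPLE_CHAIN))
```

The inputs are assumed to come from whatever X.509 parser a site already trusts; signature and path validation are separate steps that this check does not replace.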