[Pgi-wg] TLS : OpenSSL and GSI implementations - gLite 3.2 released today

Morris Riedel m.riedel at fz-juelich.de
Fri Mar 27 07:40:10 CDT 2009


I back up this statement... maybe it's because we mix up old Globus and new
Globus elements....

------------------------------------------------------------
Morris Riedel
SW - Engineer
Distributed Systems and Grid Computing Division
Jülich Supercomputing Centre (JSC)
Forschungszentrum Juelich
Wilhelm-Johnen-Str. 1
D - 52425 Juelich
Germany

Email: m.riedel at fz-juelich.de
Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel
Phone: +49 2461 61 - 3651
Fax: +49 2461 61 - 6656

Skype: MorrisRiedel

"We work to better ourselves, and the rest of humanity"

Sitz der Gesellschaft: Jülich
Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR B 3498
Vorsitzende des Aufsichtsrats: MinDirig'in Bärbel Brumme-Bothe
Vorstand: Prof. Dr. Achim Bachem (Vorsitzender), 
Dr. Ulrich Krafft (stellv. Vorsitzender)


>------Original Message-----
>-From: pgi-wg-bounces at ogf.org [mailto:pgi-wg-bounces at ogf.org] On Behalf Of
>-Aleksandr Konstantinov
>-Sent: Friday, March 27, 2009 1:34 PM
>-To: Pgi-wg at ogf.org
>-Subject: Re: [Pgi-wg] TLS : OpenSSL and GSI implementations - gLite 3.2 released
>-today
>-
>-On Friday 27 March 2009 13:49, you wrote:
>-> Morris Riedel wrote:
>-> >
>-> > OpenSSL Proxy-based TLSs are different from GSI-Proxy-based TLSs – as
>-> > far as I understood from my interop experiences and from our conversations.
>-> Actually, they are the same.  You are thinking about legacy proxies,
>-> which are indeed different.  However, from GT4 onward, RFC proxies
>-> (OpenSSL) proxies, are supported.
>-
>-I think it was about wire protocol and not about proxies. AFAIK many of us have
>-learned from own experience that those are incompatible. At least as implemented
>-by Globus.
>-
>-
>-A.K.
>-
>-
>->
>-> Ciao,
>->     Vincenzo
>-> >
>-> >
>-> >
>-> > I thought this has unfortunately not changed yet?
>-> >
>-> >
>-> >
>-> > Take care,
>-> >
>-> > Morris
>-> >
>-> >
>-> >
>-> > *From:* weizhong qiang [mailto:weizhongqiang at gmail.com]
>-> > *Sent:* Friday, March 27, 2009 11:01 AM
>-> > *To:* Morris Riedel
>-> > *Cc:* Aleksandr Konstantinov; pgi-wg at ogf.org
>-> > *Subject:* Re: [Pgi-wg] TLS : OpenSSL and GSI implementations - gLite
>-> > 3.2 released today
>-> >
>-> >
>-> >
>-> >
>-> >
>-> > 2009/3/27 Morris Riedel <m.riedel at fz-juelich.de
>-> > <mailto:m.riedel at fz-juelich.de>>
>-> >
>-> > Ok,
>-> >
>-> > and that's why we have to support both in our profiles I guess - correct?!
>-> >
>-> >
>-> > It depends what is the definition of the "both" here.
>-> >
>-> > Weizhong
>-> >
>-> >
>-> >
>-> >
>-> >
>-> >     Take care,
>-> >     Morris
>-> >
>-> >     >------Original Message-----
>-> >     >-From: pgi-wg-bounces at ogf.org [mailto:pgi-wg-bounces at ogf.org] On Behalf Of
>-> >     >-Aleksandr Konstantinov
>-> >     >-Sent: Friday, March 27, 2009 10:49 AM
>-> >     >-To: pgi-wg at ogf.org
>-> >     >-Subject: Re: [Pgi-wg] TLS : OpenSSL and GSI implementations - gLite 3.2 released
>-> >     >-today
>-> >     >-
>-> >
>-> >     >-On Monday 23 March 2009 15:04, Etienne URBAH wrote:
>-> >     >-> To all,
>-> >     >->
>-> >     >-> Concerning various implementations of TLS to handle X509 certificates
>-> >     >-> and proxies, it seems that :
>-> >     >->
>-> >     >-> -  DEISA (Unicore) uses the OpenSSL implementation of TLS to process
>-> >     >-> X509 certificates,
>-> >     >->
>-> >     >-> -  EGEE (gLite) and NorduGrid (ARC) use the GSI (Globus Security
>-> >     >-> Infrastructure) implementation of TLS to process X509 proxies,
>-> >     >-
>-> >     >-No, ARC uses OpenSSL for TLS data connections and Globus for
>-> >     >-GSI connections (SRM and GridFTP).
>-> >     >-
>-> >     >-
>-> >     >-A.K.
>-> >     >-
>-> >     >-
>-> >     >->
>-> >     >-> -  The OpenSSL and GSI implementations of TLS seem to be INCOMPATIBLE
>-> >     >-> (see mails below of Weizhong QIANG and Duane MERRIL).
>-> >     >->
>-> >     >-> This would make any interoperability very difficult.
>-> >     >->
>-> >     >->
>-> >     >-> But the situation is perhaps NOT so desperate :
>-> >     >->
>-> >     >-> -  EGEE has just released gLite version 3.2 today 23 March 2009.
>-> >     >->
>-> >     >-> -  In slide 3 of the presentation 'Middleware update' performed at CERN
>-> >     >-> GDB on 11 March 2009 and which is available at
>-> >     >-> http://indico.cern.ch/getFile.py/access?sessionId=7&resId=1&materialId=0&confId=45473
>-> >     >-> Andreas UNTERKIRCHER explains that gLite 3.2 uses VDT 1.10, which
>-> >     >-> uses 'system OpenSSL'.
>-> >     >->
>-> >     >->
>-> >     >-> ==>  Can Andreas UNTERKIRCHER provide more precisions, and confirm that
>-> >     >-> this permits interoperability at the X509 level ?
>-> >     >->
>-> >     >-> ==>  Can the PGI chairs plan an interoperability test ASAP to check if
>-> >     >-> this really works ?
>-> >     >->
>-> >     >->
>-> >     >-> In hope that the above information and suggestions are useful.
>-> >     >->
>-> >     >-> Best regards.
>-> >     >->
>-> >     >-> ----------------------------------
>-> >     >-> Etienne URBAH          IN2P3 - LAL
>-> >     >-> Bat 200     91898 ORSAY     France
>-> >     >-> Tel: +33 1 64 46 84 87
>-> >     >-> Mob: +33 6 22 30 53 27
>-> >     >-> Skype: etienne.urbah
>-> >     >-> mailto:urbah at lal.in2p3.fr <mailto:urbah at lal.in2p3.fr>
>-> >     >-> ----------------------------------
>-> >     >->
>-> >     >->
>-> >     >-> On Mon, 23 Mar 2009, Jens Jensen wrote:
>-> >     >-> > 2009/3/20 weizhong qiang <weizhongqiang at gmail.com>:
>-> >     >-> >> On Fri, Mar 20, 2009 at 3:00 PM, <m.riedel at fz-juelich.de> wrote:
>-> >     >-> >> Basically the globus implementation of GSSAPI is about a specific
>-> >     >-> >> context-initiation negotiation, and some data-padding for initiation and
>-> >     >-> >> data-transferring. Also you can accomplish proxy-delegation via it.
>-> >     >-> >> What is for sure is that you can not use client based on normal TLS to talk
>-> >     >-> >> with service which is based on GSSAPI, or vice versa.
>-> >     >-> >> AFAIK, there is some grid service (WS compliant) such as some SRM service
>-> >     >-> >> which uses GSSAPI. (SOAP + HTTP + GSS).
>-> >     >-> >
>-> >     >-> > Some years since I last looked at it in detail but IIRC GSSAPI (RFC2743) is just
>-> >     >-> > a mechanism for establishing security contexts - if you get these bytes then send
>-> >     >-> > this, etc.  Presumably normal TLS can be implemented via GSSAPI as well, see
>-> >     >-> > eg section 5.3 of the RFC
>-> >     >-> > Someone once told me Globus had to deviate from the standard GSSAPI
>-> >     >-> > to implement GSI. If this is true then it's worth documenting, no?
>-> >     >-> > Again long time ago I experimented with the Globus module for GSI and
>-> >     >-> > the lower level Globus GSSAPI.  At the time they did not interoperate :-)
>-> >     >-> > Had some discussions with Aleksandr at the time.
>-> >     >-> >
>-> >     >-> > Regards
>-> >     >-> > --jens
>-> >     >->
>-> >     >->
>-> >     >->
>-> >     >-> On Fri, 20 Mar 2009, Duane Merrill wrote:
>-> >     >-> > In theory, rfc-3820 proxy certs should not have any effect on TLS wire
>-> >     >-> > protocol. For various reasons, different versions of GSI-OpenSSH *have*
>-> >     >-> > changed the wire format in different ways. (Shame on them.) Out of
>-> >     >-> > curiosity, are there any published/publicly-available descriptions of
>-> >     >-> > these deltas?
>-> >     >-> >
>-> >     >-> > Duane
>-> >     >->
>-> >     >-_______________________________________________
>-> >     >-Pgi-wg mailing list
>-> >     >-Pgi-wg at ogf.org <mailto:Pgi-wg at ogf.org>
>-> >     >-http://www.ogf.org/mailman/listinfo/pgi-wg
>-> >
>-> >
>->
>->
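The thread contrasts legacy Globus proxies with RFC 3820 proxies without saying how to tell them apart. As an added example (not code from the thread, Globus or OpenSSL), the classifier below applies the RFC 3820 naming rule plus the presence of a proxyCertInfo extension; the DNs are constructed, the RFC 3820 OID is the published one, and the pre-RFC Globus draft OID is an assumption to verify against your Globus version.

```python
# Added example: classify a proxy certificate flavour from already-parsed
# subject/issuer RDNs and extension OIDs. A real caller would take these from
# an X.509 parser; the DNs below are constructed, not from any real site.
from dataclasses import dataclass

RFC3820_PROXY_CERT_INFO = "1.3.6.1.5.5.7.1.14"          # id-pe-proxyCertInfo (RFC 3820)
GLOBUS_DRAFT_PROXY_CERT_INFO = "1.3.6.1.4.1.3536.1.222"  # pre-RFC Globus draft OID (assumed)
LEGACY_PROXY_CNS = {"proxy", "limited proxy"}            # GT2 naming convention, no extension

@dataclass(frozen=True)
class CertNames:
    subject: tuple       # ordered RDNs, e.g. (("C", "DE"), ("CN", "alice"))
    issuer: tuple
    ext_oids: frozenset  # dotted OIDs of every extension present

def classify_proxy(cert: CertNames) -> str:
    """Return 'rfc3820', 'globus-draft', 'legacy', 'not-a-proxy' or 'invalid'."""
    # Every proxy flavour shares one structural rule (RFC 3820 section 3.1):
    # the subject is the issuer's name with exactly one extra RDN appended,
    # and that RDN must be a CN.
    if len(cert.subject) != len(cert.issuer) + 1 or cert.subject[:-1] != cert.issuer:
        return "not-a-proxy"
    extra_type, extra_value = cert.subject[-1]
    if extra_type != "CN":
        return "invalid"
    has_rfc = RFC3820_PROXY_CERT_INFO in cert.ext_oids
    has_draft = GLOBUS_DRAFT_PROXY_CERT_INFO in cert.ext_oids
    if has_rfc and has_draft:
        return "invalid"             # two competing proxyCertInfo extensions
    if has_rfc:
        return "rfc3820"
    if has_draft:
        return "globus-draft"
    # No proxyCertInfo at all: only the legacy CN convention marks a proxy.
    return "legacy" if extra_value in LEGACY_PROXY_CNS else "not-a-proxy"

# Constructed sample names; "1234567890" stands in for an RFC 3820 serial-style CN.
USER = (("C", "DE"), ("O", "Example Grid"), ("CN", "alice"))
CA = (("C", "DE"), ("O", "Example Grid"), ("CN", "Example CA"))
SAMPLE_RFC = CertNames(USER + (("CN", "1234567890"),), USER, frozenset({RFC3820_PROXY_CERT_INFO}))
SAMPLE_DRAFT = CertNames(USER + (("CN", "42"),), USER, frozenset({GLOBUS_DRAFT_PROXY_CERT_INFO}))
SAMPLE_LEGACY = CertNames(USER + (("CN", "limited proxy"),), USER, frozenset())
SAMPLE_EE = CertNames(USER, CA, frozenset())   # end-entity cert issued by the CA

if __name__ == "__main__":
    for label, c in [("rfc", SAMPLE_RFC), ("draft", SAMPLE_DRAFT), ("legacy", SAMPLE_LEGACY), ("ee", SAMPLE_EE)]:
        print(label, "->", classify_proxy(c))
```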

