[Pgi-wg] TLS : OpenSSL and GSI implementations - gLite 3.2 released today

weizhong qiang weizhongqiang at gmail.com
Fri Mar 27 09:37:46 CDT 2009


On Fri, Mar 27, 2009 at 2:36 PM, Vincenzo Ciaschini <vincenzo.ciaschini at cnaf.infn.it> wrote:

> Aleksandr Konstantinov wrote:
> > On Friday 27 March 2009 13:49, you wrote:
> >> Morris Riedel wrote:
> >>> OpenSSL Proxy-based TLSs are different from GSI-Proxy-based TLSs – as
> >>> far as I understood from my interop experiences and from our
> >>> conversations.
> >> Actually, they are the same.  You are thinking about legacy proxies,
> >> which are indeed different.  However, from GT4 onward, RFC (OpenSSL)
> >> proxies are supported.
> >
> > I think it was about the wire protocol and not about proxies. AFAIK many
> > of us have learned from our own experience that those are incompatible.
> > At least as implemented by Globus.
> Well, yes and no.
>
> Assuming the proxies are not the problem, then you should be aware of
> the possibility of an extra message, "0" or "D" being sent from a GSI
> client immediately after the connection is successfully established.
>
> On the other hand, a GSI server expects this message after connection
> establishment, so an SSL client should send it.
>
> Specifying the SSL compatibility flag among the GSI options, this extra
> message should not be sent (modulo possible bugs).


That is good news to know. I also just googled some information:
http://bugzilla.globus.org/globus/show_bug.cgi?id=3036

It would also be nice if the voms server could support pure TLS
compatibility, so that a client (other than a voms client like
voms-proxy-init) that talks the voms protocol, while using TLS instead of
globus GSSAPI, can also interoperate with the voms server.

Weizhong Qiang



>
>
> Ciao,
>      Vincenzo
>
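
The post-handshake "0"/"D" message discussed in the thread, as an added example that is not part of the original messages and is not Globus or VOMS code. The function names are hypothetical, a local socket pair is a constructed stand-in for an already established TLS channel, and the two byte values are treated as opaque because the thread does not say what they mean.

```python
import socket

# The two post-handshake values named in the thread. Their meaning is not
# stated there, so this sketch treats them as opaque one-byte messages.
GSI_FIRST_MESSAGES = (b"0", b"D")

def client_open(stream, peer_is_gsi_server, first_message=b"0"):
    """Plain TLS client, right after the handshake: send the byte a GSI server expects."""
    if peer_is_gsi_server:
        if first_message not in GSI_FIRST_MESSAGES:
            raise ValueError("unexpected GSI first message")
        stream.sendall(first_message)

def server_open(stream, expect_gsi_message):
    """Server, right after the handshake: consume the extra byte only in GSI mode."""
    if not expect_gsi_message:
        return None  # SSL-compatible mode: every byte is application data
    first = stream.recv(1)
    if first not in GSI_FIRST_MESSAGES:
        raise ConnectionError("peer did not send the GSI first message")
    return first

def demo(client_sends_byte, server_expects_byte, payload):
    """Run one exchange; return (byte consumed by server, application data seen)."""
    # Constructed stand-in for an already established TLS channel.
    client, server = socket.socketpair()
    try:
        client_open(client, client_sends_byte)
        client.sendall(payload)
        client.shutdown(socket.SHUT_WR)
        try:
            consumed = server_open(server, expect_gsi_message=server_expects_byte)
        except ConnectionError:
            return ("rejected", b"")
        data = b""
        while chunk := server.recv(4096):
            data += chunk
        return (consumed, data)
    finally:
        client.close()
        server.close()

if __name__ == "__main__":
    for c, s, p in [(True, True, b"hello"), (False, False, b"hello"),
                    (True, False, b"hello"), (False, True, b"hello"),
                    (False, True, b"Dxyz")]:
        print(c, s, p, "->", demo(c, s, p))
```

The last case shows why a server cannot auto-detect the mode: a payload that happens to start with "D" is indistinguishable from the extra message, so both sides have to agree on the mode through configuration.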