
Dear Vincenzo,

that's good news - however are there production systems out there that may not depend on GT4, e.g. gLite using older proxies?

My next question would be if SRM does see this in the same way?

Take care,
Morris

------------------------------------------------------------
Morris Riedel
SW - Engineer
Distributed Systems and Grid Computing Division
Jülich Supercomputing Centre (JSC)
Forschungszentrum Juelich
Wilhelm-Johnen-Str. 1
D - 52425 Juelich
Germany

Email: m.riedel@fz-juelich.de
Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel
Phone: +49 2461 61 - 3651
Fax: +49 2461 61 - 6656

Skype: MorrisRiedel

"We work to better ourselves, and the rest of humanity"

Registered office: Jülich
Registered in the commercial register of the Düren district court, No. HR B 3498
Chair of the supervisory board: MinDirig'in Bärbel Brumme-Bothe
Executive board: Prof. Dr. Achim Bachem (chairman), Dr. Ulrich Krafft (deputy chairman)


-----Original Message-----
From: Vincenzo Ciaschini [mailto:vincenzo.ciaschini@cnaf.infn.it]
Sent: Friday, March 27, 2009 12:50 PM
To: Morris Riedel
Cc: 'weizhong qiang'; 'Aleksandr Konstantinov'; pgi-wg@ogf.org
Subject: Re: [Pgi-wg] TLS : OpenSSL and GSI implementations - gLite 3.2 released today

Morris Riedel wrote:
>
> OpenSSL Proxy-based TLSs are different from GSI-Proxy-based TLSs as
> far as I understood from my interop experiences and from our conversations.

Actually, they are the same. You are thinking about legacy proxies,
which are indeed different. However, from GT4 onward, RFC proxies
(OpenSSL) proxies, are supported.

Ciao,
 Vincenzo

> I thought this has unfortunately not changed yet?
>
> Take care,
>
> Morris
>
>
> *From:* weizhong qiang [mailto:weizhongqiang@gmail.com]
> *Sent:* Friday, March 27, 2009 11:01 AM
> *To:* Morris Riedel
> *Cc:* Aleksandr Konstantinov; pgi-wg@ogf.org
> *Subject:* Re: [Pgi-wg] TLS : OpenSSL and GSI implementations - gLite 3.2 released today
>
> 2009/3/27 Morris Riedel <m.riedel@fz-juelich.de>
>
> Ok,
>
> and that's why we have to support both in our profiles I guess - correct?!
>
>
> It depends what is the definition of the "both" here.
>
> Weizhong
>
>
> Take care,
> Morris
>
>
> >-----Original Message-----
> >From: pgi-wg-bounces@ogf.org [mailto:pgi-wg-bounces@ogf.org] On Behalf Of
> >Aleksandr Konstantinov
> >Sent: Friday, March 27, 2009 10:49 AM
> >To: pgi-wg@ogf.org
> >Subject: Re: [Pgi-wg] TLS : OpenSSL and GSI implementations - gLite 3.2 released
> >today
> >
> >On Monday 23 March 2009 15:04, Etienne URBAH wrote:
> >> To all,
> >>
> >> Concerning various implementations of TLS to handle X509 certificates
> >> and proxies, it seems that :
> >>
> >> - DEISA (Unicore) uses the OpenSSL implementation of TLS to process
> >> X509 certificates,
> >>
> >> - EGEE (gLite) and NorduGrid (ARC) use the GSI (Globus Security
> >> Infrastructure) implementation of TLS to process X509 proxies,
> >
> >No, ARC uses OpenSSL for TLS data connections and Globus for
> >GSI connections (SRM and GridFTP).
> >
> >
> >A.K.
> >
> >
> >>
> >> - The OpenSSL and GSI implementations of TLS seem to be INCOMPATIBLE
> >> (see mails below of Weizhong QIANG and Duane MERRIL).
> >>
> >> This would make any interoperability very difficult.
> >>
> >>
> >> But the situation is perhaps NOT so desperate :
> >>
> >> - EGEE has just released gLite version 3.2 today 23 March 2009.
> >>
> >> - In slide 3 of the presentation 'Middleware update' performed at CERN
> >> GDB on 11 March 2009 and which is available at
> >> http://indico.cern.ch/getFile.py/access?sessionId=7&resId=1&materialId=0&confId=45473
> >> Andreas UNTERKIRCHER explains that gLite 3.2 uses VDT 1.10, which
> >> uses 'system OpenSSL'.
> >>
> >>
> >> ==> Can Andreas UNTERKIRCHER provide more details, and confirm that
> >> this permits interoperability at the X509 level ?
> >>
> >> ==> Can the PGI chairs plan an interoperability test ASAP to check if
> >> this really works ?
> >>
> >>
> >> In hope that the above information and suggestions are useful.
> >>
> >> Best regards.
> >>
> >> ----------------------------------
> >> Etienne URBAH IN2P3 - LAL
> >> Bat 200 91898 ORSAY France
> >> Tel: +33 1 64 46 84 87
> >> Mob: +33 6 22 30 53 27
> >> Skype: etienne.urbah
> >> mailto:urbah@lal.in2p3.fr
> >> ----------------------------------
> >>
> >>
> >> On Mon, 23 Mar 2009, Jens Jensen wrote:
> >> > 2009/3/20 weizhong qiang <weizhongqiang@gmail.com>:
> >> >> On Fri, Mar 20, 2009 at 3:00 PM, <m.riedel@fz-juelich.de> wrote:
> >> >> Basically the globus implementation of GSSAPI is about a specific
> >> >> context-initiation negotiation, and some data-padding for initiation and
> >> >> data-transferring. Also you can accomplish proxy-delegation via it.
> >> >> What is for sure is that you can not use client based on normal TLS to talk
> >> >> with service which is based on GSSAPI, or vice versa.
> >> >> AFAIK, there is some grid service (WS compliant) such as some SRM service
> >> >> which uses GSSAPI. (SOAP + HTTP + GSS).
> >> >
> >> > Some years since I last looked at it in detail but IIRC GSSAPI (RFC2743) is just
> >> > a mechanism for establishing security contexts - if you get these bytes then send
> >> > this, etc. Presumably normal TLS can be implemented via GSSAPI as well, see
> >> > eg section 5.3 of the RFC
> >> > Someone once told me Globus had to deviate from the standard GSSAPI
> >> > to implement GSI. If this is true then it's worth documenting, no?
> >> > Again long time ago I experimented with the Globus module for GSI and
> >> > the lower level Globus GSSAPI. At the time they did not interoperate :-)
> >> > Had some discussions with Aleksandr at the time.
> >> >
> >> > Regards
> >> > --jens
> >>
> >>
> >>
> >> On Fri, 20 Mar 2009, Duane Merrill wrote:
> >> > In theory, rfc-3820 proxy certs should not have any effect on TLS wire
> >> > protocol. For various reasons, different versions of GSI-OpenSSH *have*
> >> > changed the wire format in different ways. (Shame on them.) Out of
> >> > curiosity, are there any published/publicly-available descriptions of
> >> > these deltas?
> >> >
> >> > Duane

_______________________________________________
Pgi-wg mailing list
Pgi-wg@ogf.org
http://www.ogf.org/mailman/listinfo/pgi-wg
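The distinction Vincenzo draws between legacy Globus proxies and RFC proxies is what a relying party has to check when it validates a delegation chain. The following is an added example, not code from the thread or from Globus, gLite, ARC or UNICORE: it classifies a certificate as an RFC 3820 proxy, a pre-RFC Globus draft proxy, a legacy proxy (recognised purely by its `CN=proxy` / `CN=limited proxy` name) or an end-entity certificate, and then applies the RFC 3820 subject-naming, criticality, CA and pCPathLenConstraint rules to a chain. The certificates are modelled as plain records with the few fields the rules need rather than parsed X.509; the extension OIDs are the published ones (RFC 3820 id-pe-proxyCertInfo and the Globus GT3 draft OID), and the sample chains at the bottom are constructed for the example.

```python
"""Classify X.509 proxy certificates (RFC 3820, GT3 draft, legacy Globus) and
apply the RFC 3820 naming and path-length rules to a delegation chain.

Added example for the mailing-list thread above, not Globus/gLite/ARC code.
Certificates are modelled as plain records; real code would take these fields
from a parsed X.509 certificate.  The sample chains at the bottom are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RDN = Tuple[str, str]          # e.g. ("CN", "Alice")
DN = Tuple[RDN, ...]           # RDNs in order, root first

# Extension OIDs: id-pe-proxyCertInfo from RFC 3820 and the pre-RFC Globus draft.
OID_RFC3820_PROXY_CERT_INFO = "1.3.6.1.5.5.7.1.14"
OID_GT3_DRAFT_PROXY_CERT_INFO = "1.3.6.1.4.1.3536.1.222"
# Legacy Globus proxies carry no extension; they are recognised by name only.
LEGACY_PROXY_CNS = {"proxy", "limited proxy"}


@dataclass
class Cert:
    subject: DN
    issuer: DN
    is_ca: bool = False
    # oid -> {"critical": bool, "pathlen": Optional[int]}
    extensions: Dict[str, dict] = field(default_factory=dict)


def classify(cert: Cert) -> str:
    """Return 'rfc3820', 'draft', 'legacy' or 'end-entity'."""
    if OID_RFC3820_PROXY_CERT_INFO in cert.extensions:
        return "rfc3820"
    if OID_GT3_DRAFT_PROXY_CERT_INFO in cert.extensions:
        return "draft"
    last = cert.subject[-1]
    if (cert.subject[:-1] == cert.issuer and last[0] == "CN"
            and last[1] in LEGACY_PROXY_CNS):
        return "legacy"
    return "end-entity"


def check_rfc3820_chain(chain: List[Cert]) -> List[str]:
    """chain[0] is the end-entity certificate, chain[1:] the proxies, in order.
    Returns the list of rule violations; an empty list means the chain passes."""
    problems: List[str] = []
    remaining: Optional[int] = None   # pCPathLenConstraint still in force
    for depth, (issuer, proxy) in enumerate(zip(chain, chain[1:]), start=1):
        kind = classify(proxy)
        if kind != "rfc3820":
            problems.append(f"proxy #{depth} is a {kind} certificate, not an RFC 3820 proxy")
            continue
        ext = proxy.extensions[OID_RFC3820_PROXY_CERT_INFO]
        if not ext.get("critical", False):
            problems.append(f"proxy #{depth}: proxyCertInfo must be marked critical")
        if issuer.is_ca or proxy.is_ca:
            problems.append(f"proxy #{depth}: proxies may neither be nor be issued by a CA")
        if proxy.issuer != issuer.subject:
            problems.append(f"proxy #{depth}: issuer DN does not match the previous certificate")
        if not (proxy.subject[:-1] == issuer.subject and proxy.subject[-1][0] == "CN"):
            problems.append(f"proxy #{depth}: subject must be the issuer DN plus exactly one CN")
        if remaining == 0:
            problems.append(f"proxy #{depth}: issuer's pCPathLenConstraint is exhausted")
        # Constraint that applies to the next proxy: one less than what we inherited,
        # tightened by this proxy's own pCPathLenConstraint if it carries one.
        if remaining is not None:
            remaining -= 1
        own = ext.get("pathlen")
        if own is not None:
            remaining = own if remaining is None else min(remaining, own)
    return problems


# --- constructed sample chains (not real certificates) ---------------------------
_CA: DN = (("C", "XX"), ("O", "Example Grid"), ("CN", "Example CA"))
EXAMPLE_EE = Cert(subject=_CA[:-1] + (("CN", "Alice"),), issuer=_CA)


def _rfc_proxy(issuer: Cert, cn: str, pathlen: Optional[int] = None) -> Cert:
    info: dict = {"critical": True}
    if pathlen is not None:
        info["pathlen"] = pathlen
    return Cert(subject=issuer.subject + (("CN", cn),), issuer=issuer.subject,
                extensions={OID_RFC3820_PROXY_CERT_INFO: info})


EXAMPLE_P1 = _rfc_proxy(EXAMPLE_EE, "1001", pathlen=1)   # may sign one more level
EXAMPLE_P2 = _rfc_proxy(EXAMPLE_P1, "1002")
EXAMPLE_P3 = _rfc_proxy(EXAMPLE_P2, "1003")               # one level too deep
EXAMPLE_LEGACY = Cert(subject=EXAMPLE_EE.subject + (("CN", "proxy"),),
                      issuer=EXAMPLE_EE.subject)

if __name__ == "__main__":
    for name, chain in [("good", [EXAMPLE_EE, EXAMPLE_P1, EXAMPLE_P2]),
                        ("too deep", [EXAMPLE_EE, EXAMPLE_P1, EXAMPLE_P2, EXAMPLE_P3]),
                        ("legacy", [EXAMPLE_EE, EXAMPLE_LEGACY])]:
        print(name, [classify(c) for c in chain], check_rfc3820_chain(chain) or "OK")
```

A legacy proxy fails the RFC 3820 check at the first step, which is the practical reason a relying party that only implements RFC 3820 (as OpenSSL does) cannot accept a chain issued by an older GSI stack; a pure-OpenSSL and a GT4-era Globus peer, by contrast, agree on these rules and differ only in how the bytes are wrapped on the wire.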