Two more comments embedded:

> However, further testing revealed that, in some cases, client code that used
> the "old" cog-jglobus.jar was unable to connect with a service that used my
> "new" cog-jglobus.jar. Replacing the "old" cog-jglobus.jar on the client
> side with my "new" version resolved the connectivity problem. But this
> unexpected break in backward compatibility called for closer examination of
> the code.

I would expect that if you enable privacy in your clients with the old CoG jar, this should work against your new server. In effect, your new CoG jar is forcing the server to always use the encryption option. The current CoG code (on your client side) disables NULL ciphers if privacy (encryption) is requested and should be able to establish a common cipher and hence handshake with the new server.

> The GlobusGSSContextImpl.java code obtained from CVS always includes a NULL
> cipher suite in the SSL policy. I think this is questionable because, for
> example, a client might be able to force the use of a NULL cipher (i.e.
> unencrypted connection), even if the service is configured for privacy via
> GSITransport.
>
> The GlobusGSSContextImpl.java code from CVS has another questionable
> feature, in that, under some circumstances, the only cipher suite it allows
> is a NULL one. This would cause the connection to fail if the other side
> does not allow the NULL cipher suite (as in my "new" cog-jglobus.jar).

The circumstance where only NULL ciphers are allowed is when privacy is disabled by the client. The above comments do not change the need for enforcing an accepted list of ciphers on the server side.

Rachana

> The use of NULL cipher suites in GlobusGSSContextImpl.java seems very
> strange to me, especially with regard to the concept of privacy via
> GSITransport. Right now, I can't think of any reason I would ever want to
> use a NULL cipher suite on my secure web service. Am I missing something
> here? Could this be considered a bug (or bugs)?
>
> Other notes:
>
> - jglobus code was acquired via anonymous CVS, as illustrated on the COG
>   JGlobus 1.2 page: http://dev.globus.org/wiki/CoG_JGlobus_1.2
> - There was no CVS tag for globus_4_0_8, so I used the most recent code
>   from the globus_4_0_branch, as of September 24, 2008
>
> Best regards,
> Joel
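As an added illustration (this is not code from CoG JGlobus or the Globus project, and it does not reproduce the real GlobusGSSContextImpl.java logic), the following Python models the cipher-suite policy the exchange describes: the client offers only encrypting suites when privacy is requested and only NULL suites when it is not; the "old" server policy always includes NULL suites, while the "new" server strips them; and a handshake succeeds only if the two sides share a suite. The suite names, the helper names and the preference order are assumptions made for the model. Running the four combinations reproduces the thread's three observations: old client with privacy on talks to the new server, old client with privacy off fails against the new server, and a client that offers only NULL suites can negotiate an unencrypted connection with a server that still advertises them.

```python
"""Model of the NULL-cipher-suite policy discussed in the thread.

Added example, not code from CoG JGlobus. Suite names and helper names are
assumptions for illustration only.
"""
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed suite names (TLS-style strings used only by this model).
NULL_SUITES: Tuple[str, ...] = ("TLS_RSA_WITH_NULL_SHA", "TLS_RSA_WITH_NULL_MD5")
ENCRYPTING_SUITES: Tuple[str, ...] = (
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
)


def is_null_suite(suite: str) -> bool:
    """A NULL suite authenticates and integrity-protects but does not encrypt."""
    return "_WITH_NULL_" in suite


def strip_null_suites(suites: Sequence[str]) -> List[str]:
    """Server-side enforcement of an accepted list: drop every NULL suite."""
    return [s for s in suites if not is_null_suite(s)]


def client_offer(privacy_requested: bool) -> List[str]:
    """Suites the (old-jar) client offers, as described in the thread:
    privacy requested -> NULL suites disabled; privacy not requested -> only NULL suites."""
    if privacy_requested:
        return list(ENCRYPTING_SUITES)
    return list(NULL_SUITES)


def server_accept(strip_null: bool) -> List[str]:
    """Suites the server accepts, in its preference order.
    strip_null=False models the CVS policy that always includes a NULL suite;
    strip_null=True models the "new" jar that removes them."""
    suites = list(ENCRYPTING_SUITES) + list(NULL_SUITES)
    return strip_null_suites(suites) if strip_null else suites


def negotiate(offered: Sequence[str], accepted: Sequence[str]) -> Optional[str]:
    """Pick the first server-preferred suite the client also offered; None means
    the handshake fails for lack of a common cipher suite."""
    offered_set = set(offered)
    for suite in accepted:
        if suite in offered_set:
            return suite
    return None


def handshake(client_privacy: bool, server_strips_null: bool) -> Optional[str]:
    """Negotiated suite for one client/server policy combination, or None."""
    return negotiate(client_offer(client_privacy), server_accept(server_strips_null))


def compatibility_matrix() -> Dict[Tuple[bool, bool], Optional[str]]:
    """All four (client_privacy, server_strips_null) combinations."""
    return {
        (cp, ss): handshake(cp, ss)
        for cp in (True, False)
        for ss in (True, False)
    }


if __name__ == "__main__":
    for (cp, ss), result in compatibility_matrix().items():
        outcome = result if result else "handshake fails (no common suite)"
        print(f"client privacy={cp!s:5} server strips NULL={ss!s:5} -> {outcome}")
```

The case that matters for the server operator is `handshake(False, False)`: a server that keeps NULL suites in its accepted list lets a client choose an unencrypted connection regardless of what the service was configured for, which is why the accepted list has to be enforced on the server side rather than left to the client's privacy flag.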
