Dear All,

Globus is planning to change the default client-side algorithm for checking the 
server's identity used by GridFTP, MyProxy, GSI-OpenSSH, and GRAM. The new 
algorithm performs identity matching as described in section 3.1 of RFC 2818 
(https://tools.ietf.org/html/rfc2818#section-3.1), the standard describing TLS 
use with HTTP. This involves a change in the globus-gssapi-gsi library, and 
will apply to any application that uses the updated library.

The new "strict mode" algorithm is stricter in its enforcement: it checks that 
the server's certificate identity matches the hostname that the client used to 
contact the service. Once clients are configured for strict mode, client 
authentication of any Globus service will fail if the service is using a 
certificate that does not match the hostname the client used to contact it.

This change will bring our identity checking algorithm in line with RFC 2818, 
and will also close the door to reverse DNS lookup related attack vectors. As 
an example of why relying on reverse DNS for making security related decisions 
is not recommended, see https://cwe.mitre.org/data/definitions/350.html.
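To make the RFC 2818 section 3.1 check concrete for admins verifying their host certificates, here is an added example (not Globus code) that applies the strict-mode rules to the identities carried in a certificate. The subjectAltName lists, CN values and hostnames are constructed sample values; in practice they come from the certificate (e.g. the output of `openssl x509 -text -noout`).

```python
"""RFC 2818 s3.1 server identity matching, as strict mode applies it (added example)."""
import ipaddress
import re


def _wildcard_to_regex(pattern):
    # RFC 2818: '*' matches any single domain-name component or component fragment,
    # so "*.a.com" matches "foo.a.com" but not "bar.foo.a.com"; "f*.com" matches "foo.com".
    parts = [re.escape(p) for p in pattern.lower().split("*")]
    return re.compile("^" + "[^.]*".join(parts) + "$")


def dns_identity_matches(pattern, hostname):
    """Case-insensitive dNSName/CN comparison with RFC 2818 wildcard semantics."""
    host = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern.lower().rstrip(".") == host
    return _wildcard_to_regex(pattern.rstrip(".")).match(host) is not None


def strict_mode_accepts(connect_target, san_dns, san_ip, cn):
    """Return True if the name the client connected to matches the certificate.

    - An IP literal only matches an iPAddress subjectAltName entry.
    - If any dNSName subjectAltName entries exist, they are the only names checked;
      the subject CN is consulted only when no dNSName entry is present.
    """
    try:
        ip = ipaddress.ip_address(connect_target)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(i) == ip for i in san_ip)
    if san_dns:
        return any(dns_identity_matches(p, connect_target) for p in san_dns)
    return cn is not None and dns_identity_matches(cn, connect_target)


# Constructed cases (connect target, SAN dNSName, SAN iPAddress, CN, expected result).
CASES = [
    ("gridftp.example.org", ["gridftp.example.org"], [], "gridftp.example.org", True),
    # Client connects via a DNS alias, but the cert only names the canonical host. A
    # reverse lookup of the address would return the canonical name, so a reverse-DNS
    # based check accepts it; strict mode correctly rejects it.
    ("data.example.org", ["node01.example.org"], [], "node01.example.org", False),
    ("node07.example.org", ["*.example.org"], [], None, True),      # wildcard: one label
    ("a.node07.example.org", ["*.example.org"], [], None, False),   # not two labels
    ("192.0.2.10", ["node01.example.org"], ["192.0.2.10"], None, True),
    ("192.0.2.10", [], [], "192.0.2.10", False),                    # IP in CN is not enough
]


def failing_cases():
    """Names of constructed cases where the function disagrees with the expectation."""
    return [c[0] for c in CASES if strict_mode_accepts(*c[:4]) != c[4]]
```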

The Globus team has checked the host certificates used for a number of GridFTP 
endpoints and found that many are _not_ RFC 2818 compatible. These 
incompatible certificates will need to be replaced before clients default 
to the new strict mode algorithm.

We are reaching out to request that Globus service admins check their host 
certificates and update them if necessary. We are asking admins to replace any 
incompatible certificates by Mar 1, 2016. After March 1, we will release 
updated Globus Toolkit components that will change the default client 
authorization algorithm to strict mode. At that time, the Globus.org transfer 
service will also update its identity checking algorithm. This should ensure 
no service disruptions for the Globus community.

Note: Globus Connect Server installations that use the Globus provided 
certificate are not affected and do not have to make any changes to their 
Globus Connect Server endpoint(s).

We have created a page where additional details about this change will be 
communicated:
        https://docs.globus.org/security-bulletins/2015-12-strict-mode/
The above page includes common reasons for incompatibilities and how to check 
for compatibility.

If you have any questions or concerns regarding this planned change, please 
contact us at supp...@globus.org.

- The Globus team
