Hi All, Here is a reminder about this deadline and upcoming change.
Admins should check their host certificates and update them if necessary. Replace any incompatible certificates by Mar 1, 2016. To allow a bit of a buffer between the service-side certificate update deadline and clients beginning to use strict mode, updates will be made to the Globus Toolkit to default the client-side algorithm to strict mode on Tuesday, April 5, 2016.

- The Globus Team

> On Dec 1, 2015, at 2:50 PM, Stuart Martin <smar...@mcs.anl.gov> wrote:
>
> Dear All,
>
> Globus is planning to change the default client-side algorithm for checking the server's identity used by GridFTP, MyProxy, GSI-OpenSSH, and GRAM. The new algorithm performs identity matching as described in section 3.1 of RFC 2818 (https://tools.ietf.org/html/rfc2818#section-3.1), the standard describing TLS use with HTTP. This involves a change in the globus-gssapi-gsi library, and will apply to any application that uses the updated library.
>
> The new "strict mode" algorithm will be more strict in its enforcement, checking that the server's certificate identity matches the hostname that the client uses to contact the service. Once clients are configured for strict mode, client authentication (of any Globus service) would fail if the service is using a certificate that does not match the hostname that the client used to contact the service.
>
> This change will bring our identity checking algorithm in line with RFC 2818, and will also close the door to reverse DNS lookup related attack vectors. As an example of why relying on reverse DNS for making security related decisions is not recommended, see this link: https://cwe.mitre.org/data/definitions/350.html.
>
> The Globus team has checked the host certificates used for a number of GridFTP endpoints and found that many are _not_ RFC 2818 compatible. These incompatible certificates will need to be replaced prior to clients defaulting to the new strict mode algorithm.
>
> We are reaching out to request that Globus service admins check their host certificates and update them if necessary. We are asking admins to replace any incompatible certificates by Mar 1, 2016. After March 1, we will release updated Globus Toolkit components that will change the default client authorization algorithm to strict mode. At that time, the Globus.org transfer service will also update its identity checking algorithm. This should ensure no service disruptions for the Globus community.
>
> Note: Globus Connect Server installations that use the Globus provided certificate are not affected and do not have to make any changes to their Globus Connect Server endpoint(s).
>
> We have created a page where additional details about this change will be communicated: https://docs.globus.org/security-bulletins/2015-12-strict-mode/
> The above page includes common reasons for incompatibilities and how to check for compatibility.
>
> If you have any questions or concerns regarding this planned change, please contact us at supp...@globus.org.
>
> - The Globus team
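The RFC 2818 section 3.1 identity check that the announcement describes, written out as an added illustration. This is not code from the thread, the Globus Toolkit, or globus-gssapi-gsi; it is a stand-alone Python model of the rule: if the certificate carries any dNSName in subjectAltName, those names are the identity and the subject CN is ignored; only a certificate with no dNSName falls back to its (most specific) commonName; matching is case-insensitive and `*` matches a single label or label fragment. The certificate dicts use the layout returned by Python's `ssl.SSLSocket.getpeercert()` so a real peer certificate can be fed in, but the sample certificates and the hostnames `gridftp.example.org`, `*.data.example.org` and `node17.internal.example.org` are constructed for the example and are not taken from any real endpoint.

```python
"""RFC 2818 section 3.1 hostname matching ("strict mode" identity check).

Certificates are dicts in the shape of ssl.SSLSocket.getpeercert():
  {"subject": (((attr, value),), ...), "subjectAltName": (("DNS", name), ...)}
The sample certificates at the bottom are constructed for this example.
"""
from __future__ import annotations

import re


def _dns_names(cert: dict) -> list[str]:
    """All dNSName entries from subjectAltName (empty if none)."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def _common_names(cert: dict) -> list[str]:
    """All commonName attributes from the subject, in certificate order."""
    return [value for rdn in cert.get("subject", ()) for (kind, value) in rdn
            if kind == "commonName"]


def _match_pattern(pattern: str, hostname: str) -> bool:
    """Match one certificate name against the hostname the client used.

    Names compare case-insensitively. A '*' matches any single domain-name
    component or component fragment: f*.com matches foo.com but not bar.com,
    *.a.com matches foo.a.com but not bar.foo.a.com (RFC 2818 section 3.1).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    # Build one regex fragment per label; '*' becomes [^.]* so it can never
    # span a dot and therefore never matches more than one label.
    label_regexes = ["[^.]*".join(re.escape(piece) for piece in label.split("*"))
                     for label in pattern.split(".")]
    return re.fullmatch(r"\.".join(label_regexes), hostname) is not None


def rfc2818_match(cert: dict, hostname: str) -> tuple[bool, str]:
    """Strict-mode check: does `cert` identify `hostname`? Returns (ok, reason).

    If any dNSName is present in subjectAltName those names MUST be used as
    the identity and the subject CN is ignored. Only when no dNSName exists
    does the most specific (last) commonName count.
    """
    names = _dns_names(cert)
    source = "subjectAltName dNSName"
    if not names:
        cns = _common_names(cert)
        if not cns:
            return False, "certificate carries neither a dNSName nor a commonName"
        names = [cns[-1]]
        source = "subject commonName (no dNSName present)"
    for name in names:
        if _match_pattern(name, hostname):
            return True, f"{hostname!r} matched {name!r} from {source}"
    return False, f"{hostname!r} matched none of {names} from {source}"


# Constructed sample certificates (hypothetical names, not real endpoints).
SAN_CERT = {  # compatible: SAN names the contact hostname plus a wildcard
    "subject": ((("commonName", "gridftp.example.org"),),),
    "subjectAltName": (("DNS", "gridftp.example.org"), ("DNS", "*.data.example.org")),
}
CN_ONLY_CERT = {  # compatible: no SAN, so the CN is the identity
    "subject": ((("organizationName", "Example Grid"),),
                (("commonName", "gridftp.example.org"),)),
}
SAN_SHADOWS_CN_CERT = {  # incompatible for gridftp.example.org: the SAN is
    # present and names only the machine's canonical name, so the CN is ignored
    "subject": ((("commonName", "gridftp.example.org"),),),
    "subjectAltName": (("DNS", "node17.internal.example.org"),),
}


def audit(endpoints: list[tuple[str, dict]]) -> list[tuple[str, bool, str]]:
    """Run the strict-mode check over (contact hostname, certificate) pairs."""
    return [(host, *rfc2818_match(cert, host)) for host, cert in endpoints]


if __name__ == "__main__":
    for host, ok, reason in audit([
        ("GridFTP.Example.Org", SAN_CERT),
        ("xfer1.data.example.org", SAN_CERT),
        ("a.b.data.example.org", SAN_CERT),
        ("gridftp.example.org", CN_ONLY_CERT),
        ("gridftp.example.org", SAN_SHADOWS_CN_CERT),
    ]):
        print("OK  " if ok else "FAIL", reason)
```

The third sample is the case worth checking for before the deadline: a certificate whose CN carries the service alias clients actually connect to, while its subjectAltName lists a different name. A client performing RFC 2818 matching ignores the CN once a dNSName is present and rejects the connection, so the fix is a certificate whose subjectAltName includes every hostname clients use to reach the service.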