Hi All,

I have been informed that some organizations need more time to update their 
host certificates to be compliant with the new strict mode algorithm.  To 
maintain compatibility throughout the Globus community, this update to the 
Globus Toolkit has been rescheduled for May 3.

I encourage everyone to test their host certificates now and update them if 
necessary.  See this page for details:
        https://docs.globus.org/security-bulletins/2015-12-strict-mode/

- The Globus Team

> On Feb 4, 2016, at 5:21 PM, Stuart Martin <smar...@mcs.anl.gov> wrote:
> 
> Hi All,
> 
> Here is a reminder about this deadline and upcoming change.
> 
> Admins should check their host certificates and update them if necessary.  
> Replace any incompatible certificates by Mar 1, 2016.
> 
> To allow a bit of a buffer between the service-side certificate update 
> deadline and clients beginning to use strict mode, updates will be made to 
> the Globus Toolkit to default the client-side algorithm to strict mode on 
> Tuesday, April 5, 2016.
> 
> - The Globus Team
> 
>> On Dec 1, 2015, at 2:50 PM, Stuart Martin <smar...@mcs.anl.gov> wrote:
>> 
>> Dear All,
>> 
>> Globus is planning to change the default client-side algorithm for checking 
>> the server’s identity used by GridFTP, MyProxy, GSI-OpenSSH, and GRAM.  The 
>> new algorithm performs identity matching as described in section 3.1 of RFC 
>> 2818 (https://tools.ietf.org/html/rfc2818#section-3.1), the standard 
>> describing TLS use with HTTP.   This involves a change in the 
>> globus-gssapi-gsi library, and will apply to any application that uses the 
>> updated library.
>> 
>> The new “strict mode” algorithm will be more strict in its enforcement, 
>> checking that the server’s certificate identity matches the hostname that 
>> the client uses to contact the service.  Once clients are configured for 
>> strict mode, client authentication (of any Globus service) would fail if the 
>> service is using a certificate that does not match the hostname that the 
>> client used to contact the service.
>> 
>> This change will bring our identity checking algorithm in line with RFC 
>> 2818, and will also close the door to reverse DNS lookup related attack 
>> vectors. As an example of why relying on reverse DNS for making security 
>> related decisions is not recommended, see this link: 
>> https://cwe.mitre.org/data/definitions/350.html.
>> 
>> The Globus team has checked the host certificates used for a number of 
>> GridFTP endpoints and found that many are _not_ RFC 2818 compatible.  These 
>> incompatible certificates will need to be replaced prior to clients 
>> defaulting to the new strict mode algorithm.
>> 
>> We are reaching out to request that Globus service admins check their host 
>> certificates and update them if necessary.  We are asking admins to replace 
>> any incompatible certificates by Mar 1, 2016.  After March 1, we will 
>> release updated Globus Toolkit components that will change the default 
>> client authorization algorithm to strict mode.  At that time, the Globus.org 
>> transfer service will also update its identity checking algorithm.  This 
>> should ensure no service disruptions for the Globus community.
>> 
>> Note: Globus Connect Server installations that use the Globus provided 
>> certificate are not affected and do not have to make any changes to their 
>> Globus Connect Server endpoint(s).
>> 
>> We have created a page where additional details about this change will be 
>> communicated:
>>      https://docs.globus.org/security-bulletins/2015-12-strict-mode/
>> The above page includes common reasons for incompatibilities and how to 
>> check for compatibility.
>> 
>> If you have any questions or concerns regarding this planned change, please 
>> contact us at supp...@globus.org.
>> 
>> - The Globus team
> 
