Hi,

Did this change happen as planned? Is the transition going OK for everyone?

In my role as CA operator, I know we've been issuing a lot of host certs with multiple subjectAltNames in preparation for this transition, so hopefully everyone has the certs they need.

-Jim

On 2/4/16, 5:21 PM, Stuart Martin wrote:
> Hi All,
>
> Here is a reminder about this deadline and upcoming change.
>
> Admins should check their host certificates and update them if necessary.
> Replace any incompatible certificates by Mar 1, 2016.
>
> To allow a bit of a buffer between the service-side certificate update
> deadline and clients beginning to use strict mode, updates will be made
> to the Globus Toolkit to default the client-side algorithm to strict mode
> on Tuesday, April 5, 2016.
>
> - The Globus Team
>
>> On Dec 1, 2015, at 2:50 PM, Stuart Martin <smar...@mcs.anl.gov> wrote:
>>
>> Dear All,
>>
>> Globus is planning to change the default client-side algorithm for
>> checking the server's identity used by GridFTP, MyProxy, GSI-OpenSSH,
>> and GRAM. The new algorithm performs identity matching as described in
>> section 3.1 of RFC 2818
>> (https://tools.ietf.org/html/rfc2818#section-3.1), the standard
>> describing TLS use with HTTP. This involves a change in the
>> globus-gssapi-gsi library, and will apply to any application that uses
>> the updated library.
>>
>> The new "strict mode" algorithm will be more strict in its enforcement,
>> checking that the server's certificate identity matches the hostname
>> that the client uses to contact the service. Once clients are
>> configured for strict mode, client authentication (of any Globus
>> service) would fail if the service is using a certificate that does not
>> match the hostname that the client used to contact the service.
>>
>> This change will bring our identity checking algorithm in line with RFC
>> 2818, and will also close the door to reverse DNS lookup related attack
>> vectors. As an example of why relying on reverse DNS for making security
>> related decisions is not recommended, see this link:
>> https://cwe.mitre.org/data/definitions/350.html.
>>
>> The Globus team has checked the host certificates used for a number of
>> GridFTP endpoints and found that many are _not_ RFC 2818 compatible.
>> These incompatible certificates will need to be replaced prior to
>> clients defaulting to the new strict mode algorithm.
>>
>> We are reaching out to request that Globus service admins check their
>> host certificates and update them if necessary. We are asking admins to
>> replace any incompatible certificates by Mar 1, 2016. After March 1, we
>> will release updated Globus Toolkit components that will change the
>> default client authorization algorithm to strict mode. At that time,
>> the Globus.org transfer service will also update its identity checking
>> algorithm. This should ensure no service disruptions for the Globus
>> community.
>>
>> Note: Globus Connect Server installations that use the Globus provided
>> certificate are not affected and do not have to make any changes to
>> their Globus Connect Server endpoint(s).
>>
>> We have created a page where additional details about this change will
>> be communicated:
>> https://docs.globus.org/security-bulletins/2015-12-strict-mode/
>> The above page includes common reasons for incompatibilities and how to
>> check for compatibility.
>>
>> If you have any questions or concerns regarding this planned change,
>> please contact us at supp...@globus.org.
>>
>> - The Globus team
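The RFC 2818 section 3.1 matching that the announcement above describes, as an added Python example (not Globus code) an admin could use to pre-check which client-facing names a host certificate's identities will satisfy under strict mode. The certificate contents and hostnames below are constructed and hypothetical.

```python
# Added example: RFC 2818 section 3.1 server identity matching, for pre-checking
# a host certificate before clients switch to strict mode. Not Globus code; the
# "cert" dicts are constructed inputs standing in for parsed certificates.
from typing import Dict, Optional, Sequence


def _label_matches(pattern: str, label: str) -> bool:
    # RFC 2818 3.1: '*' matches any single domain-name component or component
    # fragment, so 'f*' matches 'foo' but '*.a.com' never spans a dot.
    if "*" not in pattern:
        return pattern == label
    head, _, tail = pattern.partition("*")
    return (label.startswith(head) and label.endswith(tail)
            and len(label) >= len(head) + len(tail))


def _name_matches(pattern: str, hostname: str) -> bool:
    # Compare label by label, case-insensitively, ignoring a trailing dot.
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def rfc2818_match(hostname: str, san_dns: Sequence[str], common_name: Optional[str]) -> bool:
    """True if a certificate carrying these identities is acceptable for hostname.

    RFC 2818 3.1: if any dNSName subjectAltName is present it MUST be used as the
    identity and the Common Name is ignored; the CN is only a fallback."""
    if san_dns:
        return any(_name_matches(n, hostname) for n in san_dns)
    if common_name:
        return _name_matches(common_name, hostname)
    return False


def check_endpoint(cert: dict, client_hostnames: Sequence[str]) -> Dict[str, bool]:
    """Map each name clients connect with to whether strict mode would accept it."""
    return {h: rfc2818_match(h, cert.get("san_dns", []), cert.get("cn")) for h in client_hostnames}


# Constructed sample certificates (hypothetical names, not real endpoints).
CERTS = {
    # No subjectAltName and a CN with a non-hostname prefix: fails strict mode.
    "legacy": {"cn": "host/gridftp.example.org", "san_dns": []},
    # One SAN: accepted for the canonical name, rejected when clients use an alias.
    "single_san": {"cn": "gridftp.example.org", "san_dns": ["gridftp.example.org"]},
    # Multiple SANs covering every name clients might use.
    "multi_san": {"cn": "gridftp.example.org", "san_dns": ["gridftp.example.org", "data.example.org"]},
}

if __name__ == "__main__":
    for label, cert in CERTS.items():
        print(label, check_endpoint(cert, ["gridftp.example.org", "data.example.org"]))
```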