URT:Agenda-19-09-2016

From EGIWiki

Meeting

Calendar: https://indico.egi.eu/indico/categoryDisplay.py?categId=107

News

Status of the products verification/staged rollout

Ready to be Released

UMD-3:

UMD-4:

Under Staged Rollout

In Verification

Report from WLCG MW Officer

NTR

Updates from Technical Providers

dCache

DPM/LFC

We did some tests with DPM-DSI 1.9.8-3 + latest Globus compiled with OpenSSL 1.1.0 released in EPEL-testing by Mattias. Everything looks OK.

Data management clients

NTR

FTS

NTR

ARC

QCG

Globus

As previously announced, the Globus Toolkit has been updated to work with the recently released OpenSSL 1.1.0. These updates have now been packaged in EPEL.

EPEL 5, 6 and 7 of course have not updated their OpenSSL versions. But in order not to have to maintain different versions of the Globus Toolkit codebase, the changes for OpenSSL 1.1.0 have been done in a backward-compatible way so that the new code compiles with the older OpenSSL version used in EPEL as well. The support for some really old versions of OpenSSL was dropped.

Some very low level parts of the code required significant changes, since some deprecated APIs in OpenSSL were removed and also because many of OpenSSL's structs are now opaque and can only be manipulated using setter and getter functions. The API and ABI of the Globus Toolkit libraries should however remain unchanged.

A few points to highlight:

Since all versions of OpenSSL that are now supported by the Globus Toolkit support the proxy certificate info extension, the implementation of this extension in the globus-gsi-proxy-ssl library, i.e. the PROXYCERTINFO type and the associated functions, has been deprecated in favour of the OpenSSL implementation (i.e. the PROXY_CERT_INFO_EXTENSION type). The PROXYCERTINFO type still exists and code that uses it and the associated functions will compile (with a warning), and existing binaries will still work.

Another thing to look out for is if you are using the functions

- globus_gsi_proxy_handle_get_proxy_cert_info
- globus_gsi_proxy_handle_set_proxy_cert_info

in the globus-gsi-proxy-core library. These are now implemented using PROXY_CERT_INFO_EXTENSION rather than PROXYCERTINFO. However, both implementations are available in the new library, which now uses versioned symbols. This means that existing binaries that were compiled against an older version of the library will still use the PROXYCERTINFO implementation, while new compilations get the PROXY_CERT_INFO_EXTENSION version by default. If you for some reason need the PROXYCERTINFO versions of the functions when compiling against the new library, they are available as:

- globus_gsi_proxy_handle_get_proxy_cert_info_proxy_ssl
- globus_gsi_proxy_handle_set_proxy_cert_info_proxy_ssl

In the globus-gssapi-gsi library there is a new implementation of the gss_get_mic and gss_verify_mic functions. Testing has shown these new implementations to not be fully backward compatible, which causes some problems for the gsissh client/server authentication. There is an option in the gsi.conf file whether to use this new implementation or not. For now an update to the package has been created that changes the default back to using the old implementation where possible. However, the old implementation cannot be used when building against OpenSSL 1.1.0, so this issue will have to be addressed in the future.

The updates are available in EPEL testing:

Please test and provide feedback.

OpenSSL 1.1.0

OpenSSL 1.1.0 has been proposed for inclusion in Fedora 26: https://fedoraproject.org/wiki/Changes/OpenSSL110

and the transition in Debian unstable will start soon: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=827061

xrootd

GridSite

caNl

Preview

New Preview Repository release on Sep 14th:

AOB
