Red Hat Bugzilla – Bug 1471472
fedora should maintain openssl 1.0
Last modified: 2017-08-09 11:58:27 EDT
Created attachment 1299264
actual result, gsissh log with f26 build
Description of problem:
Globus ssh is not working with the current openssl 1.1.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. install globus toolkit for fedora 26
3. gsissh to server
the log file is added as gsissh_from_f26
the log file is added as gsissh_from_f25
I am lucky that the globus maintainer is my colleague, so I mailed him personally.
He told me the reason:
"The issue here is that Fedora 26 uses openssl 1.1. The original message
integrity checking (MIC) algorithm used in GSI could not be ported to
openssl 1.1 since it was using information that is now hidden inside
opaque data structures in the new openssl. As part of the porting of
the Globus Toolkit to openssl 1.1, a new MIC algorithm was written
(MICv2) by the Globus Toolkit developers. If you are compiling Globus
against openssl 1.1, only the new MIC is available. When compiling
against openssl 1.0 both are available, and when compiling against the
old openssl 0.9.8 only the old MIC is available.
In the log the server identifies itself as "GSI_GSSAPI_20160606". This
version only supports the old MIC. Support for the new MIC was added in
the version labelled "GSI_GSSAPI_20161122".
So for a client running on Fedora 26, which has openssl 1.1 and
therefore does not support the old MIC, to be able to connect to a
server, the server must run GSI_GSSAPI_20161122 or later, which the
server you are trying to connect to does not do.
I hope you will be able to contact the administrators of the server and
ask them to update the server to a newer version.
The server needs to have openssl 1.0 or later and a Globus Toolkit
version from around November 2016 or later to support the new MIC. I
hope it is not running something really old like RHEL 5, which was
using openssl 0.9.8."
Now, I mailed this to a Europe-wide supercomputer facility (http://www.prace-ri.eu/prace-in-a-few-words/), and from support I realize that the upgrade will take time:
> the Globus Toolkit stack was upgraded to the latest stable release on
> Salomon yesterday (Wednesday May 18th).
> You can try now if your latest version of GT on Fedora with MICv2
> works against it.
> Salomon uses OpenSSL version openssl-1.0.1e-42.el6_7.4 (coming
> directly from RHEL 6.7) and GT is compiled against it.
I'm afraid that we'll have to keep you using the downgraded Globus Toolkit on your system.
It seems that the situation will eventually change after we upgrade to RHEL 7, but we'll have to check it then.
Currently we don't plan to upgrade Salomon to RHEL 7.x sooner than next year.
It mainly depends on the support matrix of our SW/driver stack (we have a combination of the vendor's mgmt. system, IB OFED, Intel Phi's MPSS and Lustre).
It is understandable from both Mattias's and the PRACE maintainers' points of view. Currently I am living with globus from f25, but it won't be available after f27. So, I propose to maintain openssl 1.0 as well.
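The MIC compatibility rules from the quoted mail can be turned into a small diagnostic. This is an added example, not code from the bug report or from the Globus Toolkit. The function names, the sample log text and the sample OpenSSL version strings are constructed for illustration, and treating releases newer than 1.1 like 1.1 is an assumption.

```python
import re

OLD, V2 = "old MIC", "MICv2"
MICV2_SINCE = 20161122  # first GSI_GSSAPI label with MICv2, per the quoted mail

def mics_for_openssl(version):
    """MIC algorithms a Globus build can offer for the OpenSSL it was compiled against."""
    m = re.search(r"(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major_minor = (int(m.group(1)), int(m.group(2)))
    if major_minor < (1, 0):
        return {OLD}        # 0.9.8: only the old MIC
    if major_minor == (1, 0):
        return {OLD, V2}    # 1.0: both
    return {V2}             # 1.1 (assumed to hold for later releases too)

def server_label(log_text):
    """Return the date part of the first GSI_GSSAPI_YYYYMMDD label in a log, or None."""
    m = re.search(r"GSI_GSSAPI_(\d{8})", log_text)
    return int(m.group(1)) if m else None

def mics_for_server(label, server_openssl):
    """A server older than the MICv2 release cannot offer MICv2, whatever its OpenSSL."""
    mics = mics_for_openssl(server_openssl)
    return mics if label >= MICV2_SINCE else mics - {V2}

def diagnose(client_openssl, server_openssl, log_text):
    """Return (server label, MIC algorithms both sides share); an empty set means no interop."""
    label = server_label(log_text)
    if label is None:
        return None, set()
    return label, mics_for_openssl(client_openssl) & mics_for_server(label, server_openssl)

# Constructed sample text; a real gsissh debug log is formatted differently.
SAMPLE_LOG = "constructed sample line\nserver identifies itself as GSI_GSSAPI_20160606\n"

if __name__ == "__main__":
    # Client version strings are sample values for an OpenSSL 1.1 and a 1.0 build.
    for client in ("1.1.0f", "1.0.2k"):
        label, common = diagnose(client, "openssl-1.0.1e-42.el6_7.4", SAMPLE_LOG)
        print(client, label, sorted(common) or "no common MIC algorithm")
```

An empty result for the OpenSSL 1.1 client against the `GSI_GSSAPI_20160606` server matches the failure reported here, while the OpenSSL 1.0 client still shares the old MIC with it.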
Created attachment 1299266
gsissh log from f25 build
gsi-openssh-7.5p1-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-7c4eceda05
gsi-openssh-7.5p1-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-7c4eceda05
gsi-openssh-7.5p1-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.