Bug 1471472 - fedora should maintain openssl 1.0
Product: Fedora
Classification: Fedora
Component: gsi-openssh
Assigned To: Mattias Ellert
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-07-16 04:46 EDT by RudraB
Modified: 2017-08-09 11:58 EDT
Fixed In Version: gsi-openssh-7.5p1-2.fc26
Last Closed: 2017-08-09 11:58:27 EDT
Type: Bug

Attachments:
actual result, gsissh log with f26 build (5.96 KB, text/plain)
2017-07-16 04:46 EDT, RudraB
gsissh log from f25 build (13.66 KB, text/plain)
2017-07-16 04:46 EDT, RudraB
Description RudraB 2017-07-16 04:46:07 EDT
Created attachment 1299264
actual result, gsissh log with f26 build

Description of problem:
globus ssh is not working with the current openssl 1.1.

Version-Release number of selected component (if applicable):
openssl 1.1

How reproducible:

Steps to Reproduce:
1. install globus toolkit for fedora 26
2. grid-proxy-init
3. gsissh to server 

Actual results:
the log file is added as gsissh_from_f26

Expected results:
the log file is added as gsissh_from_f25

Additional info:
I am lucky that the globus maintainer is my colleague, so I mailed him personally.
He told me the reason:

"The issue here is that Fedora 26 uses openssl 1.1. The original message
integrity checking (MIC) algorithm used in GSI could not be ported to
openssl 1.1 since it was using information that is now hidden inside
opaque data structures in the new openssl. As part of the porting of
the Globus Toolkit to openssl 1.1, a new MIC algorithm was written
(MICv2) by the Globus Toolkit developers. If you are compiling Globus
against openssl 1.1, only the new MIC is available. When compiling
against openssl 1.0 both are available, and when compiling against the
old openssl 0.9.8 only the old MIC is available.

In the log the server identifies itself as "GSI_GSSAPI_20160606". This
version only supports the old MIC. Support for the new MIC was added in
the version labelled "GSI_GSSAPI_20161122".

So for a client running on Fedora 26, which has openssl 1.1 and
therefore does not support the old MIC, to be able to connect to a
server, the server must run GSI_GSSAPI_20161122 or later, which the
server you are trying to connect to does not do.

I hope you will be able to contact the administrators of the server and
ask them to update the server to a newer version.

The server needs to have openssl 1.0 or later and a Globus Toolkit
version from around November 2016 or later to support the new MIC. I
hope it is not running something really old like RHEL 5, which was
using openssl 0.9.8."

Now, I mailed this to a Europe-wide supercomputer facility (http://www.prace-ri.eu/prace-in-a-few-words/), and from support I realize that the upgrade will take time:

Reply 1:
> the Globus Toolkit stack was upgraded to the latest stable release on
> Salomon yesterday (Wednesday May 18th).
> You can try now if your latest version of GT on Fedora with MICv2
> works against it. 
> Salomon uses OpenSSL version openssl-1.0.1e-42.el6_7.4 (coming
> directly from RHEL 6.7) and GT is compiled against it.

And Final:

I'm afraid that we'll have to keep you using the downgraded Globus Toolkit on your system. 
Seems, that the situation will eventually change after we upgrade to RHEL 7, but we'll have to check it then.
Currently we don't plan to upgrade Salomon to RHEL 7.x sooner than next year.
It mainly depends on the support matrix of our SW/driver stack (we have a combination of the vendors mgmt. system, IB OFED, Intel Phi's MPSS and Lustre).

It is understandable from both Mattias's and the PRACE maintainers' points of view. Currently I am living with globus from f25, but it won't be available after f27. So, I propose to maintain openssl 1.0 as well.
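
The compatibility rule quoted from the maintainer above, as an added example that is not part of the bug report or of Globus code: it pulls the server's `GSI_GSSAPI_<date>` tag out of client debug output and computes which MIC algorithms both ends share. The function names and the two log lines are constructed for illustration; it assumes the server is built against OpenSSL 1.0 unless told otherwise, and treats OpenSSL releases newer than 1.1 like 1.1.

```python
import re

MICV2_SINCE = 20161122  # first server tag with MICv2, per the quoted explanation
TAG_RE = re.compile(r"GSI_GSSAPI_(\d{8})")

def build_mics(openssl_version):
    """MIC algorithms a Globus build can offer for a given OpenSSL series."""
    m = re.match(r"(\d+)\.(\d+)", openssl_version)
    if m is None:
        raise ValueError("unrecognised OpenSSL version: %r" % openssl_version)
    series = (int(m.group(1)), int(m.group(2)))
    if series < (1, 0):          # e.g. 0.9.8: only the old MIC
        return {"old"}
    if series == (1, 0):         # 1.0.x: both algorithms
        return {"old", "MICv2"}
    return {"MICv2"}             # 1.1 (assumed: and later): only MICv2

def server_tag(log_text):
    """Return the YYYYMMDD date of the server's GSI_GSSAPI tag, or None."""
    m = TAG_RE.search(log_text)
    return int(m.group(1)) if m else None

def common_mics(log_text, client_openssl, server_openssl="1.0"):
    """MIC algorithms shared by the client build and the server in the log."""
    tag = server_tag(log_text)
    if tag is None:
        raise ValueError("no GSI_GSSAPI_<date> tag found in log")
    server = build_mics(server_openssl)
    if tag < MICV2_SINCE:        # server code predates MICv2
        server.discard("MICv2")
    return build_mics(client_openssl) & server

# Constructed sample lines; only the GSI_GSSAPI_<date> tags come from the report.
SAMPLE_OLD = "debug1: remote software version EXAMPLE GSI_GSSAPI_20160606\n"
SAMPLE_NEW = "debug1: remote software version EXAMPLE GSI_GSSAPI_20161122\n"

if __name__ == "__main__":
    for name, log in (("old server", SAMPLE_OLD), ("new server", SAMPLE_NEW)):
        for client in ("0.9.8", "1.0.2k", "1.1.0f"):
            shared = sorted(common_mics(log, client)) or ["none: handshake fails"]
            print("%s, client OpenSSL %s -> %s" % (name, client, ", ".join(shared)))
```

An empty result corresponds to the failure reported here: a Fedora 26 client (OpenSSL 1.1) against a server tagged GSI_GSSAPI_20160606.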
Comment 1 RudraB 2017-07-16 04:46 EDT
Created attachment 1299266
gsissh log from f25 build
Comment 2 Fedora Update System 2017-07-31 09:55:17 EDT
gsi-openssh-7.5p1-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-7c4eceda05
Comment 3 Fedora Update System 2017-07-31 20:25:58 EDT
gsi-openssh-7.5p1-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-7c4eceda05
Comment 4 Fedora Update System 2017-08-09 11:58:27 EDT
gsi-openssh-7.5p1-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.