DIRACGrid / DIRACOS2

GNU General Public License v3.0

Use OpenSSL 3.0.x #95

Closed chrisburr closed 1 year ago

chrisburr commented 1 year ago

BEGINRELEASENOTES

CHANGE: Use OpenSSL 3.0.0
CHANGE: Use latest mysql client. This will break the use of TLS with servers older than MySQL v5.7.10+ (MariaDB 5.5.41+/MariaDB 10.0.15+). See https://github.com/DIRACGrid/DIRACOS2/pull/95.
CHANGE: Use latest arc client libs

ENDRELEASENOTES

fstagni commented 1 year ago

@arrabito @andresailer @hmiyake @atsareg @marianne013 with this PR we will:

We need your "OK" before continuing.

hmiyake commented 1 year ago

For our internal discussion in Belle2, what will be incompatible with v7r2 python3 client?

chrisburr commented 1 year ago

For our internal discussion in Belle2, what will be incompatible with v7r2 python3 client?

Anything involving RPC or proxies (i.e. everything). The fix for it is https://github.com/DIRACGrid/DIRAC/pull/6645.

hmiyake commented 1 year ago

Thank you so much! I understand what will happen with coming DIRACOS2 releases...

arrabito commented 1 year ago

We are using rel 8.0.5 in production, so it's fine for us with respect to breaking v7r2 python3 releases. Concerning the DB, it seems that it's also fine for us. We have 2 DB servers with MariaDB 10.6.8 and 1 with MariaDB 10.4.2.

The last point you mentioned is using TLS. How can I check that?

Thank you.

chrisburr commented 1 year ago

The last point you mentioned is using TLS. How can I check that?

@arrabito If you connect with the mysql CLI and run status you should see a line like this if you're using TLS:

SSL:            Cipher in use is TLS_AES_256_GCM_SHA384

You can also check which TLS versions the server is configured to allow using:

mysql> SHOW GLOBAL VARIABLES LIKE 'tls_version';
+---------------+-----------------+
| Variable_name | Value           |
+---------------+-----------------+
| tls_version   | TLSv1.2,TLSv1.3 |
+---------------+-----------------+
1 row in set (0.01 sec)
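
Added example for the two checks above, written for this thread and not part of DIRAC or DIRACOS2: it parses the `SSL:` line of `mysql> status` and the `tls_version` row of `SHOW GLOBAL VARIABLES LIKE 'tls_version'` and reports whether the connection is on TLS now and whether the server still offers TLS versions below 1.2. The sample outputs are constructed, the hostnames are placeholders, and the assumption that an OpenSSL 3.0 client refuses TLS 1.0/1.1 at its default security level is the example's own, not something the thread states.

```python
"""Offline triage of `mysql> status` and `tls_version` output.

Added example for this thread; not DIRAC or DIRACOS2 code.  The sample
outputs below are constructed to mirror the two shapes seen in the thread.
"""
import re
from typing import List, Optional

# Assumption (not stated in the thread): an OpenSSL 3.0 client refuses these
# protocol versions at its default security level, so a server that offers
# only these would lose TLS once the new client is deployed.
LEGACY_TLS = {"TLSv1", "TLSv1.0", "TLSv1.1"}
MODERN_TLS = {"TLSv1.2", "TLSv1.3"}

# Constructed `mysql> status` output for a plaintext connection.
STATUS_PLAINTEXT = """\
--------------
mysql  Ver 15.1 Distrib 5.5.68-MariaDB, for Linux (x86_64) using readline 5.1

Connection id:      1234
Current database:
Current user:       dirac@db-client.example.org
SSL:            Not in use
"""

# Constructed `mysql> status` output for a TLS connection.
STATUS_TLS = STATUS_PLAINTEXT.replace(
    "SSL:            Not in use",
    "SSL:            Cipher in use is TLS_AES_256_GCM_SHA384",
)

# Constructed `SHOW GLOBAL VARIABLES LIKE 'tls_version'` tables.
TLS_VERSION_LEGACY = """\
+---------------+-------------------------+
| Variable_name | Value                   |
+---------------+-------------------------+
| tls_version   | TLSv1.1,TLSv1.2,TLSv1.3 |
+---------------+-------------------------+
"""
TLS_VERSION_MODERN = """\
+---------------+-----------------+
| Variable_name | Value           |
+---------------+-----------------+
| tls_version   | TLSv1.2,TLSv1.3 |
+---------------+-----------------+
"""


def cipher_in_use(status_output: str) -> Optional[str]:
    """Return the cipher named on the `SSL:` line, or None for "Not in use".

    A missing line raises instead of returning None, so a truncated paste is
    never mistaken for a plaintext connection.
    """
    m = re.search(r"^SSL:\s*(.+?)\s*$", status_output, re.MULTILINE)
    if m is None:
        raise ValueError("no 'SSL:' line in status output")
    value = m.group(1)
    if value.lower() == "not in use":
        return None
    cipher = re.fullmatch(r"Cipher in use is (\S+)", value)
    if cipher is None:
        raise ValueError(f"unrecognised SSL line: {value!r}")
    return cipher.group(1)


def allowed_tls_versions(show_output: str) -> List[str]:
    """Parse the Value column of the tls_version row of the SHOW table."""
    m = re.search(r"\|\s*tls_version\s*\|\s*([^|]*)\|", show_output)
    if m is None:
        raise ValueError("no tls_version row in SHOW output")
    return [v.strip() for v in m.group(1).split(",") if v.strip()]


def assess(status_output: str, show_output: str) -> dict:
    """Combine both checks: is TLS in use now, and would the server still
    have a TLS version to negotiate once TLS < 1.2 is refused by the client?"""
    versions = allowed_tls_versions(show_output)
    return {
        "cipher": cipher_in_use(status_output),
        "allowed_versions": versions,
        "legacy_versions_enabled": [v for v in versions if v in LEGACY_TLS],
        "modern_version_available": any(v in MODERN_TLS for v in versions),
    }


if __name__ == "__main__":
    for label, status, show in [
        ("plaintext client, legacy TLS still enabled", STATUS_PLAINTEXT, TLS_VERSION_LEGACY),
        ("TLS client, TLS 1.2/1.3 only", STATUS_TLS, TLS_VERSION_MODERN),
    ]:
        print(label, assess(status, show))
```

`status` is a command of the interactive mysql CLI; from a script the same fact is available as `SHOW SESSION STATUS LIKE 'Ssl_cipher'`, whose value is empty on a plaintext connection, and the output of that query can be fed to the same kind of parser. A connection that reports "Not in use" is unaffected by the client-side TLS change in this PR, which is the point of the check, but it also means DB credentials and query traffic are travelling in the clear.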

chrisburr commented 1 year ago

Thank you so much! I understand what will happen with coming DIRACOS2 releases...

@hmiyake Does this mean that it's okay for us to break v7r2 support from your perspective? Or would it be preferable to re-open https://github.com/DIRACGrid/DIRAC/pull/6645?

arrabito commented 1 year ago

@chrisburr thank you. So I've just tried and I get:

MariaDB [(none)]> status
--------------
mysql  Ver 15.1 Distrib 5.5.68-MariaDB, for Linux (x86_64) using readline 5.1

Connection id:      140685194
Current database:   
Current user:       cta_dirac@134.158.240.241
SSL:            Not in use
.....

which seems to indicate that we don't use TLS, right?

Even if I also get:

mysql> SHOW GLOBAL VARIABLES LIKE 'tls_version';
+---------------+-------------------------+
| Variable_name | Value                   |
+---------------+-------------------------+
| tls_version   | TLSv1.1,TLSv1.2,TLSv1.3 |
+---------------+-------------------------+
1 row in set (0.01 sec)

Thank you.

hmiyake commented 1 year ago

@chrisburr No, that was not the final answer to your original question...I just wanted to consider our solutions. I've informed my colleagues of this situation and the possible scenario...could you wait a bit? At the latest we will answer during next week.

If re-opening #6645 is one of the options, that's reassuring...of course it should be a kind of last resort...for example when a severe security issue occurs in the existing DIRACOS2...

By the way, what is the earliest date you would switch to OpenSSL3? Just after all VOs have agreed?

chrisburr commented 1 year ago

@arrabito Yup, that looks all good so you shouldn't have any issues. Thanks for checking! 😄

chrisburr commented 1 year ago

By the way, what is the earliest date you would switch to OpenSSL3? Just after all VOs have agreed?

As soon as possible. Since yesterday conda-forge is no longer building against OpenSSL 3 so we can't update any packages until we switch.

hmiyake commented 1 year ago

I'm sorry to have kept you waiting...we concluded to give a green light to drop v7r2 support from DIRACOS2.

Just to be sure, do you think we can deploy v7r2 with the existing DIRACOS2 (i.e. 2.31-), even after the OpenSSL3 DIRACOS2 is released? Naively we can take the package from https://github.com/DIRACGrid/DIRACOS2/releases, but I wonder if we have any pitfall...

In any case, we agreed to move on supported v7.3 and v8.0 as soon as possible.

chrisburr commented 1 year ago

Thanks for looking into it and confirming 😄

Naively we can take the package from https://github.com/DIRACGrid/DIRACOS2/releases, but I wonder if we have any pitfall...

Yes you can, the only catch is that you're stuck on the current release. (Though you could use micromamba to change versions of specific packages if you really needed to.)

hmiyake commented 1 year ago

Thank you for prompt confirmation! I see, then we will use 2.30 by default...