jglobus / JGlobus

jGlobus is a collection of Java client libraries for Globus® Toolkit security, GRAM, and GridFTP.
http://www.globus.org/toolkit/jglobus/
Apache License 2.0

Do not force SSLv3/TLSv1 - allow TLSv1.1/TLSv1.2 #166

Closed ellert closed 5 years ago

ellert commented 5 years ago

This makes jglobus compatible with clients that request minimum TLS version 1.2.

This patch is part of the latest OSG/WLCG package build.

kofemann commented 5 years ago

Hm, do we really need to allow TLSv1.1?

https://tools.ietf.org/id/draft-moriarty-tls-oldversions-diediedie-00.html#rfc.section.5

ellert commented 5 years ago

In order not to disrupt things you need to make this in two steps. First update the software to allow using TLS 1.2, then when (most) sites have updated to a version that supports 1.2 you can change the software to require TLS 1.2. You need to let some time pass between making it possible to use TLS 1.2 and making it impossible to use anything but TLS 1.2.

kofemann commented 5 years ago

The TLS 1.2 is fine, but you are talking about allowing TLS 1.1.

ellert commented 5 years ago

> The TLS 1.2 is fine, but you are talking about allowing TLS 1.1.

The PR was based on the patch used in the package build distributed by OSG/WLCG, which simply removed the restriction on what protocols are allowed. I have added additional changes to restrict it to TLS1 and TLS 1.2 only.
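
The two-step rollout discussed above (first allow TLS 1.2 alongside TLS 1.0, later require TLS 1.2), shown with the standard JSSE `SSLEngine` API. This is an added example, not code from the jglobus patch or from anyone in this thread; the class name `ProtocolAllowlist` and the `TRANSITION` and `STRICT` lists are assumptions made for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class ProtocolAllowlist {
    // Step 1 (assumed list): keep TLSv1 for peers that have not upgraded, add TLSv1.2.
    // SSLv3 and TLSv1.1 are deliberately absent, matching the restriction in the PR.
    static final List<String> TRANSITION = Arrays.asList("TLSv1.2", "TLSv1");

    // Step 2 (assumed list): once most sites support TLSv1.2, require it.
    static final List<String> STRICT = Arrays.asList("TLSv1.2");

    /** Returns the allowlisted protocols that this JVM's engine supports, in allowlist order. */
    static String[] select(SSLEngine engine, List<String> allowed) {
        List<String> supported = Arrays.asList(engine.getSupportedProtocols());
        List<String> chosen = new ArrayList<>();
        for (String protocol : allowed) {
            if (supported.contains(protocol)) {
                chosen.add(protocol);
            }
        }
        // Fail closed: never fall back to the engine defaults when nothing matches.
        if (chosen.isEmpty()) {
            throw new IllegalStateException("none of " + allowed + " is supported by this JVM");
        }
        return chosen.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        // Default key and trust managers; a real deployment supplies its own.
        ctx.init(null, null, null);
        SSLEngine engine = ctx.createSSLEngine();

        // An explicit allowlist instead of a single forced protocol version.
        engine.setEnabledProtocols(select(engine, TRANSITION));
        System.out.println("transition: " + Arrays.toString(engine.getEnabledProtocols()));

        engine.setEnabledProtocols(select(engine, STRICT));
        System.out.println("strict:     " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

The JVM's `jdk.tls.disabledAlgorithms` security property can still refuse a protocol at handshake time even when it is in the enabled list, so a capture of the negotiated version is the reliable check during the transition.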

jbasney commented 5 years ago

Is this ready to merge? It is needed.

ellert commented 5 years ago

> Is this ready to merge? It is needed.

I am not sure who you are asking here. But I would say yes.

kofemann commented 5 years ago

> I am not sure who you are asking here. But I would say yes.

Ok :)