Friday, December 6, 2013

OpenSSL 1.0.1e linked to GSI failures

In the last week or so, the RHEL 6, CentOS 6, and Scientific Linux 6 (collectively, “EL6”) OS repositories have updated to the 6.5 release. One significant change is that OpenSSL was updated from version 1.0.0 to 1.0.1e. The OSG Software team has found that the Globus security layer (GSI) does not seem to work with this new OpenSSL release. As a result, common commands, including globus-job-run and globus-url-copy, fail. The failure occurs with the Globus Toolkit available from the OSG as well as with the newer release available in EPEL.

The OSG team has not yet found the root cause of the problem and is still investigating. The Globus Toolkit team has also been notified. In the meantime, we suggest that OSG sites do NOT update to OpenSSL 1.0.1e, in case doing so causes site-wide authentication failures. The easiest way to avoid OpenSSL 1.0.1e is to avoid upgrading to version 6.5 of the operating system.

We will send out more information as soon as it is available.