diff -Nru jglobus-2.1.0/debian/changelog jglobus-2.1.0/debian/changelog
--- jglobus-2.1.0/debian/changelog 2018-11-04 04:21:39.000000000 +0000
+++ jglobus-2.1.0/debian/changelog 2019-02-20 09:52:34.000000000 +0000
@@ -1,3 +1,11 @@
+jglobus (2.1.0-8) unstable; urgency=medium
+
+ * Only allow TLSv1 and TLSv1.2 (not TLSv1.1)
+ * Remove unused FORCE_SSLV3_AND_CONSTRAIN_CIPHERSUITES_FOR_GRAM
+ * Adapt to changes in bouncycastle 1.61
+
+ -- Mattias Ellert Wed, 20 Feb 2019 10:52:34 +0100
+
 jglobus (2.1.0-7) unstable; urgency=medium
 
 * Apply patches from OSG/WLCG
diff -Nru jglobus-2.1.0/debian/control jglobus-2.1.0/debian/control
--- jglobus-2.1.0/debian/control 2018-11-04 04:21:39.000000000 +0000
+++ jglobus-2.1.0/debian/control 2019-02-20 09:52:34.000000000 +0000
@@ -3,7 +3,7 @@
 Priority: optional
 Maintainer: Mattias Ellert
 Build-Depends: debhelper (>= 9), maven-debian-helper (>= 2.2), libmaven-compiler-plugin-java, libmaven-javadoc-plugin-java, libsurefire-java, junit4, libcommons-codec-java, libcommons-httpclient-java, libcommons-io-java, libcommons-logging-java, libbcprov-java (>= 1.47), libhttpclient-java, liblog4j1.2-java, libaxis-java, libservlet3.1-java
-Standards-Version: 4.2.1
+Standards-Version: 4.3.0
 Vcs-Browser: https://salsa.debian.org/ellert/jglobus
 Vcs-Git: https://salsa.debian.org/ellert/jglobus.git
 Homepage: https://github.com/jglobus/
diff -Nru jglobus-2.1.0/debian/copyright jglobus-2.1.0/debian/copyright
--- jglobus-2.1.0/debian/copyright 2018-03-28 21:19:56.000000000 +0000
+++ jglobus-2.1.0/debian/copyright 2019-02-20 09:52:34.000000000 +0000
@@ -42,7 +42,7 @@
 all times remain with copyright holders.
 
 Files: debian/*
-Copyright: 2012-2018 Mattias Ellert
+Copyright: 2012-2019 Mattias Ellert
 License: Apache-2.0
 
 License: Apache-2.0
diff -Nru jglobus-2.1.0/debian/patches/jglobus-adapt-to-changes-in-PrivateKeyInfo-class.patch jglobus-2.1.0/debian/patches/jglobus-adapt-to-changes-in-PrivateKeyInfo-class.patch
--- jglobus-2.1.0/debian/patches/jglobus-adapt-to-changes-in-PrivateKeyInfo-class.patch 1970-01-01 00:00:00.000000000 +0000
+++ jglobus-2.1.0/debian/patches/jglobus-adapt-to-changes-in-PrivateKeyInfo-class.patch 2019-02-10 07:28:10.000000000 +0000
@@ -0,0 +1,27 @@
+From 56107f807a4f2d1c4430e68cbfa883dbff926c70 Mon Sep 17 00:00:00 2001
+From: Mattias Ellert
+Date: Fri, 8 Feb 2019 17:09:49 +0100
+Subject: [PATCH] Adapt to changes in PrivateKeyInfo class
+
+---
+ .../main/java/org/globus/gsi/bc/BouncyCastleOpenSSLKey.java | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ssl-proxies/src/main/java/org/globus/gsi/bc/BouncyCastleOpenSSLKey.java b/ssl-proxies/src/main/java/org/globus/gsi/bc/BouncyCastleOpenSSLKey.java
+index e7a7ede..ed62523 100644
+--- a/ssl-proxies/src/main/java/org/globus/gsi/bc/BouncyCastleOpenSSLKey.java
++++ b/ssl-proxies/src/main/java/org/globus/gsi/bc/BouncyCastleOpenSSLKey.java
+@@ -152,8 +152,8 @@ public class BouncyCastleOpenSSLKey extends OpenSSLKey {
+ try {
+ ASN1Primitive keyInfo = BouncyCastleUtil.toASN1Primitive(key
+ .getEncoded());
+- PrivateKeyInfo pkey = new PrivateKeyInfo((ASN1Sequence) keyInfo);
+- ASN1Primitive derKey = pkey.getPrivateKey();
++ PrivateKeyInfo pkey = PrivateKeyInfo.getInstance(keyInfo);
++ ASN1Primitive derKey = pkey.parsePrivateKey().toASN1Primitive();
+ return BouncyCastleUtil.toByteArray(derKey);
+ } catch (IOException e) {
+ // that should never happen
+--
+2.20.1
+
diff -Nru jglobus-2.1.0/debian/patches/jglobus-only-allow-TLSv1-and-TLSv1.2-not-TLSv1.1.patch jglobus-2.1.0/debian/patches/jglobus-only-allow-TLSv1-and-TLSv1.2-not-TLSv1.1.patch
--- jglobus-2.1.0/debian/patches/jglobus-only-allow-TLSv1-and-TLSv1.2-not-TLSv1.1.patch 1970-01-01 00:00:00.000000000 +0000
+++ jglobus-2.1.0/debian/patches/jglobus-only-allow-TLSv1-and-TLSv1.2-not-TLSv1.1.patch 2019-02-10 07:28:10.000000000 +0000
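Review bot: `PrivateKeyInfo.getInstance(keyInfo)` rejects a non-SEQUENCE input with an unchecked IllegalArgumentException where the old `(ASN1Sequence) keyInfo` cast threw ClassCastException; neither is caught by the surrounding `catch (IOException e)`, so the existing comment `// that should never happen` now covers only the `parsePrivateKey()` decode of the PrivateKey octets. That is acceptable because `key` (presumably a JCE PrivateKey) is local rather than external input, but the comment should state the reason instead of asserting impossibility, e.g. `// key.getEncoded() of a JCE key is a well-formed PrivateKeyInfo, so the decode is not expected to fail`. The enclosing method starts before the hunk and the catch body continues after it, so whether the cause is preserved on rethrow cannot be checked here.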
@@ -0,0 +1,38 @@
+From b63db173f3c4c878cc2b564be668f5897a1d0d25 Mon Sep 17 00:00:00 2001
+From: Mattias Ellert
+Date: Mon, 12 Nov 2018 09:36:12 +0100
+Subject: [PATCH 1/2] Only allow TLSv1 and TLSv1.2 (not TLSv1.1)
+
+---
+ .../main/java/org/globus/gsi/gssapi/GlobusGSSContextImpl.java | 2 ++
+ myproxy/src/main/java/org/globus/myproxy/MyProxy.java | 1 +
+ 2 files changed, 3 insertions(+)
+
+diff --git a/gss/src/main/java/org/globus/gsi/gssapi/GlobusGSSContextImpl.java b/gss/src/main/java/org/globus/gsi/gssapi/GlobusGSSContextImpl.java
+index 61734ce..48d23cc 100644
+--- a/gss/src/main/java/org/globus/gsi/gssapi/GlobusGSSContextImpl.java
++++ b/gss/src/main/java/org/globus/gsi/gssapi/GlobusGSSContextImpl.java
+@@ -1301,6 +1301,8 @@ done: do {
+ throw new GlobusGSSException(GSSException.FAILURE, e);
+ }
+
++ this.sslEngine.setEnabledProtocols(new String[] {"TLSv1", "TLSv1.2"});
++
+ logger.debug("SUPPORTED PROTOCOLS: " +
+ Arrays.toString(this.sslEngine.getSupportedProtocols()) +
+ "; ENABLED PROTOCOLS: " +
+diff --git a/myproxy/src/main/java/org/globus/myproxy/MyProxy.java b/myproxy/src/main/java/org/globus/myproxy/MyProxy.java
+index 359776b..33cbee6 100644
+--- a/myproxy/src/main/java/org/globus/myproxy/MyProxy.java
++++ b/myproxy/src/main/java/org/globus/myproxy/MyProxy.java
+@@ -1170,6 +1170,7 @@ public class MyProxy {
+ sc.init(null, trustAllCerts, new java.security.SecureRandom());
+ SSLSocketFactory sf = sc.getSocketFactory();
+ SSLSocket socket = (SSLSocket)sf.createSocket(this.host, this.port);
++ socket.setEnabledProtocols(new String[] {"TLSv1", "TLSv1.2"});
+ socket.startHandshake();
+ socket.close();
+
+--
+2.19.1
+
diff -Nru jglobus-2.1.0/debian/patches/jglobus-remove-unused-FORCE_SSLV3_AND_CONSTRAIN_CIPHERSUITES.patch jglobus-2.1.0/debian/patches/jglobus-remove-unused-FORCE_SSLV3_AND_CONSTRAIN_CIPHERSUITES.patch
--- jglobus-2.1.0/debian/patches/jglobus-remove-unused-FORCE_SSLV3_AND_CONSTRAIN_CIPHERSUITES.patch 1970-01-01 00:00:00.000000000 +0000
+++ jglobus-2.1.0/debian/patches/jglobus-remove-unused-FORCE_SSLV3_AND_CONSTRAIN_CIPHERSUITES.patch 2019-02-10 07:28:10.000000000 +0000
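Review bot: The protocol list `new String[] {"TLSv1", "TLSv1.2"}` is hard-coded at both call sites (GlobusGSSContextImpl and MyProxy), so TLSv1.3 can never be negotiated even on a JDK that supports it, while TLSv1.0 — older and weaker than the TLSv1.1 being removed — stays enabled, and neither the patch nor its commit message says why. Each call site needs a comment giving the reason, e.g. `// TLSv1.1 is excluded for interoperability with <reason>; TLSv1 is kept for legacy GSI peers -- revisit before dropping it`, and the list would be more robust derived from `getSupportedProtocols()` minus the excluded versions rather than a fixed allowlist. Also note that `setEnabledProtocols` throws IllegalArgumentException when a named protocol is absent from the supported set, which a hardened JDK configuration may cause for "TLSv1"; in GlobusGSSContextImpl that would escape as a runtime exception rather than the GlobusGSSException the surrounding code raises. Both enclosing methods start and end outside the hunk.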
@@ -0,0 +1,124 @@
+From f7b8c123e2cec8f0f8601d0c5b63a17821d9d9bc Mon Sep 17 00:00:00 2001
+From: Mattias Ellert
+Date: Mon, 12 Nov 2018 10:02:07 +0100
+Subject: [PATCH 2/2] Remove unused
+ FORCE_SSLV3_AND_CONSTRAIN_CIPHERSUITES_FOR_GRAM option This has not been in
+ use since commit c9eeba1 (Jan 2011)
+
+---
+ .../org/globus/gsi/gssapi/GSSConstants.java | 9 ----
+ .../gsi/gssapi/GlobusGSSContextImpl.java | 42 +++----------------
+ 2 files changed, 5 insertions(+), 46 deletions(-)
+
+diff --git a/gss/src/main/java/org/globus/gsi/gssapi/GSSConstants.java b/gss/src/main/java/org/globus/gsi/gssapi/GSSConstants.java
+index cd1e9ed..15d85e7 100644
+--- a/gss/src/main/java/org/globus/gsi/gssapi/GSSConstants.java
++++ b/gss/src/main/java/org/globus/gsi/gssapi/GSSConstants.java
+@@ -107,13 +107,6 @@ public abstract class GSSConstants {
+ */
+ public static final Oid AUTHZ_REQUIRED_WITH_DELEGATION;
+
+- /** Context option. It is set to a Boolean value and if true,
+- * the GSI/GSSAPI layer will force the underlying SSL/TLS to
+- * use SSLv3 and a narrow set of cipher suites so communication
+- * with GRAM servers can succeed.
+- */
+- public static final Oid FORCE_SSLV3_AND_CONSTRAIN_CIPHERSUITES_FOR_GRAM;
+-
+ /** Quality-of-Protection (QOP) value, indicates large block size support.
+ * Can be passed to wrap or set by unwrap
+ * methods */
+@@ -139,8 +132,6 @@ public abstract class GSSConstants {
+ RECEIVED_LIMITED_PROXY = new Oid("1.3.6.1.4.1.3536.1.1.21");
+ AUTHZ_REQUIRED_WITH_DELEGATION =
+ new Oid("1.3.6.1.4.1.3536.1.1.22");
+- FORCE_SSLV3_AND_CONSTRAIN_CIPHERSUITES_FOR_GRAM =
+- new Oid("1.3.6.1.4.1.3536.1.1.23");
+ } catch (Exception e) {
+ throw new RuntimeException(e.getMessage());
+ }
+diff --git a/gss/src/main/java/org/globus/gsi/gssapi/GlobusGSSContextImpl.java b/gss/src/main/java/org/globus/gsi/gssapi/GlobusGSSContextImpl.java
+index 48d23cc..d31662e 100644
+--- a/gss/src/main/java/org/globus/gsi/gssapi/GlobusGSSContextImpl.java
++++ b/gss/src/main/java/org/globus/gsi/gssapi/GlobusGSSContextImpl.java
+@@ -142,13 +142,6 @@ public class GlobusGSSContextImpl implements ExtendedGSSContext {
+ private static final String [] NO_ENCRYPTION =
+ {"SSL_RSA_WITH_NULL_SHA", "SSL_RSA_WITH_NULL_MD5"};
+
+- // TODO: Delete these once GRAM server is fixed and we no longer
+- // would be talking to old GRAM servers.
+- private static final String [] GRAM_ENCRYPTION_CIPHER_SUITES =
+- {"SSL_RSA_WITH_3DES_EDE_CBC_SHA"};
+- private static final String [] GRAM_NO_ENCRYPTION_CIPHER_SUITES =
+- {"SSL_RSA_WITH_NULL_SHA"};
+-
+ private static final byte[] DELEGATION_TOKEN = new byte[] {GSIConstants.DELEGATION_CHAR};
+
+ private static final int
+@@ -212,8 +205,6 @@ public class GlobusGSSContextImpl implements ExtendedGSSContext {
+ protected Boolean requireClientAuth = Boolean.TRUE;
+ protected Boolean acceptNoClientCerts = Boolean.FALSE;
+ protected Boolean requireAuthzWithDelegation = Boolean.TRUE;
+- protected Boolean forceSSLv3AndConstrainCipherSuitesForGram =
+- Boolean.FALSE;
+
+ // *** implementation-specific variables ***
+
+@@ -1310,20 +1301,12 @@ done: do {
+
+ ArrayList cs = new ArrayList();
+ if (this.encryption) {
+- if (this.forceSSLv3AndConstrainCipherSuitesForGram.booleanValue())
+- for (String cipherSuite : GRAM_ENCRYPTION_CIPHER_SUITES)
+- cs.add(cipherSuite);
+- else // Simply retain the default-enabled Cipher Suites
+- cs.addAll(Arrays.asList(this.sslEngine.getEnabledCipherSuites()));
++ // Simply retain the default-enabled Cipher Suites
++ cs.addAll(Arrays.asList(this.sslEngine.getEnabledCipherSuites()));
+ } else {
+- if (this.forceSSLv3AndConstrainCipherSuitesForGram.booleanValue())
+- for (String cipherSuite : GRAM_NO_ENCRYPTION_CIPHER_SUITES)
+- cs.add(cipherSuite);
+- else {
+- for (String cipherSuite : NO_ENCRYPTION)
+- cs.add(cipherSuite);
+- cs.addAll(Arrays.asList(this.sslEngine.getEnabledCipherSuites()));
+- }
++ for (String cipherSuite : NO_ENCRYPTION)
++ cs.add(cipherSuite);
++ cs.addAll(Arrays.asList(this.sslEngine.getEnabledCipherSuites()));
+ }
+ cs.removeAll(Arrays.asList(bannedCiphers));
+ String[] testSuite = new String[0];
+@@ -2225,18 +2208,6 @@ done: do {
+ this.acceptNoClientCerts = (Boolean)value;
+ }
+
+- protected void setForceSslV3AndConstrainCipherSuitesForGram(
+- Object value)
+- throws GSSException {
+- if (!(value instanceof Boolean)) {
+- throw new GlobusGSSException(GSSException.FAILURE,
+- GlobusGSSException.BAD_OPTION_TYPE,
+- "badType",
+- new Object[] {"adjust cipher suites for GRAM", Boolean.class});
+- }
+- this.forceSSLv3AndConstrainCipherSuitesForGram = (Boolean)value;
+- }
+-
+ /*DEL
+ protected void setGrimPolicyHandler(Object value)
+ throws GSSException {
+@@ -2319,9 +2290,6 @@ done: do {
+ } else if (option.equals(GSSConstants
+ .AUTHZ_REQUIRED_WITH_DELEGATION)) {
+ setRequireAuthzWithDelegation(value);
+- } else if (option.equals(GSSConstants
+- .FORCE_SSLV3_AND_CONSTRAIN_CIPHERSUITES_FOR_GRAM)) {
+- setForceSslV3AndConstrainCipherSuitesForGram(value);
+ } else {
+ throw new GlobusGSSException(GSSException.FAILURE,
+ GlobusGSSException.UNKNOWN_OPTION,
+--
+2.19.1
+
diff -Nru jglobus-2.1.0/debian/patches/series jglobus-2.1.0/debian/patches/series
--- jglobus-2.1.0/debian/patches/series 2018-11-04 04:15:55.000000000 +0000
+++ jglobus-2.1.0/debian/patches/series 2019-02-20 09:52:34.000000000 +0000
@@ -35,3 +35,15 @@
 # https://github.com/jglobus/JGlobus/issues/146
 # https://github.com/jglobus/JGlobus/pull/164
 jglobus-support-PKCS8-key-format.patch
+
+# Only allow TLSv1 and TLSv1.2 (not TLSv1.1)
+# https://github.com/jglobus/JGlobus/pull/166
+jglobus-only-allow-TLSv1-and-TLSv1.2-not-TLSv1.1.patch
+
+# Remove unused FORCE_SSLV3_AND_CONSTRAIN_CIPHERSUITES_FOR_GRAM
+# https://github.com/jglobus/JGlobus/pull/166
+jglobus-remove-unused-FORCE_SSLV3_AND_CONSTRAIN_CIPHERSUITES.patch
+
+# Adapt to changes in bouncycastle 1.61
+# https://github.com/jglobus/JGlobus/pull/168
+jglobus-adapt-to-changes-in-PrivateKeyInfo-class.patch
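Review bot: Deleting `GSSConstants.FORCE_SSLV3_AND_CONSTRAIN_CIPHERSUITES_FOR_GRAM` is a public API break rather than dead-code removal: it is a `public static final Oid` on a public class, so any external caller compiled against it fails with NoSuchFieldError at class-link time, and a caller that still passes that OID to the option setter now gets the `GlobusGSSException.UNKNOWN_OPTION` throw in the final hunk where it used to be accepted. The commit message only establishes that this code base stopped using the option in c9eeba1, which says nothing about downstream users of the library. If the constant is kept as a deprecated no-op — `/** @deprecated No longer has any effect; SSLv3 is not supported. */ @Deprecated public static final Oid FORCE_SSLV3_AND_CONSTRAIN_CIPHERSUITES_FOR_GRAM;` with the setter branch silently ignoring it — compatibility is preserved while the GRAM cipher-suite tables still go away; otherwise the removal belongs in the package changelog as a behaviour change. As a style point in the -1310 hunk, the rewritten else branch keeps the unbraced `for (String cipherSuite : NO_ENCRYPTION) cs.add(cipherSuite);` where `cs.addAll(Arrays.asList(NO_ENCRYPTION));` matches the line that follows it. All of the touched methods in GlobusGSSContextImpl start and end outside their hunks.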