/etc/grid-security/gsi.conf is in libglobus-gssapi-gsi4 11.26-2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 | # Flag to choose SSL or TLS for GSSAPI protocol.
# Set to true to disable SSLv3, or false to allow either to be
# negotiated. The value of the GLOBUS_GSSAPI_FORCE_TLS environment
# variable overrides this
FORCE_TLS=false
# GSSAPI Name compatiblity mode when trying to determine
# if a host certificate is legitimate. GSI predates RFC2818,
# so there are some old, less-secure, practices by default.
# The different modes are:
# STRICT_GT2:
# Strictly backward-compatible with GT 2.0 name matching.
# X.509 subjectAltName values are ignored. Names with
# hyphens are treated as wildcarded such that
# host-ANYTHING.example.com will match a certificate named
# host.example.com. The name matching will rely on canonical
# host (as resolved via getnameinfo) name associated with
# a connection's IP addresses.
# STRICT_RFC2818:
# Support RFC 2818 server identity processing. Hyphen
# characters are treated as normal part of a host name.
# dnsName and ipAddress subjectAltName extensions are matched
# against the host and port passed to GSSAPI. If subjectAltName
# is present, X.509 SubjectName is ignored.
# HYBRID:
# Support a hybrid of the two previous name matching algorithms,
# liberally matching both hyphen wildcards, canonical names
# associated with IP addresses, and subjectAltName extensions.
# This has been the default since GT 4.2
NAME_COMPATIBILITY=HYBRID
# OpenSSL Cipher List. This is an preference-ordered list of OpenSSL cipher
# names.
CIPHERS=HIGH
# If true, when choosing a cipher, a server will use its own preferred
# order instead of the cipher order presented by the client. When not set, the
# SSL server will always follow the clients preferences.
SERVER_CIPHER_ORDER=true
|