OpenBIS change of minimal TLS version required for connections


Introduction

On the Euler cluster, users can use the PyBIS package to connect to OpenBIS instances. PyBIS uses OpenSSL to establish the connection to OpenBIS, which is secured with the TLS protocol. As of today, OpenBIS accepts only connections that use TLS 1.3 (older TLS versions are no longer supported). The default OpenSSL library on Euler supports only up to TLS 1.2, and therefore almost all versions of PyBIS can no longer connect to OpenBIS.

Workaround

The most recent Python installation on Euler (3.10.4) was built with the newer OpenSSL version provided by CentOS 7.9, which supports TLS 1.3. It has PyBIS 1.36.3 installed (https://scicomp.ethz.ch/wiki/Python_on_Euler#python_gpu.2F3.10.4). Load it with:

module load gcc/8.2.0 python/3.10.4

All older Python installations can only use TLS 1.2. Therefore, if you are using PyBIS on Euler, please migrate your workflow to Python 3.10.4.

Updates

The TLS version requirement for connections to OpenBIS has been relaxed. TLS 1.2 and 1.3 are now both supported. Therefore all PyBIS installations on Euler should work again.
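
To see which of the two situations above applies to a given Python installation, the following script reports the OpenSSL build the interpreter is linked against and whether its usable TLS range overlaps a TLS 1.3 only server and a TLS 1.2/1.3 server. It is an added example, not part of PyBIS or of the original page; it assumes Python 3.7 or newer, the function names are made up for illustration, and the optional host name argument is supplied by the user.

```python
import socket
import ssl
import sys

V = ssl.TLSVersion

def local_range():
    """(lowest, highest) of TLS 1.2/1.3 that this interpreter's OpenSSL can use."""
    usable = []
    for version, built_in in ((V.TLSv1_2, ssl.HAS_TLSv1_2), (V.TLSv1_3, ssl.HAS_TLSv1_3)):
        if not built_in:
            continue
        ctx = ssl.create_default_context()
        try:
            ctx.minimum_version = version  # rejected if the OpenSSL build cannot do it
        except (ValueError, AttributeError):
            continue
        usable.append(version)
    return (usable[0], usable[-1]) if usable else None

def can_reach(server_min, server_max, client=None):
    """True if the client's TLS range overlaps the versions the server accepts."""
    client = client or local_range()
    if client is None:
        return False
    return max(client[0], server_min) <= min(client[1], server_max)

def negotiated_version(host, port=443, timeout=10.0):
    """Perform a real handshake and return the agreed version, e.g. 'TLSv1.3'."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()

if __name__ == "__main__":
    print("Linked OpenSSL:", ssl.OPENSSL_VERSION)
    print("Usable range  :", local_range())
    print("TLS 1.3 only server reachable:", can_reach(V.TLSv1_3, V.TLSv1_3))
    print("TLS 1.2+1.3 server reachable :", can_reach(V.TLSv1_2, V.TLSv1_3))
    if len(sys.argv) > 1:  # optional: host name of the server to test against
        print("Negotiated with", sys.argv[1], ":", negotiated_version(sys.argv[1]))
```

Run it once after loading each Python module you use; a handshake failure in the optional live check surfaces as an ssl.SSLError.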