stargrid ssl config issue
I just hit a snag updating stargrid04 that will certainly affect the other stargrid machines and likely stargw3. I applied all available updates ('yum update'), though I was primarily interested in the kernel update for CVE-2017-1000253 (Linux PIE/stack corruption). Upon reboot I could not use the gridftp server - in the logs it was complaining about an SSL problem in the connection to the GUMS server:
OpenSSL error queue: dh key too small (function ssl3_check_cert_and_algorithm from SSL routines)

The minimum Diffie-Hellman key length was raised to 1024 bits in openssl-1.0.2j-2. (This upgrade on stargrid04 went from openssl-1.0.1e-60.el7_3.1.x86_64 to openssl-1.0.2k-8.el7.x86_64.)
Apparently the key used for the certificate on the gums server is smaller than 1024. Fortunately, the same openssl update includes a legacy setting to get around this:
echo 'MinimumDHBits 768' > /etc/pki/tls/legacy-settings
and voilà, the gridftp server is usable again. Presumably the need for this legacy setting will go away at some point (hopefully the next time the gums server's certificate is renewed), and then /etc/pki/tls/legacy-settings should be removed.
This is the exact URL used by the authentication callout:
https://gums.racf.bnl.gov:8443/gums/services/GUMSXACMLAuthorizationServicePort
Here are Red Hat's technical notes on the subject of openssl exceptions for legacy and deprecated features (though specifically written for Red Hat 6, it was useful for stargrid04 with Red Hat 7 also):
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.9_Technical_Notes/chap-Red_Hat_Enterprise_Linux-6.9_Technical_Notes-Deprecated_Functionality.html
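An added check, not part of the original post, for deciding whether a peer's DHE parameters would trip the new 1024-bit floor and for reading back the override in /etc/pki/tls/legacy-settings. It assumes the OpenSSL 1.0.2+ s_client output line "Server Temp Key: DH, <n> bits" and the "MinimumDHBits <n>" file format; the sample outputs are constructed, not captured from the gums server.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the OpenSSL 1.0.2+ s_client
# format "Server Temp Key: DH, <n> bits" (printed after a successful DHE handshake)
# and the "MinimumDHBits <n>" line format used in /etc/pki/tls/legacy-settings.

# Print the ephemeral DH size in bits from s_client output on stdin (empty if none).
dh_bits_from_s_client() {
    sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1
}

# Succeed if <bits> meets the client minimum (default 1024, the openssl-1.0.2j-2 floor).
dh_meets_minimum() {  # usage: dh_meets_minimum <bits> [<minimum>]
    [ -n "$1" ] && [ "$1" -ge "${2:-1024}" ]
}

# Print the MinimumDHBits override currently in legacy-settings (empty if no file).
current_min_dh_bits() {  # usage: current_min_dh_bits [<path>]
    f=${1:-/etc/pki/tls/legacy-settings}
    [ -r "$f" ] && sed -n 's/^MinimumDHBits[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$f" | head -n 1
}

# Classify s_client output on stdin as rejected, weak-dh:<bits>, ok:<bits> or no-dh.
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'dh key too small'; then
        echo rejected; return 1
    fi
    bits=$(printf '%s\n' "$out" | dh_bits_from_s_client)
    if [ -z "$bits" ]; then echo no-dh
    elif dh_meets_minimum "$bits"; then echo "ok:$bits"
    else echo "weak-dh:$bits"; fi
}

# Live check (needs network), e.g. check_server gums.racf.bnl.gov:8443
check_server() {
    echo | openssl s_client -connect "$1" 2>&1 | classify_handshake
}

# Constructed sample: what s_client shows once the 768-bit override lets the handshake through.
SAMPLE_768='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server Temp Key: DH, 768 bits
---'
# Constructed sample: the failure from the post, with the client minimum still at 1024.
SAMPLE_REJECTED='CONNECTED(00000003)
error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small
---'
```

Running check_server from a host that still has the 1024-bit floor reports "rejected"; from one with the 768-bit override it reports "weak-dh:768", which is the signal to revisit the override later.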
Groups:
- wbetts's blog