You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues-all@impala.apache.org by "Joe McDonnell (Jira)" <ji...@apache.org> on 2022/04/12 23:17:00 UTC

[jira] [Created] (IMPALA-11240) Revisit the default value for ssl_cipher_list to eliminate insecure ciphers

Joe McDonnell created IMPALA-11240:
--------------------------------------

             Summary: Revisit the default value for ssl_cipher_list to eliminate insecure ciphers
                 Key: IMPALA-11240
                 URL: https://issues.apache.org/jira/browse/IMPALA-11240
             Project: IMPALA
          Issue Type: Improvement
          Components: Security
    Affects Versions: Impala 4.1.0
            Reporter: Joe McDonnell


The default value for ssl_cipher_list is empty, which uses any cipher supported by the operating system's OpenSSL version. Some older ciphers are known to be weak, and Mozilla's guide to server side SSL settings recommends restricting the SSL ciphers:

[https://wiki.mozilla.org/Security/Server_Side_TLS]

In particular, a curated list based on the intermediate compatibility level seems like a reasonable way to improve security. For example, Kudu restricts SSL ciphers to this list: 

[https://github.com/apache/kudu/blob/master/src/kudu/security/security_flags.cc#L30]
{noformat}
const char* const SecurityDefaults::SecurityDefaults::kDefaultTlsCiphers =
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";{noformat}
We should consider doing something similar.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org