Posted to commits@kudu.apache.org by da...@apache.org on 2017/10/17 01:38:44 UTC
kudu git commit: KUDU-2190: Strengthen default webserver TLS ciphers
Repository: kudu
Updated Branches:
refs/heads/master 29514389a -> 57b8b8fdf
KUDU-2190: Strengthen default webserver TLS ciphers
This commit adds two new advanced flags: 'webserver-tls-ciphers' and
'webserver-tls-min-protocol', which can be configured to change the
webserver's list of available ciphers and TLS protocol version,
respectively. They work exactly the same as the existing
'rpc-tls-ciphers' and 'rpc-tls-min-protocol' flags which apply to KRPC.
In addition, this commit changes the default cipher suite exposed by the
webserver: instead of using the platform's default OpenSSL cipher suite,
which can be insecure on older platforms, it uses the same suite we've
been using successfully with KRPC.
Testing: there are no automated tests provided, but I have manually
verified that the webserver no longer advertises 3DES and RC4 ciphers
using a script modified from [1].
[1]: https://superuser.com/a/224263
Change-Id: I9169e5dc30ba52251347241dca4c1ca490f581c9
Reviewed-on: http://gerrit.cloudera.org:8080/8286
Reviewed-by: Alexey Serbin <as...@cloudera.com>
Tested-by: Kudu Jenkins
Project: http://git-wip-us.apache.org/repos/asf/kudu/repo
Commit: http://git-wip-us.apache.org/repos/asf/kudu/commit/57b8b8fd
Tree: http://git-wip-us.apache.org/repos/asf/kudu/tree/57b8b8fd
Diff: http://git-wip-us.apache.org/repos/asf/kudu/diff/57b8b8fd
Branch: refs/heads/master
Commit: 57b8b8fdf33b312ab4a5d70e98dfe5e98a491b17
Parents: 2951438
Author: Dan Burkert <da...@apache.org>
Authored: Mon Oct 16 15:59:30 2017 -0700
Committer: Dan Burkert <da...@apache.org>
Committed: Tue Oct 17 01:38:31 2017 +0000
----------------------------------------------------------------------
src/kudu/server/webserver.cc | 5 +++++
src/kudu/server/webserver_options.cc | 22 ++++++++++++++++++++++
src/kudu/server/webserver_options.h | 2 ++
thirdparty/vars.sh | 2 +-
4 files changed, 30 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/kudu/blob/57b8b8fd/src/kudu/server/webserver.cc
----------------------------------------------------------------------
diff --git a/src/kudu/server/webserver.cc b/src/kudu/server/webserver.cc
index 58a7f8e..4812001 100644
--- a/src/kudu/server/webserver.cc
+++ b/src/kudu/server/webserver.cc
@@ -207,6 +207,11 @@ Status Webserver::Start() {
options.emplace_back("ssl_private_key_password");
options.push_back(key_password); // maybe empty if not configured.
}
+
+ options.emplace_back("ssl_ciphers");
+ options.emplace_back(opts_.tls_ciphers);
+ options.emplace_back("ssl_min_version");
+ options.emplace_back(opts_.tls_min_protocol);
}
if (!opts_.authentication_domain.empty()) {
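Review bot: Nothing in this hunk checks `opts_.tls_ciphers` or `opts_.tls_min_protocol` before they are passed on as `ssl_ciphers` and `ssl_min_version`, so an empty or mistyped flag value reaches the webserver's TLS setup unchanged. How the embedded server reacts to such a value is not visible here; if it falls back to the platform's OpenSSL defaults, the hardening is silently lost. The same gap applies to the flag definitions in webserver_options.cc, where the visible `ValidateTlsFlags()` is not shown being extended. A guard before the new lines would make the failure explicit, for example `if (opts_.tls_ciphers.empty()) return Status::InvalidArgument("webserver TLS cipher list must not be empty");`, with a matching check that the protocol is one of the three documented values. Webserver::Start() begins and ends outside this hunk.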
http://git-wip-us.apache.org/repos/asf/kudu/blob/57b8b8fd/src/kudu/server/webserver_options.cc
----------------------------------------------------------------------
diff --git a/src/kudu/server/webserver_options.cc b/src/kudu/server/webserver_options.cc
index e25ea2a..a0bf92c 100644
--- a/src/kudu/server/webserver_options.cc
+++ b/src/kudu/server/webserver_options.cc
@@ -95,6 +95,26 @@ DEFINE_int32(webserver_port, 0,
"Port to bind to for the web server");
TAG_FLAG(webserver_port, stable);
+DEFINE_string(webserver_tls_ciphers,
+ // See security/tls_context.cc for origin of this list.
+ "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
+ "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
+ "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
+ "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
+ "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
+ "AES256-GCM-SHA384:AES128-GCM-SHA256:"
+ "AES256-SHA256:AES128-SHA256:"
+ "AES256-SHA:AES128-SHA",
+ "The cipher suite preferences to use for webserver HTTPS connections. "
+ "Uses the OpenSSL cipher preference list format. See man (1) ciphers "
+ "for more information.");
+TAG_FLAG(webserver_tls_ciphers, advanced);
+
+DEFINE_string(webserver_tls_min_protocol, "TLSv1",
+ "The minimum protocol version to allow when for webserver HTTPS "
+ "connections. May be one of 'TLSv1', 'TLSv1.1', or 'TLSv1.2'.");
+TAG_FLAG(webserver_tls_min_protocol, advanced);
+
namespace kudu {
static bool ValidateTlsFlags() {
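Review bot: The default for `webserver_tls_min_protocol` is `"TLSv1"`, so TLS 1.0 and 1.1 stay enabled out of the box. The default cipher list also ends in static-RSA, CBC-mode entries (`AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA`) that give no forward secrecy. This matches the KRPC defaults the commit cites, but if client compatibility allows, consider `DEFINE_string(webserver_tls_min_protocol, "TLSv1.2",`, or at least say in the help text that the default is chosen for compatibility and can be tightened. The help string also has a stray word: `"The minimum protocol version to allow when for webserver HTTPS "` should read `"The minimum protocol version to allow for webserver HTTPS "`. The body of `ValidateTlsFlags()` lies outside this hunk.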
@@ -135,6 +155,8 @@ WebserverOptions::WebserverOptions()
private_key_password_cmd(FLAGS_webserver_private_key_password_cmd),
authentication_domain(FLAGS_webserver_authentication_domain),
password_file(FLAGS_webserver_password_file),
+ tls_ciphers(FLAGS_webserver_tls_ciphers),
+ tls_min_protocol(FLAGS_webserver_tls_min_protocol),
num_worker_threads(FLAGS_webserver_num_worker_threads) {
}
http://git-wip-us.apache.org/repos/asf/kudu/blob/57b8b8fd/src/kudu/server/webserver_options.h
----------------------------------------------------------------------
diff --git a/src/kudu/server/webserver_options.h b/src/kudu/server/webserver_options.h
index 1d1abb1..b0d2df0 100644
--- a/src/kudu/server/webserver_options.h
+++ b/src/kudu/server/webserver_options.h
@@ -38,6 +38,8 @@ struct WebserverOptions {
std::string private_key_password_cmd;
std::string authentication_domain;
std::string password_file;
+ std::string tls_ciphers;
+ std::string tls_min_protocol;
uint32_t num_worker_threads;
};
http://git-wip-us.apache.org/repos/asf/kudu/blob/57b8b8fd/thirdparty/vars.sh
----------------------------------------------------------------------
diff --git a/thirdparty/vars.sh b/thirdparty/vars.sh
index 4ff2bc4..4451e8a 100644
--- a/thirdparty/vars.sh
+++ b/thirdparty/vars.sh
@@ -93,7 +93,7 @@ RAPIDJSON_SOURCE=$TP_SOURCE_DIR/$RAPIDJSON_NAME
# export NAME=squeasel-$(git rev-parse HEAD)
# git archive HEAD --prefix=$NAME/ -o /tmp/$NAME.tar.gz
# s3cmd put -P /tmp/$NAME.tar.gz s3://cloudera-thirdparty-libs/$NAME.tar.gz
-SQUEASEL_VERSION=c304d3f3481b07bf153979155f02e0aab24d01de
+SQUEASEL_VERSION=9335b81317a6451d5a37c5dc7ec088eecbf68c82
SQUEASEL_NAME=squeasel-$SQUEASEL_VERSION
SQUEASEL_SOURCE=$TP_SOURCE_DIR/$SQUEASEL_NAME