Posted to reviews@impala.apache.org by "Zoltan Borok-Nagy (Code Review)" <ge...@cloudera.org> on 2022/04/05 10:08:34 UTC

[native-toolchain-CR](CDH-7.1.8.x) IMPALA-11195: Disable SSL session renegotiation

Zoltan Borok-Nagy has uploaded this change for review. ( http://gerrit.cloudera.org:8080/18382 )


Change subject: IMPALA-11195: Disable SSL session renegotiation
......................................................................

IMPALA-11195: Disable SSL session renegotiation

This patch disables TLS cipher renegotiation for TLSv1.2 and prior
protocol versions. Renegotiation is not possible in a TLSv1.3
connection.

In case of OpenSSL version 1.1.0h and newer, we are
using the SSL_OP_NO_RENEGOTIATION option to disable all renegotiations. In
case of OpenSSL version prior to 1.1.0a, the undocumented flag
SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS is used.

The moot point is the version interval between 1.1.0a and 1.1.0g
(inclusive): the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag is no longer
available from the application side, but SSL_OP_NO_RENEGOTIATION is not
yet present. So, if a server binary has been compiled with OpenSSL in
the specified version range, it's still advertising the renegotiation
option, even if it's run against OpenSSL 1.1.0h or later versions.

Change-Id: If3e12b6394134daf9c936268d4e60da6b4f3804e
(cherry picked from commit be219b7c627f2db31c1928ee079160a2855ad3df)
---
M buildall.sh
A source/thrift/thrift-0.11.0-patches/0003-THRIFT-2087-Python-compiler-replace-non-utf-8-char-w.patch
A source/thrift/thrift-0.11.0-patches/0004-THRIFT-5303-Fix-missing-error-handling-in-using-PyUn.patch
A source/thrift/thrift-0.11.0-patches/0005-IMPALA-11195-Disable-SSL-renegotiations.patch
A source/thrift/thrift-0.9.3-patches/0009-IMPALA-11195-Disable-SSL-renegotiations.patch
5 files changed, 165 insertions(+), 2 deletions(-)



  git pull ssh://gerrit.cloudera.org:29418/native-toolchain refs/changes/82/18382/1
-- 
To view, visit http://gerrit.cloudera.org:8080/18382
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: native-toolchain
Gerrit-Branch: CDH-7.1.8.x
Gerrit-MessageType: newchange
Gerrit-Change-Id: If3e12b6394134daf9c936268d4e60da6b4f3804e
Gerrit-Change-Number: 18382
Gerrit-PatchSet: 1
Gerrit-Owner: Zoltan Borok-Nagy <bo...@cloudera.com>
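Added example (not code from this change, Thrift or Impala) that models the version gating the commit message describes: which guard a build picks from its OPENSSL_VERSION_NUMBER, and why a binary built in the 1.1.0a..1.1.0g window still advertises renegotiation. The version-string parser and the rule that an SSL_OP_NO_RENEGOTIATION build also needs a runtime library that knows the option are my additions, not statements from the change.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>

/* OPENSSL_VERSION_NUMBER layout for the 1.x series is 0xMNNFFPPS:
   major, minor, fix, patch letter (a=1 .. z=26), status (f = release). */
static unsigned long ossl_ver(unsigned m, unsigned n, unsigned f, unsigned p) {
    return ((unsigned long)m << 28) | ((unsigned long)n << 20) |
           ((unsigned long)f << 12) | ((unsigned long)p << 4) | 0xfUL;
}
#define OSSL_1_1_0a 0x1010001fUL   /* first release without SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS */
#define OSSL_1_1_0h 0x1010008fUL   /* first release with SSL_OP_NO_RENEGOTIATION */

/* Parse a "1.1.0g"-style version string into the numeric form; 0 on malformed input. */
unsigned long parse_openssl_version(const char *s) {
    unsigned m, n, f;
    int used = 0;
    if (sscanf(s, "%u.%u.%u%n", &m, &n, &f, &used) != 3) return 0;
    s += used;
    if (*s == '\0') return ossl_ver(m, n, f, 0);
    if (!islower((unsigned char)*s) || s[1] != '\0') return 0;
    return ossl_ver(m, n, f, (unsigned)(*s - 'a' + 1));
}

enum reneg_guard {
    GUARD_SSL3_FLAGS, /* < 1.1.0a: set SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS on the SSL object */
    GUARD_NONE,       /* 1.1.0a .. 1.1.0g: no application-visible knob exists */
    GUARD_SSL_OP      /* >= 1.1.0h: SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) */
};

/* The guard is chosen when the server is compiled, from the headers' OPENSSL_VERSION_NUMBER. */
enum reneg_guard guard_for_build(unsigned long compiled) {
    if (compiled < OSSL_1_1_0a) return GUARD_SSL3_FLAGS;
    if (compiled < OSSL_1_1_0h) return GUARD_NONE;
    return GUARD_SSL_OP;
}

/* Does a server built against `compiled` and loaded against `runtime` refuse renegotiation?
   A build from the 1.1.0a..1.1.0g window keeps advertising it whatever library it runs on;
   an SSL_OP_NO_RENEGOTIATION build additionally needs a runtime that knows that option. */
bool renegotiation_disabled(unsigned long compiled, unsigned long runtime) {
    switch (guard_for_build(compiled)) {
    case GUARD_SSL3_FLAGS: return true;
    case GUARD_SSL_OP:     return runtime >= OSSL_1_1_0h;
    default:               return false;
    }
}
```

Feeding the compile-time version from a build log and the runtime version from `openssl version` into `renegotiation_disabled` gives a quick way to audit a deployed server for the gap the commit message warns about.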

[native-toolchain-CR](CDH-7.1.8.x) IMPALA-11195: Disable SSL session renegotiation

Posted by "Zoltan Borok-Nagy (Code Review)" <ge...@cloudera.org>.
Zoltan Borok-Nagy has posted comments on this change. ( http://gerrit.cloudera.org:8080/18382 )

Change subject: IMPALA-11195: Disable SSL session renegotiation
......................................................................


Patch Set 2: Verified+1

The internal build job has succeeded with this fix.


-- 

Gerrit-Project: native-toolchain
Gerrit-Branch: CDH-7.1.8.x
Gerrit-MessageType: comment
Gerrit-Change-Id: If3e12b6394134daf9c936268d4e60da6b4f3804e
Gerrit-Change-Number: 18382
Gerrit-PatchSet: 2
Gerrit-Owner: Zoltan Borok-Nagy <bo...@cloudera.com>
Gerrit-Reviewer: Joe McDonnell <jo...@cloudera.com>
Gerrit-Reviewer: Laszlo Gaal (Cloudera) <la...@cloudera.com>
Gerrit-Reviewer: Zoltan Borok-Nagy <bo...@cloudera.com>
Gerrit-Comment-Date: Wed, 06 Apr 2022 12:00:41 +0000
Gerrit-HasComments: No

[native-toolchain-CR](CDH-7.1.8.x) IMPALA-11195: Disable SSL session renegotiation

Posted by "Zoltan Borok-Nagy (Code Review)" <ge...@cloudera.org>.
Zoltan Borok-Nagy has uploaded a new patch set (#2). ( http://gerrit.cloudera.org:8080/18382 )

Change subject: IMPALA-11195: Disable SSL session renegotiation
......................................................................

IMPALA-11195: Disable SSL session renegotiation

This patch disables TLS cipher renegotiation for TLSv1.2 and prior
protocol versions. Renegotiation is not possible in a TLSv1.3
connection. Additionally it also brings Thrift 11 patches already
existing in native-toolchain/master so
0005-IMPALA-11195-Disable-SSL-renegotiations.patch applies in a
clean way and there's no inconsistency between the branches.

In case of OpenSSL version 1.1.0h and newer, we are
using the SSL_OP_NO_RENEGOTIATION option to disable all renegotiations. In
case of OpenSSL version prior to 1.1.0a, the undocumented flag
SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS is used.

The moot point is the version interval between 1.1.0a and 1.1.0g
(inclusive): the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag is no longer
available from the application side, but SSL_OP_NO_RENEGOTIATION is not
yet present. So, if a server binary has been compiled with OpenSSL in
the specified version range, it's still advertising the renegotiation
option, even if it's run against OpenSSL 1.1.0h or later versions.

Change-Id: If3e12b6394134daf9c936268d4e60da6b4f3804e
(cherry picked from commit be219b7c627f2db31c1928ee079160a2855ad3df)
---
M buildall.sh
A source/thrift/thrift-0.11.0-patches/0003-THRIFT-2087-Python-compiler-replace-non-utf-8-char-w.patch
A source/thrift/thrift-0.11.0-patches/0004-THRIFT-5303-Fix-missing-error-handling-in-using-PyUn.patch
A source/thrift/thrift-0.11.0-patches/0005-IMPALA-11195-Disable-SSL-renegotiations.patch
A source/thrift/thrift-0.9.3-patches/0009-IMPALA-11195-Disable-SSL-renegotiations.patch
5 files changed, 165 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/native-toolchain refs/changes/82/18382/2
-- 

Gerrit-Project: native-toolchain
Gerrit-Branch: CDH-7.1.8.x
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: If3e12b6394134daf9c936268d4e60da6b4f3804e
Gerrit-Change-Number: 18382
Gerrit-PatchSet: 2
Gerrit-Owner: Zoltan Borok-Nagy <bo...@cloudera.com>

[native-toolchain-CR](CDH-7.1.8.x) IMPALA-11195: Disable SSL session renegotiation

Posted by "Zoltan Borok-Nagy (Code Review)" <ge...@cloudera.org>.
Zoltan Borok-Nagy has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/18382 )

Change subject: IMPALA-11195: Disable SSL session renegotiation
......................................................................

IMPALA-11195: Disable SSL session renegotiation

This patch disables TLS cipher renegotiation for TLSv1.2 and prior
protocol versions. Renegotiation is not possible in a TLSv1.3
connection. Additionally it also brings Thrift 11 patches already
existing in native-toolchain/master so
0005-IMPALA-11195-Disable-SSL-renegotiations.patch applies in a
clean way and there's no inconsistency between the branches.

In case of OpenSSL version 1.1.0h and newer, we are
using the SSL_OP_NO_RENEGOTIATION option to disable all renegotiations. In
case of OpenSSL version prior to 1.1.0a, the undocumented flag
SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS is used.

The moot point is the version interval between 1.1.0a and 1.1.0g
(inclusive): the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag is no longer
available from the application side, but SSL_OP_NO_RENEGOTIATION is not
yet present. So, if a server binary has been compiled with OpenSSL in
the specified version range, it's still advertising the renegotiation
option, even if it's run against OpenSSL 1.1.0h or later versions.

Change-Id: If3e12b6394134daf9c936268d4e60da6b4f3804e
(cherry picked from commit be219b7c627f2db31c1928ee079160a2855ad3df)
Reviewed-on: http://gerrit.cloudera.org:8080/18382
Tested-by: Zoltan Borok-Nagy <bo...@cloudera.com>
Reviewed-by: Joe McDonnell <jo...@cloudera.com>
---
M buildall.sh
A source/thrift/thrift-0.11.0-patches/0003-THRIFT-2087-Python-compiler-replace-non-utf-8-char-w.patch
A source/thrift/thrift-0.11.0-patches/0004-THRIFT-5303-Fix-missing-error-handling-in-using-PyUn.patch
A source/thrift/thrift-0.11.0-patches/0005-IMPALA-11195-Disable-SSL-renegotiations.patch
A source/thrift/thrift-0.9.3-patches/0009-IMPALA-11195-Disable-SSL-renegotiations.patch
5 files changed, 165 insertions(+), 2 deletions(-)

Approvals:
  Zoltan Borok-Nagy: Verified
  Joe McDonnell: Looks good to me, approved

-- 

Gerrit-Project: native-toolchain
Gerrit-Branch: CDH-7.1.8.x
Gerrit-MessageType: merged
Gerrit-Change-Id: If3e12b6394134daf9c936268d4e60da6b4f3804e
Gerrit-Change-Number: 18382
Gerrit-PatchSet: 3
Gerrit-Owner: Zoltan Borok-Nagy <bo...@cloudera.com>
Gerrit-Reviewer: Joe McDonnell <jo...@cloudera.com>
Gerrit-Reviewer: Laszlo Gaal (Cloudera) <la...@cloudera.com>
Gerrit-Reviewer: Zoltan Borok-Nagy <bo...@cloudera.com>

[native-toolchain-CR](CDH-7.1.8.x) IMPALA-11195: Disable SSL session renegotiation

Posted by "Joe McDonnell (Code Review)" <ge...@cloudera.org>.
Joe McDonnell has posted comments on this change. ( http://gerrit.cloudera.org:8080/18382 )

Change subject: IMPALA-11195: Disable SSL session renegotiation
......................................................................


Patch Set 2: Code-Review+2


-- 

Gerrit-Project: native-toolchain
Gerrit-Branch: CDH-7.1.8.x
Gerrit-MessageType: comment
Gerrit-Change-Id: If3e12b6394134daf9c936268d4e60da6b4f3804e
Gerrit-Change-Number: 18382
Gerrit-PatchSet: 2
Gerrit-Owner: Zoltan Borok-Nagy <bo...@cloudera.com>
Gerrit-Reviewer: Joe McDonnell <jo...@cloudera.com>
Gerrit-Reviewer: Laszlo Gaal (Cloudera) <la...@cloudera.com>
Gerrit-Reviewer: Zoltan Borok-Nagy <bo...@cloudera.com>
Gerrit-Comment-Date: Wed, 06 Apr 2022 21:16:15 +0000
Gerrit-HasComments: No