You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@impala.apache.org by bo...@apache.org on 2022/03/25 15:00:40 UTC
[impala] 03/03: IMPALA-11195 (part 1): Disable SSL session renegotiations in the web server
This is an automated email from the ASF dual-hosted git repository.
boroknagyz pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git
commit 0dce419dbd073257d2352e556642f6239a76bb9b
Author: Zoltan Borok-Nagy <bo...@cloudera.com>
AuthorDate: Wed Mar 23 19:28:34 2022 +0100
IMPALA-11195 (part 1): Disable SSL session renegotiations in the web server
SSL renegotiation has had a couple of CVEs in the past. This patch
disables TLS ciphers renegotiation for TLSv1.2 and prior protocol
versions in the Impala web server. Renegotiation is not possible in
a TLSv1.3 connection. Disabling renegotiations on the Thrift servers
require Thrift-side changes, hence this is handled in the
native-toolchain.
This change is based on KUDU-1926.
In case of OpenSSL version 1.1.0h and newer, we are
using SSL_OP_NO_RENEGOTIATION option to disable all renegotiations. In
case of OpenSSL version prior to 1.1.0a, the undocumented flag
SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS is used.
The moot point is the version interval between 1.1.0a and 1.1.0g
(inclusive): the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag is no longer
available from the application side, but SSL_OP_NO_RENEGOTIATION is not
yet present. So, if a server binary has been compiled with OpenSSL in
the specified version range, it's still advertising the renegotiation
option, even if it's run against OpenSSL 1.1.0h or later versions.
Change-Id: I1afbd6dfcad6b8fbc2e82763222996fabba207cf
Reviewed-on: http://gerrit.cloudera.org:8080/18346
Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>
---
be/src/thirdparty/squeasel/squeasel.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/be/src/thirdparty/squeasel/squeasel.c b/be/src/thirdparty/squeasel/squeasel.c
index d716783..40659ec 100644
--- a/be/src/thirdparty/squeasel/squeasel.c
+++ b/be/src/thirdparty/squeasel/squeasel.c
@@ -3789,6 +3789,13 @@ static pthread_mutex_t *ssl_mutexes;
static int sslize(struct sq_connection *conn, SSL_CTX *s, int (*func)(SSL *)) {
return (conn->ssl = SSL_new(s)) != NULL &&
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ // IMPALA-11195: disable TLS/SSL renegotiation. In version 1.0.2 and prior it's
+ // possible to use the undocumented SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag.
+ // For more context, see a note on the SSL_OP_NO_RENEGOTIATION option in the
+ // $OPENSSL_ROOT/CHANGES and https://github.com/openssl/openssl/issues/4739.
+ (conn->ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
+#endif
SSL_set_fd(conn->ssl, conn->client.sock) == 1 &&
func(conn->ssl) == 1;
}
@@ -3898,6 +3905,20 @@ static int set_ssl_option(struct sq_context *ctx) {
return 0;
}
+#if OPENSSL_VERSION_NUMBER > 0x1010007fL
+ // IMPALA-11195: disable TLS/SSL renegotiation.
+ // See https://www.openssl.org/docs/man1.1.0/man3/SSL_set_options.html for
+ // details. SSL_OP_NO_RENEGOTIATION option was back-ported from 1.1.1-dev to
+ // 1.1.0h, so this is a best-effort approach if the binary compiled with
+ // newer as per information in the CHANGES file for
+ // 'Changes between 1.1.0g and 1.1.0h [27 Mar 2018]':
+ // Note that if an application built against 1.1.0h headers (or above) is
+ // run using an older version of 1.1.0 (prior to 1.1.0h) then the option
+ // will be accepted but nothing will happen, i.e. renegotiation will
+ // not be prevented.
+ options |= SSL_OP_NO_RENEGOTIATION;
+#endif
+
if ((SSL_CTX_set_options(ctx->ssl_ctx, options) & options) != options) {
cry(fc(ctx), "SSL_CTX_set_options (server) error: could not set options (%d)",
options);