You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues-all@impala.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2023/01/31 12:59:00 UTC

[jira] [Commented] (IMPALA-11240) Revisit the default value for ssl_cipher_list to eliminate insecure ciphers

    [ https://issues.apache.org/jira/browse/IMPALA-11240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17682556#comment-17682556 ] 

ASF subversion and git services commented on IMPALA-11240:
----------------------------------------------------------

Commit 0617f2e66f88ca31424a1c490020b0565db6853e in impala's branch refs/heads/master from Andrew Sherman
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=0617f2e66 ]

IMPALA-11862: [DOCS] Document the default value of --ssl_cipher_list.

Since IMPALA-11240 the default value of ssl_cipher_list is not empty.
Update the docs to cover this change.

TESTING:
- Built docs locally.

Change-Id: I000fbb5bd37f52b85afe3855852875360b55ccfa
Reviewed-on: http://gerrit.cloudera.org:8080/19447
Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>


> Revisit the default value for ssl_cipher_list to eliminate insecure ciphers
> ---------------------------------------------------------------------------
>
>                 Key: IMPALA-11240
>                 URL: https://issues.apache.org/jira/browse/IMPALA-11240
>             Project: IMPALA
>          Issue Type: Improvement
>          Components: Security
>    Affects Versions: Impala 4.1.0
>            Reporter: Joe McDonnell
>            Assignee: Joe McDonnell
>            Priority: Major
>             Fix For: Impala 4.2.0
>
>
> The default value for ssl_cipher_list is empty, which uses any cipher supported by the operating system's OpenSSL version. Some older ciphers are known to be weak, and Mozilla's guide to server side SSL settings recommends restricting the SSL ciphers:
> [https://wiki.mozilla.org/Security/Server_Side_TLS]
> In particular, a curated list based on the intermediate compatibility level seems like a reasonable way to improve security. For example, Kudu restricts SSL ciphers to this list: 
> [https://github.com/apache/kudu/blob/master/src/kudu/security/security_flags.cc#L30]
> {noformat}
> const char* const SecurityDefaults::SecurityDefaults::kDefaultTlsCiphers =
>     "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
>     "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
>     "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";{noformat}
> We should consider doing something similar.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org