You are viewing a plain text version of this content. The canonical link for it is here.
Posted to reviews@impala.apache.org by "Joe McDonnell (Code Review)" <ge...@cloudera.org> on 2022/07/21 16:01:58 UTC

[Impala-ASF-CR] IMPALA-10069: Support TLS 1.3 ciphersuites

Hello Impala Public Jenkins, 

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/18316

to look at the new patch set (#3).

Change subject: IMPALA-10069: Support TLS 1.3 ciphersuites
......................................................................

IMPALA-10069: Support TLS 1.3 ciphersuites

OpenSSL 1.1.1 adds support for TLS 1.3. TLS 1.3 has a new
set of cipher suites that are maintained separately from
the TLS 1.2 ciphers. This caused test failures on tests
that expected failures when setting invalid TLS 1.2 ciphers.
It also rendered some success test cases invalid, because
the TLS 1.3 ciphers would work even if TLS 1.2 didn't.

This adds the tls_ciphersuites startup parameter, which
customizes the TLS 1.3 cipher suites. tls_ciphersuites is
only effective when Impala is built for a system with OpenSSL
1.1.1 or above.

This uses tls_ciphersuites to fix the existing TLS 1.2 cipher
tests. It also adds a set of tests for TLS 1.3 cipher suites.

KRPC and the webserver now support ssl_minimum_version=tlsv1.3.
However, Thrift does not support this configuration yet, so
this is not supported for impalad yet. To support TLS 1.3 tests
on Thrift, this adds a disable_tls12 option to ThriftServer
and ThriftClient. This will be removed when
ssl_minimum_version=tlsv1.3 is supported.

Testing:
 - Ran the backend tests with TLS checks (rpc-mgr-test, rpc-mgr-kerberized-test,
   webserver-test, and thrift-server-test) on Ubuntu 18 and Ubuntu 20
 - Added tests for tls_ciphersuites in rpc-mgr-test and thrift-server-test
 - Ran a core test on Centos 7
 - Ran a core test on Ubuntu 16

Change-Id: I6974dae7fb429599847165614adc4eaaf338f744
---
M be/src/rpc/rpc-mgr-test.cc
M be/src/rpc/rpc-mgr-test.h
M be/src/rpc/rpc-mgr.cc
M be/src/rpc/thrift-client.cc
M be/src/rpc/thrift-client.h
M be/src/rpc/thrift-server-test.cc
M be/src/rpc/thrift-server.cc
M be/src/rpc/thrift-server.h
M be/src/rpc/thrift-util.cc
M be/src/rpc/thrift-util.h
M be/src/service/impala-server.cc
M be/src/thirdparty/squeasel/squeasel.c
M be/src/util/webserver-test.cc
M be/src/util/webserver.cc
14 files changed, 523 insertions(+), 84 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/16/18316/3
-- 
To view, visit http://gerrit.cloudera.org:8080/18316
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I6974dae7fb429599847165614adc4eaaf338f744
Gerrit-Change-Number: 18316
Gerrit-PatchSet: 3
Gerrit-Owner: Joe McDonnell <jo...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Joe McDonnell <jo...@cloudera.com>