Posted to reviews@kudu.apache.org by "Alexey Serbin (Code Review)" <ge...@cloudera.org> on 2020/02/29 04:11:38 UTC

[kudu-CR] [security] introduce security level override for OpenSSL

Alexey Serbin has uploaded this change for review. ( http://gerrit.cloudera.org:8080/15326 )


Change subject: [security] introduce security level override for OpenSSL
......................................................................

[security] introduce security level override for OpenSSL

In some contemporary Linux distros (like RHEL/CentOS 8.1), the default
security level for OpenSSL is set to 2.  This causes RSA keys of length
less than 2048 to be considered lax and insecure, and the verification
of corresponding certificates fails.  However, in Kudu tests we use
shorter keys to save time on run-time of the tests.

This patch introduces a gflag to override the security level of the
OpenSSL library.  With that, every test derived from the KuduTest class
automatically sets the security level to 1 when initializing its
TLS context.  That makes it possible to use RSA keys of length 1024
for generating certificates.  Otherwise, many tests would fail while
trying to adopt or verify certificates signed with smaller RSA keys.

Change-Id: Ic85fb6f7d2e7d1d09ff4c33742c5234da634b837
---
M src/kudu/mini-cluster/external_mini_cluster.cc
M src/kudu/security/tls_context.cc
M src/kudu/util/test_util.cc
3 files changed, 34 insertions(+), 0 deletions(-)



  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/26/15326/1
-- 
To view, visit http://gerrit.cloudera.org:8080/15326
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ic85fb6f7d2e7d1d09ff4c33742c5234da634b837
Gerrit-Change-Number: 15326
Gerrit-PatchSet: 1
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>

[kudu-CR] [security] introduce security level override for OpenSSL

Posted by "Adar Dembo (Code Review)" <ge...@cloudera.org>.
Adar Dembo has posted comments on this change. ( http://gerrit.cloudera.org:8080/15326 )

Change subject: [security] introduce security level override for OpenSSL
......................................................................


Patch Set 1: Code-Review+2



Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ic85fb6f7d2e7d1d09ff4c33742c5234da634b837
Gerrit-Change-Number: 15326
Gerrit-PatchSet: 1
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Volodymyr Verovkin <ve...@cloudera.com>
Gerrit-Comment-Date: Tue, 03 Mar 2020 04:22:50 +0000
Gerrit-HasComments: No

[kudu-CR] [security] introduce security level override for OpenSSL

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/15326 )

Change subject: [security] introduce security level override for OpenSSL
......................................................................


Patch Set 1: Verified+1

unrelated gradle snafu in TSAN build



Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ic85fb6f7d2e7d1d09ff4c33742c5234da634b837
Gerrit-Change-Number: 15326
Gerrit-PatchSet: 1
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Volodymyr Verovkin <ve...@cloudera.com>
Gerrit-Comment-Date: Sat, 29 Feb 2020 05:01:53 +0000
Gerrit-HasComments: No

[kudu-CR] [security] introduce security level override for OpenSSL

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has removed a vote on this change.

Change subject: [security] introduce security level override for OpenSSL
......................................................................


Removed Verified-1 by Kudu Jenkins (120)

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: deleteVote
Gerrit-Change-Id: Ic85fb6f7d2e7d1d09ff4c33742c5234da634b837
Gerrit-Change-Number: 15326
Gerrit-PatchSet: 1
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Volodymyr Verovkin <ve...@cloudera.com>

[kudu-CR] [security] introduce security level override for OpenSSL

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/15326 )

Change subject: [security] introduce security level override for OpenSSL
......................................................................

[security] introduce security level override for OpenSSL

In some contemporary Linux distros (like RHEL/CentOS 8.1), the default
security level for OpenSSL is set to 2.  This causes RSA keys of length
less than 2048 to be considered lax and insecure, and the verification
of corresponding certificates fails.  However, in Kudu tests we use
shorter keys to save time on run-time of the tests.

This patch introduces a gflag to override the security level of the
OpenSSL library.  With that, every test derived from the KuduTest class
automatically sets the security level to 1 when initializing its
TLS context.  That makes it possible to use RSA keys of length 1024
for generating certificates.  Otherwise, many tests would fail while
trying to adopt or verify certificates signed with smaller RSA keys.

Change-Id: Ic85fb6f7d2e7d1d09ff4c33742c5234da634b837
Reviewed-on: http://gerrit.cloudera.org:8080/15326
Tested-by: Alexey Serbin <as...@cloudera.com>
Reviewed-by: Adar Dembo <ad...@cloudera.com>
---
M src/kudu/mini-cluster/external_mini_cluster.cc
M src/kudu/security/tls_context.cc
M src/kudu/util/test_util.cc
3 files changed, 34 insertions(+), 0 deletions(-)

Approvals:
  Alexey Serbin: Verified
  Adar Dembo: Looks good to me, approved


Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: Ic85fb6f7d2e7d1d09ff4c33742c5234da634b837
Gerrit-Change-Number: 15326
Gerrit-PatchSet: 2
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Adar Dembo <ad...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Volodymyr Verovkin <ve...@cloudera.com>