You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues-all@impala.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2022/06/23 09:33:00 UTC

[jira] [Commented] (IMPALA-11240) Revisit the default value for ssl_cipher_list to eliminate insecure ciphers

    [ https://issues.apache.org/jira/browse/IMPALA-11240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557969#comment-17557969 ] 

ASF subversion and git services commented on IMPALA-11240:
----------------------------------------------------------

Commit f19f21def9ddca71d774467f5ad0ef6562df20c7 in impala's branch refs/heads/master from Joe McDonnell
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=f19f21def ]

IMPALA-11240: Change default ssl_cipher_list to eliminate insecure ciphers

The current default value for ssl_cipher_list is empty, which
allows any cipher supported by the operating system's OpenSSL
version. On several operating systems, this includes several
known weak ciphers, such as those based on RC4.

This changes the default to match what is used by Kudu,
which is based on Mozilla's intermediate compatability
level:
https://wiki.mozilla.org/Security/Server_Side_TLS

Users can get the old behavior by setting the ssl_cipher_list="".

Tests:
 - Ran core tests

Change-Id: I69fbfdbca3640b50d90e943f4d5c63fbc9cb1e76
Reviewed-on: http://gerrit.cloudera.org:8080/18654
Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>


> Revisit the default value for ssl_cipher_list to eliminate insecure ciphers
> ---------------------------------------------------------------------------
>
>                 Key: IMPALA-11240
>                 URL: https://issues.apache.org/jira/browse/IMPALA-11240
>             Project: IMPALA
>          Issue Type: Improvement
>          Components: Security
>    Affects Versions: Impala 4.1.0
>            Reporter: Joe McDonnell
>            Assignee: Joe McDonnell
>            Priority: Major
>
> The default value for ssl_cipher_list is empty, which uses any cipher supported by the operating system's OpenSSL version. Some older ciphers are known to be weak, and Mozilla's guide to server side SSL settings recommends restricting the SSL ciphers:
> [https://wiki.mozilla.org/Security/Server_Side_TLS]
> In particular, a curated list based on the intermediate compatibility level seems like a reasonable way to improve security. For example, Kudu restricts SSL ciphers to this list: 
> [https://github.com/apache/kudu/blob/master/src/kudu/security/security_flags.cc#L30]
> {noformat}
> const char* const SecurityDefaults::SecurityDefaults::kDefaultTlsCiphers =
>     "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
>     "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
>     "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";{noformat}
> We should consider doing something similar.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org