Posted to reviews@impala.apache.org by "Zoltan Borok-Nagy (Code Review)" <ge...@cloudera.org> on 2022/03/23 18:44:56 UTC

[native-toolchain-CR] IMPALA-11195: Disable SSL session renegotiation

Zoltan Borok-Nagy has uploaded this change for review. ( http://gerrit.cloudera.org:8080/18347


Change subject: IMPALA-11195: Disable SSL session renegotiation
......................................................................

IMPALA-11195: Disable SSL session renegotiation

This patch disables TLS cipher renegotiation for TLSv1.2 and prior
protocol versions. Renegotiation is not possible in a TLSv1.3
connection.

For OpenSSL versions 1.1.0h and newer, we use the
SSL_OP_NO_RENEGOTIATION option to disable all renegotiations. For
OpenSSL versions prior to 1.1.0a, the undocumented flag
SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS is used.

The moot point is the version interval between 1.1.0a and 1.1.0g
(inclusive): the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag is no longer
available from the application side, but SSL_OP_NO_RENEGOTIATION is not
yet present. So, if a server binary has been compiled with OpenSSL in
the specified version range, it's still advertising the renegotiation
option, even if it's run against OpenSSL 1.1.0h or later versions.

Change-Id: I44ee3ff729798834fdda5862f4e50dae8bb287a2
---
M buildall.sh
A source/thrift/thrift-0.11.0-patches/0005-IMPALA-11195-Disable-SSL-renegotiations.patch
2 files changed, 55 insertions(+), 1 deletion(-)



  git pull ssh://gerrit.cloudera.org:29418/native-toolchain refs/changes/47/18347/1
-- 
To view, visit http://gerrit.cloudera.org:8080/18347
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: native-toolchain
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I44ee3ff729798834fdda5862f4e50dae8bb287a2
Gerrit-Change-Number: 18347
Gerrit-PatchSet: 1
Gerrit-Owner: Zoltan Borok-Nagy <bo...@cloudera.com>
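The compile-time version gate the commit message describes, written out as an added illustration (this is not code from the Thrift patch or from OpenSSL). It assumes OpenSSL's pre-3.0 version-number layout 0xMNNFFPPS so that the 0x1010007fL threshold checked in review (1.1.0g) can be read off, and it returns which mechanism a binary built against a given version can use; the OPENSSL_NUM helper, the enum and the function names are constructed here, and the OpenSSL calls appear only in comments.

```c
#include <stdio.h>

/* Pre-3.0 OPENSSL_VERSION_NUMBER layout: 0xMNNFFPPS (major, minor, fix,
 * patch letter with a=1, b=2, ..., status nibble 0xf for a release).
 * Constructed helper for this example; not part of the OpenSSL headers. */
#define OPENSSL_NUM(M, NN, FF, PP) \
    (((unsigned long)(M) << 28) | ((unsigned long)(NN) << 20) | \
     ((unsigned long)(FF) << 12) | ((unsigned long)(PP) << 4) | 0xfUL)

#define OPENSSL_1_1_0A OPENSSL_NUM(1, 1, 0, 1) /* 0x1010001fL */
#define OPENSSL_1_1_0G OPENSSL_NUM(1, 1, 0, 7) /* 0x1010007fL: threshold checked in review */
#define OPENSSL_1_1_0H OPENSSL_NUM(1, 1, 0, 8) /* 0x1010008fL: SSL_OP_NO_RENEGOTIATION exists */

typedef enum {
    /* Built against >= 1.1.0h: SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION). */
    RENEG_GUARD_OP_NO_RENEGOTIATION,
    /* Built against < 1.1.0a: the undocumented SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag. */
    RENEG_GUARD_SSL3_FLAGS,
    /* Built against 1.1.0a..1.1.0g: neither knob is reachable, renegotiation stays on. */
    RENEG_GUARD_NONE
} reneg_guard_t;

/* Mirrors the compile-time version check (assumed, as on line 18 of the
 * patch, to compare OPENSSL_VERSION_NUMBER against 0x1010007fL). */
reneg_guard_t reneg_guard_for(unsigned long build_version) {
    if (build_version > OPENSSL_1_1_0G) return RENEG_GUARD_OP_NO_RENEGOTIATION;
    if (build_version < OPENSSL_1_1_0A) return RENEG_GUARD_SSL3_FLAGS;
    return RENEG_GUARD_NONE;
}

/* The guard is resolved when the binary is compiled, so the library it is
 * later loaded against cannot add protection the build did not select. */
int renegotiation_disabled(unsigned long build_version, unsigned long runtime_version) {
    (void)runtime_version; /* deliberately ignored: this is the commit message's point */
    return reneg_guard_for(build_version) != RENEG_GUARD_NONE;
}

int main(void) {
    /* Constructed sample builds: 1.0.2k, 1.1.0e (in the gap) and 1.1.0h. */
    unsigned long builds[] = { OPENSSL_NUM(1, 0, 2, 11), OPENSSL_NUM(1, 1, 0, 5), OPENSSL_1_1_0H };
    for (size_t i = 0; i < sizeof builds / sizeof builds[0]; i++)
        printf("built against 0x%08lx: guard=%d, protected when run on 1.1.1h=%d\n",
               builds[i], (int)reneg_guard_for(builds[i]),
               renegotiation_disabled(builds[i], OPENSSL_NUM(1, 1, 1, 8)));
    return 0;
}
```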

[native-toolchain-CR] IMPALA-11195: Disable SSL session renegotiation

Posted by "Riza Suminto (Code Review)" <ge...@cloudera.org>.
Riza Suminto has posted comments on this change. ( http://gerrit.cloudera.org:8080/18347 )

Change subject: IMPALA-11195: Disable SSL session renegotiation
......................................................................


Patch Set 1: Code-Review+1

Looks good!


-- 

Gerrit-Project: native-toolchain
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I44ee3ff729798834fdda5862f4e50dae8bb287a2
Gerrit-Change-Number: 18347
Gerrit-PatchSet: 1
Gerrit-Owner: Zoltan Borok-Nagy <bo...@cloudera.com>
Gerrit-Reviewer: Joe McDonnell <jo...@cloudera.com>
Gerrit-Reviewer: Riza Suminto <ri...@cloudera.com>
Gerrit-Comment-Date: Wed, 23 Mar 2022 23:22:22 +0000
Gerrit-HasComments: No

[native-toolchain-CR] IMPALA-11195: Disable SSL session renegotiation

Posted by "Zoltan Borok-Nagy (Code Review)" <ge...@cloudera.org>.
Zoltan Borok-Nagy has posted comments on this change. ( http://gerrit.cloudera.org:8080/18347 )

Change subject: IMPALA-11195: Disable SSL session renegotiation
......................................................................


Patch Set 1:

Internal build job is still running.


-- 

Gerrit-Project: native-toolchain
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I44ee3ff729798834fdda5862f4e50dae8bb287a2
Gerrit-Change-Number: 18347
Gerrit-PatchSet: 1
Gerrit-Owner: Zoltan Borok-Nagy <bo...@cloudera.com>
Gerrit-Reviewer: Joe McDonnell <jo...@cloudera.com>
Gerrit-Reviewer: Riza Suminto <ri...@cloudera.com>
Gerrit-Reviewer: Zoltan Borok-Nagy <bo...@cloudera.com>
Gerrit-Comment-Date: Wed, 23 Mar 2022 18:47:34 +0000
Gerrit-HasComments: No

[native-toolchain-CR] IMPALA-11195: Disable SSL session renegotiation

Posted by "Joe McDonnell (Code Review)" <ge...@cloudera.org>.
Joe McDonnell has posted comments on this change. ( http://gerrit.cloudera.org:8080/18347 )

Change subject: IMPALA-11195: Disable SSL session renegotiation
......................................................................


Patch Set 1: Code-Review+2

(1 comment)

This is looking good to me

http://gerrit.cloudera.org:8080/#/c/18347/1/source/thrift/thrift-0.11.0-patches/0005-IMPALA-11195-Disable-SSL-renegotiations.patch
File source/thrift/thrift-0.11.0-patches/0005-IMPALA-11195-Disable-SSL-renegotiations.patch:

http://gerrit.cloudera.org:8080/#/c/18347/1/source/thrift/thrift-0.11.0-patches/0005-IMPALA-11195-Disable-SSL-renegotiations.patch@18
PS1, Line 18: 0x1010007fL
So I remember it later, this is where I checked this:
https://github.com/openssl/openssl/blob/OpenSSL_1_1_0h/include/openssl/opensslv.h#L42
Looks good



-- 

Gerrit-Project: native-toolchain
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I44ee3ff729798834fdda5862f4e50dae8bb287a2
Gerrit-Change-Number: 18347
Gerrit-PatchSet: 1
Gerrit-Owner: Zoltan Borok-Nagy <bo...@cloudera.com>
Gerrit-Reviewer: Joe McDonnell <jo...@cloudera.com>
Gerrit-Reviewer: Riza Suminto <ri...@cloudera.com>
Gerrit-Comment-Date: Thu, 24 Mar 2022 16:16:25 +0000
Gerrit-HasComments: Yes

[native-toolchain-CR] IMPALA-11195: Disable SSL session renegotiation

Posted by "Zoltan Borok-Nagy (Code Review)" <ge...@cloudera.org>.
Zoltan Borok-Nagy has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/18347 )

Change subject: IMPALA-11195: Disable SSL session renegotiation
......................................................................

IMPALA-11195: Disable SSL session renegotiation

This patch disables TLS cipher renegotiation for TLSv1.2 and prior
protocol versions. Renegotiation is not possible in a TLSv1.3
connection.

For OpenSSL versions 1.1.0h and newer, we use the
SSL_OP_NO_RENEGOTIATION option to disable all renegotiations. For
OpenSSL versions prior to 1.1.0a, the undocumented flag
SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS is used.

The moot point is the version interval between 1.1.0a and 1.1.0g
(inclusive): the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag is no longer
available from the application side, but SSL_OP_NO_RENEGOTIATION is not
yet present. So, if a server binary has been compiled with OpenSSL in
the specified version range, it's still advertising the renegotiation
option, even if it's run against OpenSSL 1.1.0h or later versions.

Change-Id: I44ee3ff729798834fdda5862f4e50dae8bb287a2
Reviewed-on: http://gerrit.cloudera.org:8080/18347
Reviewed-by: Riza Suminto <ri...@cloudera.com>
Reviewed-by: Joe McDonnell <jo...@cloudera.com>
Tested-by: Zoltan Borok-Nagy <bo...@cloudera.com>
---
M buildall.sh
A source/thrift/thrift-0.11.0-patches/0005-IMPALA-11195-Disable-SSL-renegotiations.patch
2 files changed, 55 insertions(+), 1 deletion(-)

Approvals:
  Riza Suminto: Looks good to me, but someone else must approve
  Joe McDonnell: Looks good to me, approved
  Zoltan Borok-Nagy: Verified

-- 

Gerrit-Project: native-toolchain
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I44ee3ff729798834fdda5862f4e50dae8bb287a2
Gerrit-Change-Number: 18347
Gerrit-PatchSet: 2
Gerrit-Owner: Zoltan Borok-Nagy <bo...@cloudera.com>
Gerrit-Reviewer: Joe McDonnell <jo...@cloudera.com>
Gerrit-Reviewer: Riza Suminto <ri...@cloudera.com>
Gerrit-Reviewer: Zoltan Borok-Nagy <bo...@cloudera.com>

[native-toolchain-CR] IMPALA-11195: Disable SSL session renegotiation

Posted by "Zoltan Borok-Nagy (Code Review)" <ge...@cloudera.org>.
Zoltan Borok-Nagy has posted comments on this change. ( http://gerrit.cloudera.org:8080/18347 )

Change subject: IMPALA-11195: Disable SSL session renegotiation
......................................................................


Patch Set 1: Verified+1

Verified on an internal job.


-- 

Gerrit-Project: native-toolchain
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I44ee3ff729798834fdda5862f4e50dae8bb287a2
Gerrit-Change-Number: 18347
Gerrit-PatchSet: 1
Gerrit-Owner: Zoltan Borok-Nagy <bo...@cloudera.com>
Gerrit-Reviewer: Joe McDonnell <jo...@cloudera.com>
Gerrit-Reviewer: Riza Suminto <ri...@cloudera.com>
Gerrit-Reviewer: Zoltan Borok-Nagy <bo...@cloudera.com>
Gerrit-Comment-Date: Thu, 24 Mar 2022 18:24:05 +0000
Gerrit-HasComments: No