Posted to commits@kudu.apache.org by al...@apache.org on 2019/06/20 07:18:50 UTC
[kudu] 02/02: KUDU-2871 (part 1): disable TLS 1.3.
This is an automated email from the ASF dual-hosted git repository.
alexey pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kudu.git
commit efc3f372e8b9254ab6b65d1f884381016329611c
Author: Todd Lipcon <to...@apache.org>
AuthorDate: Wed Jun 19 23:49:26 2019 -0700
KUDU-2871 (part 1): disable TLS 1.3.
This disables TLS 1.3 for our RPC negotiations, since the 1.5-RTT
optimization breaks an assumption that the server sends the last token
in the negotiation exchange.
Tested that this fixes tls_handshake-test with Ubuntu 18 and libssl
1.1.1.
Change-Id: I431a1352ce1b8cca61b60c2dafbebadb4303e08a
Reviewed-on: http://gerrit.cloudera.org:8080/13683
Reviewed-by: Alexey Serbin <as...@cloudera.com>
Tested-by: Kudu Jenkins
---
src/kudu/rpc/client_negotiation.cc | 4 +++-
src/kudu/security/tls_context.cc | 7 +++++++
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/kudu/rpc/client_negotiation.cc b/src/kudu/rpc/client_negotiation.cc
index d74bdbe..b43f55d 100644
--- a/src/kudu/rpc/client_negotiation.cc
+++ b/src/kudu/rpc/client_negotiation.cc
@@ -481,7 +481,9 @@ Status ClientNegotiation::HandleTlsHandshake(const NegotiatePB& response) {
return Status::NotAuthorized("expected TLS_HANDSHAKE step",
NegotiatePB::NegotiateStep_Name(response.step()));
}
- TRACE("Received TLS_HANDSHAKE response from server");
+ if (!response.tls_handshake().empty()) {
+ TRACE("Received TLS_HANDSHAKE response from server");
+ }
if (PREDICT_FALSE(!response.has_tls_handshake())) {
return Status::NotAuthorized("No TLS handshake token in TLS_HANDSHAKE response from server");
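Review bot: The trace is now skipped entirely when the handshake token is empty, which is the very case this change is reacting to, so a negotiation trace for that path records no TLS_HANDSHAKE response at all even though the `has_tls_handshake()` check that follows presumably still passes for an explicitly set empty token. Tracing both outcomes keeps the response visible when diagnosing a stalled handshake, e.g. `} else { TRACE("Received empty TLS_HANDSHAKE response from server"); }`. A short comment above the new condition saying why an empty token can arrive here (the commit message attributes it to the 1.5-RTT TLS 1.3 handshake, KUDU-2871) would spare the next reader a trip to the bug tracker. HandleTlsHandshake continues outside the hunk, so whatever consumes the empty token afterwards is not visible here.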
diff --git a/src/kudu/security/tls_context.cc b/src/kudu/security/tls_context.cc
index 9bf433d..a01b779 100644
--- a/src/kudu/security/tls_context.cc
+++ b/src/kudu/security/tls_context.cc
@@ -61,6 +61,9 @@
#ifndef SSL_OP_NO_TLSv1_1
#define SSL_OP_NO_TLSv1_1 0x10000000U
#endif
+#ifndef SSL_OP_NO_TLSv1_3
+#define SSL_OP_NO_TLSv1_3 0x20000000U
+#endif
#ifndef TLS1_1_VERSION
#define TLS1_1_VERSION 0x0302
#endif
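Review bot: The new fallback `#define SSL_OP_NO_TLSv1_3 0x20000000U` gives no hint of where the value comes from or when it is expected to take effect, and the neighbouring `SSL_OP_NO_TLSv1_1` fallback is the only precedent. The value appears to match the definition in OpenSSL 1.1.1's ssl.h, but on a libssl that predates TLS 1.3 the fallback only serves to keep the later `options |= SSL_OP_NO_TLSv1_3` compiling, and whether that bit is unused by such a library is worth confirming against its ssl.h rather than assuming. A comment such as `// libssl builds without TLS 1.3 do not define this; value matches OpenSSL 1.1.1 ssl.h. See KUDU-2871.` would make the intent explicit and flag the assumption for whoever next bumps the bundled OpenSSL.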
@@ -165,6 +168,10 @@ Status TlsContext::Init() {
tls_min_protocol_);
}
+ // We don't currently support TLS 1.3 because the one-and-a-half-RTT negotiation
+ // confuses our RPC negotiation protocol. See KUDU-2871.
+ options |= SSL_OP_NO_TLSv1_3;
+
SSL_CTX_set_options(ctx_.get(), options);
OPENSSL_RET_NOT_OK(