Posted to commits@kudu.apache.org by al...@apache.org on 2019/06/20 07:18:50 UTC

[kudu] 02/02: KUDU-2871 (part 1): disable TLS 1.3.

This is an automated email from the ASF dual-hosted git repository.

alexey pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kudu.git

commit efc3f372e8b9254ab6b65d1f884381016329611c
Author: Todd Lipcon <to...@apache.org>
AuthorDate: Wed Jun 19 23:49:26 2019 -0700

    KUDU-2871 (part 1): disable TLS 1.3.
    
    This disables TLS 1.3 for our RPC negotiations, since the 1.5-RTT
    optimization breaks an assumption that the server sends the last token
    in the negotiation exchange.
    
    Tested that this fixes tls_handshake-test with Ubuntu 18 and libssl
    1.1.1.
    
    Change-Id: I431a1352ce1b8cca61b60c2dafbebadb4303e08a
    Reviewed-on: http://gerrit.cloudera.org:8080/13683
    Reviewed-by: Alexey Serbin <as...@cloudera.com>
    Tested-by: Kudu Jenkins
---
 src/kudu/rpc/client_negotiation.cc | 4 +++-
 src/kudu/security/tls_context.cc   | 7 +++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/kudu/rpc/client_negotiation.cc b/src/kudu/rpc/client_negotiation.cc
index d74bdbe..b43f55d 100644
--- a/src/kudu/rpc/client_negotiation.cc
+++ b/src/kudu/rpc/client_negotiation.cc
@@ -481,7 +481,9 @@ Status ClientNegotiation::HandleTlsHandshake(const NegotiatePB& response) {
     return Status::NotAuthorized("expected TLS_HANDSHAKE step",
                                  NegotiatePB::NegotiateStep_Name(response.step()));
   }
-  TRACE("Received TLS_HANDSHAKE response from server");
+  if (!response.tls_handshake().empty()) {
+    TRACE("Received TLS_HANDSHAKE response from server");
+  }
 
   if (PREDICT_FALSE(!response.has_tls_handshake())) {
     return Status::NotAuthorized("No TLS handshake token in TLS_HANDSHAKE response from server");
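Review bot: The new guard `if (!response.tls_handshake().empty())` carries no comment explaining why an empty token is now an expected input, and it reads the field before the `has_tls_handshake()` presence check that follows it. A missing field and an empty field both skip the trace, so a trace reader can no longer tell from this line that a TLS_HANDSHAKE step arrived at all. I would add something like `// An empty token means the peer had nothing further to send; only trace real handshake data.` (wording to be confirmed against the intended protocol change) and consider moving the guard below the presence check. HandleTlsHandshake() continues outside the hunk, so how an empty token is handled after this point is not visible here.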
diff --git a/src/kudu/security/tls_context.cc b/src/kudu/security/tls_context.cc
index 9bf433d..a01b779 100644
--- a/src/kudu/security/tls_context.cc
+++ b/src/kudu/security/tls_context.cc
@@ -61,6 +61,9 @@
 #ifndef SSL_OP_NO_TLSv1_1
 #define SSL_OP_NO_TLSv1_1 0x10000000U
 #endif
+#ifndef SSL_OP_NO_TLSv1_3
+#define SSL_OP_NO_TLSv1_3 0x20000000U
+#endif
 #ifndef TLS1_1_VERSION
 #define TLS1_1_VERSION 0x0302
 #endif
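Review bot: The fallback `#define SSL_OP_NO_TLSv1_3 0x20000000U` has no comment saying why a hard-coded bit is safe when the headers do not provide the macro. Presumably it exists so that a binary compiled against pre-1.1.1 headers still turns TLS 1.3 off when it is loaded against a newer libssl at run time; if so, say that, e.g. `// Defined by hand so builds against older OpenSSL headers still disable TLS 1.3 when run with a newer libssl.` It is also worth confirming that this bit is unused or harmless in the oldest OpenSSL release the project supports, since the same value is passed to SSL_CTX_set_options() there too.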
@@ -165,6 +168,10 @@ Status TlsContext::Init() {
                                    tls_min_protocol_);
   }
 
+  // We don't currently support TLS 1.3 because the one-and-a-half-RTT negotiation
+  // confuses our RPC negotiation protocol. See KUDU-2871.
+  options |= SSL_OP_NO_TLSv1_3;
+
   SSL_CTX_set_options(ctx_.get(), options);
 
   OPENSSL_RET_NOT_OK(
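Review bot: `options |= SSL_OP_NO_TLSv1_3;` caps the protocol by masking out a single version, so a protocol version that a future libssl adds above 1.3 could be negotiated and run into the same token-ordering assumption. Where the library offers it (OpenSSL 1.1.0 and later), stating the ceiling directly is more robust: `SSL_CTX_set_max_proto_version(ctx_.get(), TLS1_2_VERSION);`, kept behind a version guard because the compatibility defines earlier in this file suggest older OpenSSL is still supported. The commit message reports tls_handshake-test passing; an assertion there on the negotiated protocol version would keep the cap from regressing unnoticed. TlsContext::Init() starts and ends outside the hunk.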