Posted to reviews@kudu.apache.org by "Alexey Serbin (Code Review)" <ge...@cloudera.org> on 2022/08/24 02:46:54 UTC

[kudu-CR] [security] update list of preferred TLS ciphers

Alexey Serbin has uploaded this change for review. ( http://gerrit.cloudera.org:8080/18900


Change subject: [security] update list of preferred TLS ciphers
......................................................................

[security] update list of preferred TLS ciphers

After revising the list of preferred TLS ciphers for Kudu in [1],
it turned out that some FIPS 140-2 environments using custom JSSE
providers (e.g., particular versions of BouncyCastle and CaseLogic)
lack AES-GCM ciphers, so Kudu Java client applications could not
establish a TLS connection to Kudu servers since the AES-CBC ciphers
were intentionally removed from the list due to their inferior
performance compared with AES-GCM counterparts.

This patch addresses the issue, appending AES-CCM and AES-CBC ciphers
to the list of preferred ones.  The CBC counterparts of the AES-GCM
ciphers are known to be much less performant on modern x86_64 CPUs,
but at least there should be a shared cipher to establish a connection
using the TLSv1.2 protocol in such environments.

This is a follow-up to [1].

[1] https://github.com/apache/kudu/commit/a8fb42dc34e8f1f876db5b26fc3f5eb3196ce854

Change-Id: I2f8e251acd34fc4ede367b030cd16841527042bc
---
M java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java
M src/kudu/security/security_flags.cc
2 files changed, 17 insertions(+), 2 deletions(-)



  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/00/18900/1
-- 
To view, visit http://gerrit.cloudera.org:8080/18900
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I2f8e251acd34fc4ede367b030cd16841527042bc
Gerrit-Change-Number: 18900
Gerrit-PatchSet: 1
Gerrit-Owner: Alexey Serbin <al...@apache.org>
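The failure mode the commit message describes is a pure cipher-suite intersection problem: the server advertises a preference list in OpenSSL notation (the string kept in security_flags.cc), the Java client offers whatever its JSSE provider supports in IANA/JSSE notation, and if the two sets do not overlap the TLSv1.2 handshake aborts. The following is an added example, not code from Kudu or from this change, that models that selection: it translates JSSE suite names to OpenSSL names, checks whether a client offers any AES-GCM suite at all, and picks the suite a server that enforces its own preference order would choose. Both server lists and both client lists are constructed samples; they are not Kudu's actual default cipher string nor the output of any particular FIPS provider, and the assumption that the server honours its own ordering is noted in the code.

```python
"""Model TLS 1.2 cipher-suite selection between a Kudu-style server preference
list (OpenSSL names, as in security_flags.cc) and the suites a Java client's
JSSE provider offers (IANA names, as printed by the JDK)."""
import re
from typing import List, Optional

# Constructed sample server list in OpenSSL format. This is NOT Kudu's actual
# default cipher string; it only mirrors the shape described in the commit:
# AES-GCM suites first, then the CCM and CBC suites appended as a fallback.
SERVER_GCM_ONLY = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
)
SERVER_WITH_FALLBACK = SERVER_GCM_ONLY + (
    ":ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES256-CCM:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384"
)

# Constructed sample of what a FIPS JSSE provider lacking AES-GCM might return
# from SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites().
# Not the output of any particular provider.
FIPS_CLIENT_NO_GCM = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
]
# Constructed sample for a stock JDK client, which does offer AES-GCM.
STOCK_CLIENT = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
]

_SUITE_RE = re.compile(
    r"TLS_([A-Z_]+?)_WITH_AES_(128|256)_(GCM|CCM|CBC)(?:_(SHA256|SHA384|SHA))?"
)


def jsse_to_openssl(name: str) -> str:
    """Translate a TLS 1.2 IANA/JSSE suite name into the OpenSSL name used in
    server cipher strings. Handles ECDHE/DHE/RSA key exchange with AES in GCM,
    CCM (not CCM_8) or CBC mode; raises ValueError for anything else."""
    m = _SUITE_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"unsupported or non-TLS-1.2 suite name: {name}")
    kx, bits, mode, mac = m.groups()
    parts = []
    if kx != "RSA":  # OpenSSL omits the prefix for plain RSA key transport
        parts.append(kx.replace("_", "-"))
    # OpenSSL names CBC suites by cipher and MAC only ("AES128-SHA256"),
    # while GCM/CCM carry the mode ("AES128-GCM-SHA256", "AES128-CCM").
    parts.append(f"AES{bits}" if mode == "CBC" else f"AES{bits}-{mode}")
    if mac:  # CCM suites have no separate MAC in their name
        parts.append(mac)
    return "-".join(parts)


def offers_gcm(client_suites: List[str]) -> bool:
    """The quick check to run on a FIPS JVM: does the provider offer any
    AES-GCM suite at all?"""
    return any("_GCM_" in s for s in client_suites)


def negotiate(server_pref: str, client_suites: List[str]) -> Optional[str]:
    """Pick the suite a server that enforces its own preference order would
    choose (assumed here; OpenSSL's SSL_OP_CIPHER_SERVER_PREFERENCE): the first
    entry of server_pref that the client also offers. Returns None when nothing
    is shared, which on the wire is a handshake_failure alert ("no shared
    cipher" on the OpenSSL side). Only explicit suite names are understood;
    OpenSSL keywords such as HIGH or !aNULL must be expanded first."""
    offered = set()
    for s in client_suites:
        try:
            offered.add(jsse_to_openssl(s))
        except ValueError:
            pass  # TLS 1.3, ChaCha20, CCM_8 etc. are outside this model
    for suite in server_pref.split(":"):
        if suite in offered:
            return suite
    return None


if __name__ == "__main__":
    for label, client in (("FIPS provider, no GCM", FIPS_CLIENT_NO_GCM),
                          ("stock JDK", STOCK_CLIENT)):
        print(f"{label}: offers GCM = {offers_gcm(client)}")
        print(f"  server GCM-only      -> {negotiate(SERVER_GCM_ONLY, client)}")
        print(f"  server with fallback -> {negotiate(SERVER_WITH_FALLBACK, client)}")
```

With the GCM-only list the CBC-only client gets no shared suite, which is the connection failure the commit describes; with the CCM and CBC suites appended it negotiates ECDHE-ECDSA-AES128-SHA256, while a GCM-capable client still lands on the first GCM suite because the fallbacks sit at the end of a server-ordered list. That last property holds only if the server enforces its own order; whether Kudu sets that option is not shown on this page, so verify it before relying on the ordering. To run the check with real data, print the array returned by SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites() on the FIPS JVM, and expand the server's cipher string with `openssl ciphers -v '<string>'` so that only explicit suite names are passed in.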

[kudu-CR] [security] update list of preferred TLS ciphers

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has removed a vote on this change.

Change subject: [security] update list of preferred TLS ciphers
......................................................................


Removed Verified-1 by Kudu Jenkins (120)

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: deleteVote
Gerrit-Change-Id: I2f8e251acd34fc4ede367b030cd16841527042bc
Gerrit-Change-Number: 18900
Gerrit-PatchSet: 1
Gerrit-Owner: Alexey Serbin <al...@apache.org>
Gerrit-Reviewer: Alexey Serbin <al...@apache.org>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)

[kudu-CR] [security] update list of preferred TLS ciphers

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/18900 )

Change subject: [security] update list of preferred TLS ciphers
......................................................................


Patch Set 1: Verified+1

unrelated test failure



Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I2f8e251acd34fc4ede367b030cd16841527042bc
Gerrit-Change-Number: 18900
Gerrit-PatchSet: 1
Gerrit-Owner: Alexey Serbin <al...@apache.org>
Gerrit-Reviewer: Alexey Serbin <al...@apache.org>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Wed, 31 Aug 2022 15:38:28 +0000
Gerrit-HasComments: No

[kudu-CR] [security] update list of preferred TLS ciphers

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/18900 )

Change subject: [security] update list of preferred TLS ciphers
......................................................................


Patch Set 1:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/18900/1//COMMIT_MSG
Commit Message:

PS1: 
I need to test this on a real FIPS-compliant machine, though.

Also, I'm curious how AES-CCM ciphers perform (need to remove all other ciphers from the preferred list and run at least the rpc-test).




Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I2f8e251acd34fc4ede367b030cd16841527042bc
Gerrit-Change-Number: 18900
Gerrit-PatchSet: 1
Gerrit-Owner: Alexey Serbin <al...@apache.org>
Gerrit-Reviewer: Alexey Serbin <al...@apache.org>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Wed, 24 Aug 2022 02:48:45 +0000
Gerrit-HasComments: Yes

[kudu-CR] [security] update list of preferred TLS ciphers

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/18900 )

Change subject: [security] update list of preferred TLS ciphers
......................................................................

[security] update list of preferred TLS ciphers

After revising the list of preferred TLS ciphers for Kudu in [1],
it turned out that some FIPS 140-2 environments using custom JSSE
providers (e.g., particular versions of BouncyCastle and CaseLogic)
lack AES-GCM ciphers, so Kudu Java client applications could not
establish a TLS connection to Kudu servers since the AES-CBC ciphers
were intentionally removed from the list due to their inferior
performance compared with AES-GCM counterparts.

This patch addresses the issue, appending AES-CCM and AES-CBC ciphers
to the list of preferred ones.  The CBC counterparts of the AES-GCM
ciphers are known to be much less performant on modern x86_64 CPUs,
but at least there should be a shared cipher to establish a connection
using the TLSv1.2 protocol in such environments.

This is a follow-up to [1].

[1] https://github.com/apache/kudu/commit/a8fb42dc34e8f1f876db5b26fc3f5eb3196ce854

Change-Id: I2f8e251acd34fc4ede367b030cd16841527042bc
Reviewed-on: http://gerrit.cloudera.org:8080/18900
Reviewed-by: Attila Bukor <ab...@apache.org>
Tested-by: Alexey Serbin <al...@apache.org>
---
M java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java
M src/kudu/security/security_flags.cc
2 files changed, 17 insertions(+), 2 deletions(-)

Approvals:
  Attila Bukor: Looks good to me, approved
  Alexey Serbin: Verified


Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I2f8e251acd34fc4ede367b030cd16841527042bc
Gerrit-Change-Number: 18900
Gerrit-PatchSet: 2
Gerrit-Owner: Alexey Serbin <al...@apache.org>
Gerrit-Reviewer: Alexey Serbin <al...@apache.org>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)

[kudu-CR] [security] update list of preferred TLS ciphers

Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.
Attila Bukor has posted comments on this change. ( http://gerrit.cloudera.org:8080/18900 )

Change subject: [security] update list of preferred TLS ciphers
......................................................................


Patch Set 1: Code-Review+2



Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I2f8e251acd34fc4ede367b030cd16841527042bc
Gerrit-Change-Number: 18900
Gerrit-PatchSet: 1
Gerrit-Owner: Alexey Serbin <al...@apache.org>
Gerrit-Reviewer: Alexey Serbin <al...@apache.org>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Mon, 29 Aug 2022 18:15:40 +0000
Gerrit-HasComments: No