Posted to reviews@kudu.apache.org by "Alexey Serbin (Code Review)" <ge...@cloudera.org> on 2021/03/22 23:23:06 UTC

[kudu-CR] KUDU-1926: disable TLS/SSL renegotiation

Hello Attila Bukor, Kudu Jenkins, Andrew Wong, Grant Henke, 

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/17204

to look at the new patch set (#3).

Change subject: KUDU-1926: disable TLS/SSL renegotiation
......................................................................

KUDU-1926: disable TLS/SSL renegotiation

This patch disables TLS cipher renegotiation for TLSv1.2 and prior
protocol versions.  For OpenSSL version 1.1.0h and newer, we use the
SSL_OP_NO_RENEGOTIATION option to disable all renegotiations.  For
OpenSSL versions prior to 1.1.0a, the undocumented flag
SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS is used.  See [1], [2] and [3]
for more context.

The moot point is the version interval between 1.1.0a and 1.1.0g
(inclusive): the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag is no longer
available from the application side, but SSL_OP_NO_RENEGOTIATION is not
yet present.  So, if a server binary has been compiled with OpenSSL in
the specified version range, it's still advertising the renegotiation
option, even if it's run against OpenSSL 1.1.0h or later versions.

[1] https://www.openssl.org/docs/man1.1.0/man3/SSL_set_options.html
[2] https://github.com/openssl/openssl/blob/f9398cc2b31858ddaaea3f5cfec2fce7f9b90347/CHANGES#L1038-L1049
[3] https://github.com/openssl/openssl/issues/4739

Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1
---
M src/kudu/security/tls_context.cc
1 file changed, 25 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/04/17204/3
-- 
To view, visit http://gerrit.cloudera.org:8080/17204
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1
Gerrit-Change-Number: 17204
Gerrit-PatchSet: 3
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
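The awkward case the commit message describes, a server binary built against OpenSSL headers from 1.1.0a through 1.1.0g, is one where the compile-time check cannot tell you what the running server actually does, so it is worth probing the deployed endpoint directly. The script below is an added example and is not part of the Kudu change or of OpenSSL: it drives `openssl s_client` (assumed to be on PATH) against a host:port you supply, requests a client-initiated renegotiation with s_client's `R` command, and classifies the `-state` transcript. A server that has renegotiation disabled answers the mid-connection ClientHello with a no_renegotiation warning alert, which s_client's info callback reports as `SSL3 alert read:warning:no renegotiation`; a server that still allows renegotiation completes a second handshake. The function names, the placeholder hostname, and the embedded transcripts are mine; the transcripts are constructed and trimmed to the lines that matter so the classifier can be exercised without a live server.

```shell
#!/bin/sh
# Probe a TLS server for client-initiated renegotiation with openssl s_client.
# Added example, not Kudu or OpenSSL code. Assumes: the `openssl` CLI is on
# PATH, the target accepts TLS 1.2 (renegotiation does not exist in TLS 1.3),
# and s_client is run with -state so alerts are printed by its info callback.

# classify_renegotiation_output: read an `s_client -state` transcript on stdin
# and print exactly one word:
#   refused  - the server answered the renegotiation attempt with a
#              no_renegotiation alert (the behaviour this patch aims for)
#   accepted - a second handshake completed after RENEGOTIATING
#   unknown  - neither pattern seen (connection failed, no -state, ...)
classify_renegotiation_output() {
    awk '
        /alert read:warning:no renegotiation/   { refused = 1 }
        /^RENEGOTIATING/                        { reneg = 1 }
        /SSL negotiation finished successfully/ { if (reneg) done = 1 }
        END {
            if (refused)            print "refused"
            else if (reneg && done) print "accepted"
            else                    print "unknown"
        }'
}

# probe_renegotiation HOST:PORT
# The lone "R" line on stdin is the s_client command to renegotiate; the
# sleep keeps stdin open so the session is not torn down before the server
# has answered. Prints the one-word verdict from the classifier.
probe_renegotiation() {
    { printf 'R\n'; sleep 2; } \
        | openssl s_client -connect "$1" -tls1_2 -state 2>&1 \
        | classify_renegotiation_output
}

# Constructed transcripts (trimmed to the relevant lines) showing the
# outcomes, so the classifier can be checked without a live server.
REFUSED_TRANSCRIPT='SSL_connect:SSL negotiation finished successfully
RENEGOTIATING
SSL_connect:before SSL initialization
SSL3 alert read:warning:no renegotiation'

ACCEPTED_TRANSCRIPT='SSL_connect:SSL negotiation finished successfully
RENEGOTIATING
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:SSL negotiation finished successfully'

# Connection that never got as far as a renegotiation attempt.
ABORTED_TRANSCRIPT='SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
connect:errno=111'

# Usage against a live endpoint (hostname is a placeholder):
#   probe_renegotiation kudu-master.example.com:7051
```

Run the probe against each server after an OpenSSL upgrade as well as after deploying this patch: "refused" is the expected result, "accepted" means the binary in question was built in the 1.1.0a to 1.1.0g window (or predates the change), and "unknown" usually means the connection itself failed or the installed s_client prints its alerts in a different format, in which case inspect the raw transcript before drawing a conclusion.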