Posted to reviews@impala.apache.org by "Zoltan Borok-Nagy (Code Review)" <ge...@cloudera.org> on 2022/03/24 18:33:29 UTC

[Impala-ASF-CR] IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server

Zoltan Borok-Nagy has uploaded this change for review. ( http://gerrit.cloudera.org:8080/18351 )


Change subject: IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server
......................................................................

IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server

SSL renegotiation has had a couple of CVEs in the past. This patch
disables TLS ciphers renegotiation for TLSv1.2 and prior protocol
versions in the Impala Thrift server. Renegotiation is not possible in
a TLSv1.3 connection.

This patch disables renegotiations by using a patched version of Thrift.

Change-Id: I497ccf6fcfb397fc961c3422a34128894604d1e4
---
M bin/impala-config.sh
1 file changed, 2 insertions(+), 2 deletions(-)



  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/51/18351/1
-- 
To view, visit http://gerrit.cloudera.org:8080/18351
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I497ccf6fcfb397fc961c3422a34128894604d1e4
Gerrit-Change-Number: 18351
Gerrit-PatchSet: 1
Gerrit-Owner: Zoltan Borok-Nagy <bo...@cloudera.com>

[Impala-ASF-CR] IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server

Posted by "Joe McDonnell (Code Review)" <ge...@cloudera.org>.
Joe McDonnell has posted comments on this change. ( http://gerrit.cloudera.org:8080/18351 )

Change subject: IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server
......................................................................


Patch Set 1: Code-Review+2



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I497ccf6fcfb397fc961c3422a34128894604d1e4
Gerrit-Change-Number: 18351
Gerrit-PatchSet: 1
Gerrit-Owner: Zoltan Borok-Nagy <bo...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Joe McDonnell <jo...@cloudera.com>
Gerrit-Reviewer: Riza Suminto <ri...@cloudera.com>
Gerrit-Comment-Date: Thu, 24 Mar 2022 20:36:29 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/18351 )

Change subject: IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server
......................................................................


Patch Set 1:

Build Successful 

https://jenkins.impala.io/job/gerrit-code-review-checks/10332/ : Initial code review checks passed. Use gerrit-verify-dryrun-external or gerrit-verify-dryrun to run full precommit tests.



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I497ccf6fcfb397fc961c3422a34128894604d1e4
Gerrit-Change-Number: 18351
Gerrit-PatchSet: 1
Gerrit-Owner: Zoltan Borok-Nagy <bo...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Joe McDonnell <jo...@cloudera.com>
Gerrit-Reviewer: Riza Suminto <ri...@cloudera.com>
Gerrit-Comment-Date: Thu, 24 Mar 2022 18:54:06 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/18351 )

Change subject: IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server
......................................................................


Patch Set 4:

Build started: https://jenkins.impala.io/job/gerrit-verify-dryrun/7971/ DRY_RUN=false



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I497ccf6fcfb397fc961c3422a34128894604d1e4
Gerrit-Change-Number: 18351
Gerrit-PatchSet: 4
Gerrit-Owner: Zoltan Borok-Nagy <bo...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Joe McDonnell <jo...@cloudera.com>
Gerrit-Reviewer: Riza Suminto <ri...@cloudera.com>
Gerrit-Comment-Date: Sat, 26 Mar 2022 19:12:56 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/18351 )

Change subject: IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server
......................................................................


Patch Set 2:

Build started: https://jenkins.impala.io/job/gerrit-verify-dryrun/7965/ DRY_RUN=false



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I497ccf6fcfb397fc961c3422a34128894604d1e4
Gerrit-Change-Number: 18351
Gerrit-PatchSet: 2
Gerrit-Owner: Zoltan Borok-Nagy <bo...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Joe McDonnell <jo...@cloudera.com>
Gerrit-Reviewer: Riza Suminto <ri...@cloudera.com>
Gerrit-Comment-Date: Fri, 25 Mar 2022 10:23:24 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/18351 )

Change subject: IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server
......................................................................


Patch Set 3: Code-Review+2



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I497ccf6fcfb397fc961c3422a34128894604d1e4
Gerrit-Change-Number: 18351
Gerrit-PatchSet: 3
Gerrit-Owner: Zoltan Borok-Nagy <bo...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Joe McDonnell <jo...@cloudera.com>
Gerrit-Reviewer: Riza Suminto <ri...@cloudera.com>
Gerrit-Comment-Date: Fri, 25 Mar 2022 15:11:56 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/18351 )

Change subject: IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server
......................................................................


Patch Set 3:

Build failed: https://jenkins.impala.io/job/gerrit-verify-dryrun/7967/



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I497ccf6fcfb397fc961c3422a34128894604d1e4
Gerrit-Change-Number: 18351
Gerrit-PatchSet: 3
Gerrit-Owner: Zoltan Borok-Nagy <bo...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Joe McDonnell <jo...@cloudera.com>
Gerrit-Reviewer: Riza Suminto <ri...@cloudera.com>
Gerrit-Comment-Date: Fri, 25 Mar 2022 17:52:49 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/18351 )

Change subject: IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server
......................................................................


Patch Set 4: Verified+1



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I497ccf6fcfb397fc961c3422a34128894604d1e4
Gerrit-Change-Number: 18351
Gerrit-PatchSet: 4
Gerrit-Owner: Zoltan Borok-Nagy <bo...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Joe McDonnell <jo...@cloudera.com>
Gerrit-Reviewer: Riza Suminto <ri...@cloudera.com>
Gerrit-Comment-Date: Sun, 27 Mar 2022 15:30:52 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/18351 )

Change subject: IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server
......................................................................


Patch Set 3:

Build started: https://jenkins.impala.io/job/gerrit-verify-dryrun/7966/ DRY_RUN=false



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I497ccf6fcfb397fc961c3422a34128894604d1e4
Gerrit-Change-Number: 18351
Gerrit-PatchSet: 3
Gerrit-Owner: Zoltan Borok-Nagy <bo...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Joe McDonnell <jo...@cloudera.com>
Gerrit-Reviewer: Riza Suminto <ri...@cloudera.com>
Gerrit-Comment-Date: Fri, 25 Mar 2022 15:11:57 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/18351 )

Change subject: IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server
......................................................................


Patch Set 3: Verified-1

Build failed: https://jenkins.impala.io/job/gerrit-verify-dryrun/7966/



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I497ccf6fcfb397fc961c3422a34128894604d1e4
Gerrit-Change-Number: 18351
Gerrit-PatchSet: 3
Gerrit-Owner: Zoltan Borok-Nagy <bo...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Joe McDonnell <jo...@cloudera.com>
Gerrit-Reviewer: Riza Suminto <ri...@cloudera.com>
Gerrit-Comment-Date: Fri, 25 Mar 2022 16:18:52 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/18351 )

Change subject: IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server
......................................................................


Patch Set 3:

Build started: https://jenkins.impala.io/job/gerrit-verify-dryrun/7967/ DRY_RUN=false



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I497ccf6fcfb397fc961c3422a34128894604d1e4
Gerrit-Change-Number: 18351
Gerrit-PatchSet: 3
Gerrit-Owner: Zoltan Borok-Nagy <bo...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Joe McDonnell <jo...@cloudera.com>
Gerrit-Reviewer: Riza Suminto <ri...@cloudera.com>
Gerrit-Comment-Date: Fri, 25 Mar 2022 16:49:07 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/18351 )

Change subject: IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server
......................................................................


Patch Set 4: Code-Review+2



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I497ccf6fcfb397fc961c3422a34128894604d1e4
Gerrit-Change-Number: 18351
Gerrit-PatchSet: 4
Gerrit-Owner: Zoltan Borok-Nagy <bo...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Joe McDonnell <jo...@cloudera.com>
Gerrit-Reviewer: Riza Suminto <ri...@cloudera.com>
Gerrit-Comment-Date: Sat, 26 Mar 2022 19:12:56 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/18351 )

Change subject: IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server
......................................................................

IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server

SSL renegotiation has had a couple of CVEs in the past. This patch
disables TLS ciphers renegotiation for TLSv1.2 and prior protocol
versions in the Impala Thrift server. Renegotiation is not possible in
a TLSv1.3 connection.

This patch disables renegotiations by using a patched version of Thrift.

Change-Id: I497ccf6fcfb397fc961c3422a34128894604d1e4
Reviewed-on: http://gerrit.cloudera.org:8080/18351
Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>
---
M bin/impala-config.sh
1 file changed, 2 insertions(+), 2 deletions(-)

Approvals:
  Impala Public Jenkins: Looks good to me, approved; Verified


Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I497ccf6fcfb397fc961c3422a34128894604d1e4
Gerrit-Change-Number: 18351
Gerrit-PatchSet: 5
Gerrit-Owner: Zoltan Borok-Nagy <bo...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Joe McDonnell <jo...@cloudera.com>
Gerrit-Reviewer: Riza Suminto <ri...@cloudera.com>

[Impala-ASF-CR] IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/18351 )

Change subject: IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server
......................................................................


Patch Set 4:

Build started: https://jenkins.impala.io/job/gerrit-verify-dryrun/7972/ DRY_RUN=false



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I497ccf6fcfb397fc961c3422a34128894604d1e4
Gerrit-Change-Number: 18351
Gerrit-PatchSet: 4
Gerrit-Owner: Zoltan Borok-Nagy <bo...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Joe McDonnell <jo...@cloudera.com>
Gerrit-Reviewer: Riza Suminto <ri...@cloudera.com>
Gerrit-Comment-Date: Sun, 27 Mar 2022 11:06:58 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/18351 )

Change subject: IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server
......................................................................


Patch Set 4: Verified-1

Build failed: https://jenkins.impala.io/job/gerrit-verify-dryrun/7971/



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I497ccf6fcfb397fc961c3422a34128894604d1e4
Gerrit-Change-Number: 18351
Gerrit-PatchSet: 4
Gerrit-Owner: Zoltan Borok-Nagy <bo...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Joe McDonnell <jo...@cloudera.com>
Gerrit-Reviewer: Riza Suminto <ri...@cloudera.com>
Gerrit-Comment-Date: Sat, 26 Mar 2022 23:44:08 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/18351 )

Change subject: IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server
......................................................................


Patch Set 2: Code-Review+2



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I497ccf6fcfb397fc961c3422a34128894604d1e4
Gerrit-Change-Number: 18351
Gerrit-PatchSet: 2
Gerrit-Owner: Zoltan Borok-Nagy <bo...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Joe McDonnell <jo...@cloudera.com>
Gerrit-Reviewer: Riza Suminto <ri...@cloudera.com>
Gerrit-Comment-Date: Fri, 25 Mar 2022 10:23:23 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/18351 )

Change subject: IMPALA-11195 (part 2): Disable SSL session renegotiations in the Thrift server
......................................................................


Patch Set 2: Verified-1

Build failed: https://jenkins.impala.io/job/gerrit-verify-dryrun/7965/



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I497ccf6fcfb397fc961c3422a34128894604d1e4
Gerrit-Change-Number: 18351
Gerrit-PatchSet: 2
Gerrit-Owner: Zoltan Borok-Nagy <bo...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Joe McDonnell <jo...@cloudera.com>
Gerrit-Reviewer: Riza Suminto <ri...@cloudera.com>
Gerrit-Comment-Date: Fri, 25 Mar 2022 14:55:17 +0000
Gerrit-HasComments: No