This is an automated email from the ASF dual-hosted git repository. joemcdonnell pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/impala.git
The following commit(s) were added to refs/heads/master by this push:
new 09182c8 Backport KUDU-2871 (part 1): disable TLS 1.3.
09182c8 is described below
commit 09182c8ba4284c758201bfdb41c70cee0cab9e75
Author: Csaba Ringhofer <csringho...@cloudera.com>
AuthorDate: Thu Jun 20 16:57:27 2019 +0200
Backport KUDU-2871 (part 1): disable TLS 1.3.
Change-Id: Iae77e06906e01d8442e0f767e7f920bd330cc5da
Reviewed-on: http://gerrit.cloudera.org:8080/13689
Reviewed-by: Todd Lipcon <t...@apache.org>
Reviewed-by: Alexey Serbin <aser...@cloudera.com>
Tested-by: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
---
 be/src/kudu/rpc/client_negotiation.cc | 4 +++-
 be/src/kudu/security/tls_context.cc | 7 +++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/be/src/kudu/rpc/client_negotiation.cc b/be/src/kudu/rpc/client_negotiation.cc
index 02175f6..c405687 100644
--- a/be/src/kudu/rpc/client_negotiation.cc
+++ b/be/src/kudu/rpc/client_negotiation.cc
@@ -473,7 +473,9 @@ Status ClientNegotiation::HandleTlsHandshake(const NegotiatePB& response) {
 return Status::NotAuthorized("expected TLS_HANDSHAKE step",
 NegotiatePB::NegotiateStep_Name(response.step()));
 }
- TRACE("Received TLS_HANDSHAKE response from server");
+ if (!response.tls_handshake().empty()) {
+ TRACE("Received TLS_HANDSHAKE response from server");
+ }
 
 if (PREDICT_FALSE(!response.has_tls_handshake())) {
 return Status::NotAuthorized("No TLS handshake token in TLS_HANDSHAKE response from server");
diff --git a/be/src/kudu/security/tls_context.cc b/be/src/kudu/security/tls_context.cc
index 9bf433d..a01b779 100644
--- a/be/src/kudu/security/tls_context.cc
+++ b/be/src/kudu/security/tls_context.cc
@@ -61,6 +61,9 @@
 #ifndef SSL_OP_NO_TLSv1_1
 #define SSL_OP_NO_TLSv1_1 0x10000000U
 #endif
+#ifndef SSL_OP_NO_TLSv1_3
+#define SSL_OP_NO_TLSv1_3 0x20000000U
+#endif
 #ifndef TLS1_1_VERSION
 #define TLS1_1_VERSION 0x0302
 #endif
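Review bot: The new guard keys the trace on `response.tls_handshake().empty()` while the presence check two lines below keys on `has_tls_handshake()`, so a present-but-empty handshake token passes the check and leaves no entry in the negotiation trace at all. That trace is the main tool for diagnosing a stalled or failed handshake on this path, so silently skipping the record makes the empty case harder to debug. Consider tracing it explicitly, e.g. `} else { TRACE("Received empty TLS_HANDSHAKE response from server"); }`, or at least a comment saying why an empty token is expected here (presumably a server-side behaviour this backport works around — inferred, not visible in the hunk). HandleTlsHandshake continues outside the hunk.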
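Review bot: The fallback `#define SSL_OP_NO_TLSv1_3 0x20000000U` is a bare magic number with no note of where it comes from, and it sits next to the existing TLSv1_1 fallback that has the same gap. Because the value is passed to `SSL_CTX_set_options` at runtime, the fallback only disables TLS 1.3 when the bit position matches the library actually loaded; against a library whose headers predate the symbol the bit may be unassigned or belong to a different `SSL_OP_*` flag, so the intent deserves recording. Suggested comment above the block: `// Mirrors the OpenSSL 1.1.1 definition; only needed when building against older headers but linking a TLS 1.3-capable library.`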
@@ -165,6 +168,10 @@ Status TlsContext::Init() {
 tls_min_protocol_);
 }
 
+ // We don't currently support TLS 1.3 because the one-and-a-half-RTT negotiation
+ // confuses our RPC negotiation protocol. See KUDU-2871.
+ options |= SSL_OP_NO_TLSv1_3;
+
 SSL_CTX_set_options(ctx_.get(), options);
 
 OPENSSL_RET_NOT_OK(
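Review bot: `options |= SSL_OP_NO_TLSv1_3;` is applied unconditionally after the block that derives `options` from `tls_min_protocol_`, and that block starts outside the hunk. If `tls_min_protocol_` can be configured to TLS 1.3, the two together leave no protocol version enabled and every handshake fails with a generic OpenSSL error instead of a clear configuration error; if the minimum is validated elsewhere, a one-line note here would save the next reader the check. The comment should also state that this is a deliberate cap at TLS 1.2 and under what condition it can be lifted, e.g. `// TODO(KUDU-2871): drop once the negotiation handles the extra TLS 1.3 round trip.` TlsContext::Init continues outside the hunk.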