

The following commit(s) were added to refs/heads/master by this push:
     new 09182c8  Backport KUDU-2871 (part 1): disable TLS 1.3.
09182c8 is described below

commit 09182c8ba4284c758201bfdb41c70cee0cab9e75
Author: Csaba Ringhofer <csringho...@cloudera.com>
AuthorDate: Thu Jun 20 16:57:27 2019 +0200

    Backport KUDU-2871 (part 1): disable TLS 1.3.
    
    Change-Id: Iae77e06906e01d8442e0f767e7f920bd330cc5da
    Reviewed-on: http://gerrit.cloudera.org:8080/13689
    Reviewed-by: Todd Lipcon <t...@apache.org>
    Reviewed-by: Alexey Serbin <aser...@cloudera.com>
    Tested-by: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
---
 be/src/kudu/rpc/client_negotiation.cc | 4 +++-
 be/src/kudu/security/tls_context.cc   | 7 +++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/be/src/kudu/rpc/client_negotiation.cc b/be/src/kudu/rpc/client_negotiation.cc
index 02175f6..c405687 100644
--- a/be/src/kudu/rpc/client_negotiation.cc
+++ b/be/src/kudu/rpc/client_negotiation.cc
@@ -473,7 +473,9 @@ Status ClientNegotiation::HandleTlsHandshake(const NegotiatePB& response) {
     return Status::NotAuthorized("expected TLS_HANDSHAKE step",
                                  NegotiatePB::NegotiateStep_Name(response.step()));
   }
-  TRACE("Received TLS_HANDSHAKE response from server");
+  if (!response.tls_handshake().empty()) {
+    TRACE("Received TLS_HANDSHAKE response from server");
+  }
 
   if (PREDICT_FALSE(!response.has_tls_handshake())) {
   return Status::NotAuthorized("No TLS handshake token in TLS_HANDSHAKE response from server");
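Review bot: The new guard on the third added line reads `response.tls_handshake()` before the `has_tls_handshake()` presence check that still sits at the bottom of the hunk, so an unset token is silently untraced and then rejected, while a present-but-empty token passes both checks with no trace at all. Protobuf accessors return the default empty string for an unset field, so the ordering is not a crash risk, but it hides exactly the case someone reading the trace would want to see; I would place the conditional TRACE after the `has_tls_handshake` guard and say why an empty token is expected, e.g. `// The server may legitimately send an empty token; trace only when there is payload.` I am inferring from the KUDU-2871 title that the empty-token case comes from the TLS 1.3 handshake shape, which the hunk itself does not state, and that is the reason a why-comment is worth adding. HandleTlsHandshake begins before and continues after this hunk.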
diff --git a/be/src/kudu/security/tls_context.cc b/be/src/kudu/security/tls_context.cc
index 9bf433d..a01b779 100644
--- a/be/src/kudu/security/tls_context.cc
+++ b/be/src/kudu/security/tls_context.cc
@@ -61,6 +61,9 @@
 #ifndef SSL_OP_NO_TLSv1_1
 #define SSL_OP_NO_TLSv1_1 0x10000000U
 #endif
+#ifndef SSL_OP_NO_TLSv1_3
+#define SSL_OP_NO_TLSv1_3 0x20000000U
+#endif
 #ifndef TLS1_1_VERSION
 #define TLS1_1_VERSION 0x0302
 #endif
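Review bot: The fallback `#define SSL_OP_NO_TLSv1_3 0x20000000U` only takes effect on OpenSSL headers that predate TLS 1.3, and on those libraries the bit is not guaranteed to be a no-op — older OpenSSL releases may assign the same value to a different legacy option flag, so the build would set an unintended option rather than harmlessly disable nothing. Since a library without the macro cannot negotiate TLS 1.3 anyway, the safer fallback is `#define SSL_OP_NO_TLSv1_3 0U`, or at minimum a comment recording where the value came from, e.g. `// Value from OpenSSL 1.1.1; older libraries have no TLS 1.3, so this exists only to compile.` The same consideration applies to the existing TLSv1_1 fallback directly above, so whichever approach is chosen should be applied to both for consistency.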
@@ -165,6 +168,10 @@ Status TlsContext::Init() {
                                    tls_min_protocol_);
   }
 
+  // We don't currently support TLS 1.3 because the one-and-a-half-RTT negotiation
+  // confuses our RPC negotiation protocol. See KUDU-2871.
+  options |= SSL_OP_NO_TLSv1_3;
+
   SSL_CTX_set_options(ctx_.get(), options);
 
   OPENSSL_RET_NOT_OK(
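Review bot: `options |= SSL_OP_NO_TLSv1_3` is applied unconditionally after `tls_min_protocol_` has already been used to set the lower bound a few lines above, so a configuration whose minimum protocol is TLS 1.3 would be left with no negotiable version and every handshake would fail with an opaque OpenSSL error instead of a configuration error at startup. Init() should reject that combination explicitly, e.g. `if (tls_min_protocol_ == "TLSv1.3") return Status::InvalidArgument("TLS 1.3 is not supported as a minimum protocol (KUDU-2871)");` — adjust the comparison to whatever form `tls_min_protocol_` is held in, which this hunk does not show. The comment should also make clear that this is a deliberate ceiling at TLS 1.2 pending the rest of KUDU-2871, since a protocol cap like this is easy to mistake later for a compatibility shim and leave in place after the negotiation issue is fixed. TlsContext::Init() begins before and continues after this hunk.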
