Repository: kudu Updated Branches: refs/heads/master d4b1ea9d5 -> 8389f482b
ssl: switch to older APIs for initializing SSL
This enables support for OpenSSL 1.0.0 as found on RHEL 6.4.
Change-Id: I08fd5c3f6f8d2c228f760604dcecd7f1439578fb
Reviewed-on: http://gerrit.cloudera.org:8080/4957
Reviewed-by: Dan Burkert <[email protected]>
Tested-by: Kudu Jenkins
Project: http://git-wip-us.apache.org/repos/asf/kudu/repo
Commit: http://git-wip-us.apache.org/repos/asf/kudu/commit/81f645c5
Tree: http://git-wip-us.apache.org/repos/asf/kudu/tree/81f645c5
Diff: http://git-wip-us.apache.org/repos/asf/kudu/diff/81f645c5
Branch: refs/heads/master
Commit: 81f645c56e1aba2743c014c67a61b71208b057ae
Parents: d4b1ea9
Author: Todd Lipcon <[email protected]>
Authored: Fri Nov 4 14:52:38 2016 -0700
Committer: Todd Lipcon <[email protected]>
Committed: Fri Nov 4 23:18:01 2016 +0000
----------------------------------------------------------------------
src/kudu/util/net/ssl_factory.cc | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/kudu/blob/81f645c5/src/kudu/util/net/ssl_factory.cc
----------------------------------------------------------------------
diff --git a/src/kudu/util/net/ssl_factory.cc b/src/kudu/util/net/ssl_factory.cc
index 68aa963..8751d77 100644
--- a/src/kudu/util/net/ssl_factory.cc
+++ b/src/kudu/util/net/ssl_factory.cc
@@ -75,13 +75,21 @@ SSLFactory::~SSLFactory() {
 Status SSLFactory::Init() {
   CHECK(!ctx_.get());
-  ctx_.reset(SSL_CTX_new(TLSv1_2_method()));
-  if (ctx_ == nullptr) {
+  // NOTE: 'SSLv23 method' sounds like it would enable only SSLv2 and SSLv3, but in fact
+  // this is a sort of wildcard which enables all methods (including TLSv1 and later).
+  // We explicitly disable SSLv2 and SSLv3 below so that only TLS methods remain.
+  // See the discussion on https://trac.torproject.org/projects/tor/ticket/11598 for more
+  // info.
+  ctx_.reset(SSL_CTX_new(SSLv23_method()));
+  if (!ctx_) {
     return Status::RuntimeError("Could not create SSL context");
   }
   SSL_CTX_set_mode(ctx_.get(), SSL_MODE_AUTO_RETRY);
-  SSL_CTX_set_options(ctx_.get(),
-      SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
+
+  // Disable SSLv2 and SSLv3 which are vulnerable to various issues such as POODLE.
+  // We support versions back to TLSv1.0 since OpenSSL on RHEL 6.4 and earlier does not
+  // not support TLSv1.1 or later.
+  SSL_CTX_set_options(ctx_.get(), SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
   SSL_CTX_set_verify(ctx_.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_CLIENT_ONCE, nullptr);
   return Status::OK();
