[jira] [Commented] (IMPALA-11195) Disable SSL session renegotiation

Fri, 25 Mar 2022 08:01:39 -0700 


    [ 
https://issues.apache.org/jira/browse/IMPALA-11195?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17512421#comment-17512421
 ] 

ASF subversion and git services commented on IMPALA-11195:
----------------------------------------------------------

Commit 0dce419dbd073257d2352e556642f6239a76bb9b in impala's branch 
refs/heads/master from Zoltan Borok-Nagy
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=0dce419 ]

IMPALA-11195 (part 1): Disable SSL session renegotiations in the web server

SSL renegotiation has had a couple of CVEs in the past. This patch
disables TLS ciphers renegotiation for TLSv1.2 and prior protocol
versions in the Impala web server. Renegotiation is not possible in
a TLSv1.3 connection. Disabling renegotiations on the Thrift servers
require Thrift-side changes, hence this is handled in the
native-toolchain.

This change is based on KUDU-1926.

In case of OpenSSL version 1.1.0h and newer, we are
using SSL_OP_NO_RENEGOTIATION option to disable all renegotiations. In
case of OpenSSL version prior to 1.1.0a, the undocumented flag
SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS is used.

The moot point is the version interval between 1.1.0a and 1.1.0g
(inclusive): the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag is no longer
available from the application side, but SSL_OP_NO_RENEGOTIATION is not
yet present. So, if a server binary has been compiled with OpenSSL in
the specified version range, it's still advertising the renegotiation
option, even if it's run against OpenSSL 1.1.0h or later versions.

Change-Id: I1afbd6dfcad6b8fbc2e82763222996fabba207cf
Reviewed-on: http://gerrit.cloudera.org:8080/18346
Reviewed-by: Impala Public Jenkins <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>


> Disable SSL session renegotiation
> ---------------------------------
>
>                 Key: IMPALA-11195
>                 URL: https://issues.apache.org/jira/browse/IMPALA-11195
>             Project: IMPALA
>          Issue Type: Bug
>          Components: Backend
>            Reporter: Zoltán Borók-Nagy
>            Assignee: Zoltán Borók-Nagy
>            Priority: Major
>
> SSL renegotiations has had a couple of CVEs in the past. We should figure out 
> how to disable it.
> Kudu disabled SSL renegotations in KUDU-1926, so we can do something similar.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to