[ https://issues.apache.org/jira/browse/IMPALA-10069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17583719#comment-17583719 ]

ASF subversion and git services commented on IMPALA-10069:
----------------------------------------------------------
Commit e4a98d81245c3dbca56575c28940aa973ec20a48 in impala's branch
refs/heads/master from Joe McDonnell
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=e4a98d812 ]

IMPALA-10069: Support TLS 1.3 ciphersuites

OpenSSL 1.1.1 adds support for TLS 1.3. TLS 1.3 has a new
set of cipher suites that are maintained separately from
the TLS 1.2 ciphers. This caused test failures on tests
that expected failures when setting invalid TLS 1.2 ciphers.
It also rendered some success test cases invalid, because
the TLS 1.3 ciphers would work even if TLS 1.2 didn't.

This adds the tls_ciphersuites startup parameter, which
customizes the TLS 1.3 cipher suites. tls_ciphersuites is
only effective when Impala is built for a system with OpenSSL
1.1.1 or above.

This uses tls_ciphersuites to fix the existing TLS 1.2 cipher
tests. It also adds a set of tests for TLS 1.3 cipher suites.

KRPC and the webserver now support ssl_minimum_version=tlsv1.3.
However, Thrift does not support this configuration yet, so
this is not supported for impalad yet. To support TLS 1.3 tests
on Thrift, this adds a disable_tls12 option to ThriftServer
and ThriftClient. This will be removed when
ssl_minimum_version=tlsv1.3 is supported.

Testing:
- Ran the backend tests with TLS checks (rpc-mgr-test, rpc-mgr-kerberized-test,
  webserver-test, and thrift-server-test) on Ubuntu 18 and Ubuntu 20
- Added tests for tls_ciphersuites in rpc-mgr-test and thrift-server-test
- Ran a core test on Centos 7
- Ran a core test on Ubuntu 16

Change-Id: I6974dae7fb429599847165614adc4eaaf338f744
Reviewed-on: http://gerrit.cloudera.org:8080/18316
Reviewed-by: Wenzhe Zhou <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>

> Cipher-specific BE tests fail on Ubuntu 18.04
> ---------------------------------------------
>
> Key: IMPALA-10069
> URL: https://issues.apache.org/jira/browse/IMPALA-10069
> Project: IMPALA
> Issue Type: Bug
> Components: Backend
> Affects Versions: Impala 4.0.0
> Reporter: Laszlo Gaal
> Priority: Critical
> Labels: broken-build, ramp-up
>
> When BE tests run on Ubuntu 18.04, the following BE tests fail:
> * RpcMgrTest.BadCiphersTls
> * SslTest.BadCiphers
> * SslTest.MismatchedCiphers
> * Webserver.SslCipherSuite
> These failures were observed both in Docker-based and in standalone builds;
> see e.g.
> https://jenkins.impala.io/job/ubuntu-18.04-from-scratch/33/testReport/
> Since Ubuntu 18.04 builds are not (yet) part of the precommit test suite, the
> priority is only raised to P2 (critical).
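
The separation the commit message describes can be observed from Python's `ssl` module, whose `set_ciphers()` wraps OpenSSL's `SSL_CTX_set_cipher_list()` and therefore only edits the TLS 1.2-and-below list. This is an added example, not part of the original message or of Impala's code; the function names and the two cipher strings are constructed for illustration, and it assumes an interpreter linked against OpenSSL 1.1.1 or later.

```python
import ssl


def enabled(cipher_string, side):
    """Apply an OpenSSL cipher string (the TLS 1.2-and-below list) to a fresh
    context and return the enabled suites as {"tls13": set, "older": set}."""
    proto = ssl.PROTOCOL_TLS_SERVER if side == "server" else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    ctx.set_ciphers(cipher_string)  # does not touch the TLS 1.3 suites
    groups = {"tls13": set(), "older": set()}
    for cipher in ctx.get_ciphers():
        key = "tls13" if cipher["protocol"] == "TLSv1.3" else "older"
        groups[key].add(cipher["name"])
    return groups


def shared_suites(server_ciphers, client_ciphers):
    """Suites both peers still offer, per protocol group. An empty "older" set
    means no TLS 1.2 suite is in common; a non-empty "tls13" set means the
    peers still have a TLS 1.3 suite in common to negotiate."""
    server = enabled(server_ciphers, "server")
    client = enabled(client_ciphers, "client")
    return {key: server[key] & client[key] for key in server}


# Constructed sample: deliberately mismatched TLS 1.2 cipher strings, the kind
# of input a "mismatched ciphers" test uses when it expects a handshake failure.
SERVER_CIPHERS = "ECDHE-RSA-AES128-GCM-SHA256"
CLIENT_CIPHERS = "ECDHE-RSA-AES256-GCM-SHA384"

if __name__ == "__main__":
    common = shared_suites(SERVER_CIPHERS, CLIENT_CIPHERS)
    print("shared TLS 1.2-and-below suites:", sorted(common["older"]))
    print("shared TLS 1.3 suites:", sorted(common["tls13"]))
```

An empty `older` set next to a non-empty `tls13` set is the condition under which the TLS 1.3 suites "would work even if TLS 1.2 didn't", which is why the TLS 1.3 list needs its own setting.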