[
https://issues.apache.org/jira/browse/IMPALA-11195?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17754885#comment-17754885
]
ASF subversion and git services commented on IMPALA-11195:
----------------------------------------------------------
Commit ddcdfc2200c7d605b07d443ba911f89c48ecee39 in impala's branch
refs/heads/master from Zoltan Borok-Nagy
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=ddcdfc220 ]
IMPALA-11195: Disable SSL renegotiations for OpenSSL 1.0.2.
When OpenSSL 1.0.2 was being used, Impala didn't disable SSL
renegotiations correctly. It wasn't enough to set the flag
SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS right after SSL_new(), as
due to an OpenSSL bug the SSL flags get reset in SSL_accept().
See https://github.com/openssl/openssl/discussions/21666
With this patch the following happens depending on the OpenSSL version:
* OpenSSL 1.0.2: we set the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag in
a callback function the same way as it is being set in various
open source projects
* OpenSSL 1.1.0h+: we set the SSL_OP_NO_RENEGOTIATION option in the
SSL_CTX object
* OpenSSL versions between the above two: we raise either a compile-time
error (when compiled with such a version) or a runtime warning (when
Impala is running with such a version)
This patch also upgrades the native toolchain version to have a Thrift
that is fixed the same way.
Testing:
* manually tested on CentOS 7.9 with
>openssl s_client -connect <host>:<port>
>R
Initially it outputs that "Secure Renegotiation IS supported" because
we can only set the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag after the
handshake, but then prompting "R" doesn't do the renegotiation.
Without these changes "R" renegotiates.
Change-Id: I6fd6a8dedcbca8f50a16dbe68ebd8303e3e5aed1
Reviewed-on: http://gerrit.cloudera.org:8080/20360
Reviewed-by: Impala Public Jenkins <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
> Disable SSL session renegotiation
> ---------------------------------
>
> Key: IMPALA-11195
> URL: https://issues.apache.org/jira/browse/IMPALA-11195
> Project: IMPALA
> Issue Type: Bug
> Components: Backend
> Reporter: Zoltán Borók-Nagy
> Assignee: Zoltán Borók-Nagy
> Priority: Major
> Fix For: Impala 4.1.0
>
>
> SSL renegotiation has had a couple of CVEs in the past. We should figure out
> how to disable it.
> Kudu disabled SSL renegotiations in KUDU-1926, so we can do something similar.
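The version-dependent decision the commit message describes (1.0.2: post-handshake callback; 1.1.0h+: SSL_OP_NO_RENEGOTIATION on the context; anything in between: warn), written here as an added example against Python's stdlib ssl module rather than Impala's C++ backend. The version thresholds are the standard OPENSSL_VERSION_NUMBER encodings; Python offers no info-callback hook, so the 1.0.2 path can only be reported, not applied.

```python
"""Version-gated disabling of TLS renegotiation, modelled on IMPALA-11195."""
import ssl
import warnings

# OpenSSL encodes OPENSSL_VERSION_NUMBER as 0xMNNFFPPS
# (major, minor, fix, patch letter, status; 0xf = release).
OPENSSL_1_0_2 = 0x10002000    # first 1.0.2 build of any status
OPENSSL_1_1_0 = 0x10100000    # first 1.1.0 build of any status
OPENSSL_1_1_0H = 0x1010008F   # 1.1.0h release: SSL_OP_NO_RENEGOTIATION appears


def renegotiation_strategy(version_number: int) -> str:
    """Map an OPENSSL_VERSION_NUMBER to the approach the commit takes."""
    if OPENSSL_1_0_2 <= version_number < OPENSSL_1_1_0:
        # 1.0.2: SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS must be set from an info
        # callback after the handshake, because SSL_accept() resets the flags.
        return "callback"
    if version_number >= OPENSSL_1_1_0H:
        return "option"        # SSL_OP_NO_RENEGOTIATION on the SSL_CTX
    return "unsupported"       # 1.1.0 .. 1.1.0g (or older than 1.0.2)


def disable_renegotiation(ctx: ssl.SSLContext) -> bool:
    """Apply OP_NO_RENEGOTIATION when the linked OpenSSL provides it.

    Returns True when the option was set. The 1.0.2 callback path is not
    reachable from Python, so it falls through to the warning (assumption
    of this example: a deployment would treat that warning as a blocker).
    """
    strategy = renegotiation_strategy(ssl.OPENSSL_VERSION_NUMBER)
    if strategy == "option" and hasattr(ssl, "OP_NO_RENEGOTIATION"):
        ctx.options |= ssl.OP_NO_RENEGOTIATION
        return True
    warnings.warn(f"cannot disable TLS renegotiation with "
                  f"{ssl.OPENSSL_VERSION} (strategy: {strategy})")
    return False


def renegotiation_disabled(ctx: ssl.SSLContext) -> bool:
    """Check usable from a deploy or regression test: is the option set?"""
    opt = getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    return bool(opt) and bool(ctx.options & opt)


def make_server_context():
    """Build a server context and harden it; returns (ctx, option_applied)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    applied = disable_renegotiation(ctx)
    return ctx, applied
```

The s_client "R" test from the commit message remains the end-to-end check; this code verifies the context-level setting before the server ever accepts a connection.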
--
This message was sent by Atlassian Jira
(v8.20.10#820010)