[
https://issues.apache.org/jira/browse/IMPALA-14625?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jason Fehr updated IMPALA-14625:
--------------------------------
Description:
OpenSSL has different behavior for the SSL_CTX_set_ciphersuites() function
between OpenSSL 1.1.1 and 3.x. The OpenSSL docs say invalid ciphersuites
passed to this function will be ignored. On OpenSSL 3.x, that is accurate. On
OpenSSL 1.1.1, the SSL_CTX_set_ciphersuites() function returns an error. This
situation results in Impala failing to start with an error like:
{noformat}
F20251211 13:42:38.463414 1125299 impalad-main.cc:78] Could not build
messenger: Runtime error: failed to set TLSv1.3 ciphers:
TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:foobar:
error:1426E0B9:SSL routines:ciphersuite_cb:no cipher
match:../ssl/ssl_ciph.c:1294
{noformat}
This error is confusing since some ciphersuites are valid. Need to provide
a better error message.
Possible solutions:
1. Update the error message in
[tls_context.cc|https://github.com/apache/impala/blob/9d112dae23870b6729473047da94f1bc0ea89ceb/be/src/kudu/security/tls_context.cc#L277]
to be "failed to set TLSv1.3 ciphers, ensure this list contains only TLS v1.3
ciphersuites and does not contain any TLS v1.2 ciphersuites: $0"
2. Parse the provided list of TLS v1.3 ciphersuites and use the OpenSSL API to
check if each ciphersuite is a valid TLS v1.3 ciphersuite.
was:
OpenSSL has different behavior for the SSL_CTX_set_ciphersuites() function
between OpenSSL 1.1.1 and 3.x. The OpenSSL docs say invalid ciphersuites
passed to this function will be ignored. On OpenSSL 3.x, that is accurate. On
OpenSSL 1.1.1, the SSL_CTX_set_ciphersuites() function returns an error. This
situation results in Impala failing to start with an error like:
{noformat}
F20251211 13:42:38.463414 1125299 impalad-main.cc:78] Could not build
messenger: Runtime error: failed to set TLSv1.3 ciphers:
TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:foobar:
error:1426E0B9:SSL routines:ciphersuite_cb:no cipher
match:../ssl/ssl_ciph.c:1294
{noformat}
This error is confusing since some ciphersuites are valid. Need to provide
a better error message.
> Startup Failure on Invalid TLS v1.3 CipherSuite and OpenSSL 1.1.1
> -----------------------------------------------------------------
>
> Key: IMPALA-14625
> URL: https://issues.apache.org/jira/browse/IMPALA-14625
> Project: IMPALA
> Issue Type: Improvement
> Reporter: Jason Fehr
> Priority: Critical
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
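The per-ciphersuite validation sketched in solution 2, as an added example that is not Impala's code and is written in Python rather than the C++ of tls_context.cc: it asks the OpenSSL linked into Python which suites it reports as TLSv1.3 (Python's ssl wrapper around SSL_CTX_get_ciphers) instead of calling SSL_CTX_set_ciphersuites directly, so the outcome does not depend on the 1.1.1 versus 3.x difference. The input list mirrors the one in the log above, and the error wording follows solution 1; the function names are assumptions.

```python
import ssl


def tls13_ciphersuites_supported():
    """Names the linked OpenSSL reports as TLSv1.3 ciphersuites.

    get_ciphers() is Python's view of SSL_CTX_get_ciphers(); the
    'protocol' field distinguishes TLS 1.3 suites from TLS 1.2 ones.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return {c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3"}


def check_tls13_ciphersuites(spec, supported=None):
    """Split a colon-separated list and return (valid, invalid) names.

    `supported` may be injected (e.g. for tests); by default it is the
    live set from the linked OpenSSL. Empty tokens (a trailing ':' as in
    the log line) are tolerated rather than reported as invalid.
    """
    if supported is None:
        supported = tls13_ciphersuites_supported()
    valid, invalid = [], []
    for name in spec.split(":"):
        if not name:
            continue
        (valid if name in supported else invalid).append(name)
    return valid, invalid


def tls13_ciphersuite_error(spec, supported=None):
    """Return the solution-1 style message naming the bad entries, or None.

    Message wording is an assumption modelled on the proposed text.
    """
    _, invalid = check_tls13_ciphersuites(spec, supported)
    if not invalid:
        return None
    return ("failed to set TLSv1.3 ciphers, ensure this list contains only "
            "TLS v1.3 ciphersuites and does not contain any TLS v1.2 "
            "ciphersuites: " + spec + " (not TLS v1.3 ciphersuites: "
            + ", ".join(invalid) + ")")


if __name__ == "__main__":
    # Constructed input matching the startup log above (trailing ':' kept).
    SPEC = ("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:"
            "TLS_CHACHA20_POLY1305_SHA256:foobar:")
    print(tls13_ciphersuite_error(SPEC))
```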