Jason Fehr created IMPALA-14625:
-----------------------------------
Summary: Startup Failure on Invalid TLS v1.3 CipherSuite and
OpenSSL 1.1.1
Key: IMPALA-14625
URL: https://issues.apache.org/jira/browse/IMPALA-14625
Project: IMPALA
Issue Type: Improvement
Reporter: Jason Fehr
OpenSSL has different behavior for the SSL_CTX_set_ciphersuites() function
between OpenSSL 1.1.1 and 3.x. The OpenSSL docs say invalid ciphersuites
passed to this function will be ignored. On OpenSSL 3.x, that is accurate. On
OpenSSL 1.1.1, the SSL_CTX_set_ciphersuites() function returns an error. This
situation results in Impala failing to start with an error like:
{noformat}
F20251211 13:42:38.463414 1125299 impalad-main.cc:78] Could not build
messenger: Runtime error: failed to set TLSv1.3 ciphers:
TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:foobar:
error:1426E0B9:SSL routines:ciphersuite_cb:no cipher
match:../ssl/ssl_ciph.c:1294
{noformat}
This error is confusing since some ciphersuites are valid. Need to provide
a better error message.
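One way to produce the clearer message the issue asks for, as an added example that is not Impala's or OpenSSL's own code: check each colon-separated entry before calling SSL_CTX_set_ciphersuites() and name the entries that fail. The function names are hypothetical, and the static list of the five RFC 8446 suite names is an assumption, since a given OpenSSL build may accept a different set.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Assumption: the five TLS 1.3 suite names from RFC 8446. A given OpenSSL
// build may accept a different set, so treat this as a pre-check only.
static const char* const kTls13Suites[] = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256"};

// Exact, case-sensitive match against the list above.
bool IsKnownTls13Suite(const std::string& name) {
  for (const char* known : kTls13Suites) {
    if (name == known) return true;
  }
  return false;
}

// Splits a colon-separated list and returns the entries that are not known,
// in input order. Empty entries are skipped (a choice made for this example).
std::vector<std::string> UnknownTls13Suites(const std::string& list) {
  std::vector<std::string> unknown;
  std::string::size_type pos = 0;
  while (pos < list.size()) {
    std::string::size_type end = list.find(':', pos);
    if (end == std::string::npos) end = list.size();
    std::string name = list.substr(pos, end - pos);
    if (!name.empty() && !IsKnownTls13Suite(name)) unknown.push_back(name);
    pos = end + 1;
  }
  return unknown;
}

// Returns "" when every entry is known, otherwise a message naming each
// rejected entry so the operator does not have to guess which one failed.
std::string DescribeCipherSuiteError(const std::string& list) {
  std::vector<std::string> unknown = UnknownTls13Suites(list);
  if (unknown.empty()) return "";
  std::string msg = "unrecognized TLSv1.3 ciphersuite(s):";
  for (const std::string& name : unknown) msg += " '" + name + "'";
  return msg + " in list '" + list + "'";
}

int main() {
  // Constructed input mirroring the ciphersuite list in the log above.
  std::cout << DescribeCipherSuiteError(
      "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:"
      "TLS_CHACHA20_POLY1305_SHA256:foobar") << "\n";
  return 0;
}
```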