Henry Robinson resolved IMPALA-5696.
       Resolution: Fixed
    Fix Version/s: Impala 2.10.0


IMPALA-5696: Enable cipher configuration when using TLS / Thrift
The 'cipher suite' is a description of the set of algorithms used by SSL
and TLS to execute key exchange, encryption, message authentication, and
random number generation functions. SSL implementations allow the cipher
suite to be configured so that ciphers may be removed from the whitelist
if they are shown to be weak.

* Add a flag --ssl_cipher_list which controls cipher selection for both
  thrift servers and clients. Default is blank, which means use all
  available cipher suites.
* Add ThriftServerBuilder to simplify construction of
  ThriftServers (whose constructors were otherwise getting very long).

Testing: new tests added to thrift-server-test. Test cases added follow:

* A client cannot connect to a server which does not have any ciphers in
  common with it.
* If ciphers are identical on clients and servers, that ssl connections
  can be made.
* Bad cipher strings lead to errors on both client and server.

> Enable cipher configuration when using TLS w/Thrift
> ---------------------------------------------------
>                 Key: IMPALA-5696
>                 URL: https://issues.apache.org/jira/browse/IMPALA-5696
>             Project: IMPALA
>          Issue Type: Improvement
>          Components: Distributed Exec
>    Affects Versions: Impala 2.6.0, Impala 2.7.0, Impala 2.8.0, Impala 2.9.0
>            Reporter: Henry Robinson
>            Assignee: Henry Robinson
>             Fix For: Impala 2.10.0
> Thrift's {{TSSLSocketFactory}} has a {{cipher()}} method that we can use to 
> configure the ciphers used by OpenSSL. We just need to connect it up to a 
> flag that the user provides. 

This message was sent by Atlassian JIRA

Reply via email to