[
https://issues.apache.org/jira/browse/IMPALA-5696?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Henry Robinson resolved IMPALA-5696.
------------------------------------
Resolution: Fixed
Fix Version/s: Impala 2.10.0
https://github.com/apache/incubator-impala/commit/68df21b426feca8e7a458152d8dca1b7e1335bcb
IMPALA-5696: Enable cipher configuration when using TLS / Thrift
The 'cipher suite' is a description of the set of algorithms used by SSL
and TLS to execute key exchange, encryption, message authentication, and
random number generation functions. SSL implementations allow the cipher
suite to be configured so that ciphers may be removed from the whitelist
if they are shown to be weak.
* Add a flag --ssl_cipher_list which controls cipher selection for both
thrift servers and clients. Default is blank, which means use all
available cipher suites.
* Add ThriftServerBuilder to simplify construction of
ThriftServers (whose constructors were otherwise getting very long).
Testing: new tests added to thrift-server-test. Test cases added follow:
* A client cannot connect to a server which does not have any ciphers in
common with it.
* If ciphers are identical on clients and servers, that ssl connections
can be made.
* Bad cipher strings lead to errors on both client and server.
> Enable cipher configuration when using TLS w/Thrift
> ---------------------------------------------------
>
> Key: IMPALA-5696
> URL: https://issues.apache.org/jira/browse/IMPALA-5696
> Project: IMPALA
> Issue Type: Improvement
> Components: Distributed Exec
> Affects Versions: Impala 2.6.0, Impala 2.7.0, Impala 2.8.0, Impala 2.9.0
> Reporter: Henry Robinson
> Assignee: Henry Robinson
> Fix For: Impala 2.10.0
>
>
> Thrift's {{TSSLSocketFactory}} has a {{cipher()}} method that we can use to
> configure the ciphers used by OpenSSL. We just need to connect it up to a
> flag that the user provides.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
