[ https://issues.apache.org/jira/browse/IMPALA-5696?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Henry Robinson resolved IMPALA-5696.
------------------------------------
       Resolution: Fixed
    Fix Version/s: Impala 2.10.0

https://github.com/apache/incubator-impala/commit/68df21b426feca8e7a458152d8dca1b7e1335bcb

IMPALA-5696: Enable cipher configuration when using TLS / Thrift

The 'cipher suite' is a description of the set of algorithms used by SSL and
TLS to execute key exchange, encryption, message authentication, and random
number generation functions. SSL implementations allow the cipher suite to be
configured so that ciphers may be removed from the whitelist if they are shown
to be weak.

* Add a flag --ssl_cipher_list which controls cipher selection for both
  thrift servers and clients. Default is blank, which means use all available
  cipher suites.
* Add ThriftServerBuilder to simplify construction of ThriftServers (whose
  constructors were otherwise getting very long).

Testing: new tests added to thrift-server-test. Test cases added follow:

* A client cannot connect to a server which does not have any ciphers in
  common with it.
* If ciphers are identical on clients and servers, that ssl connections can be
  made.
* Bad cipher strings lead to errors on both client and server.

> Enable cipher configuration when using TLS w/Thrift
> ---------------------------------------------------
>
>                 Key: IMPALA-5696
>                 URL: https://issues.apache.org/jira/browse/IMPALA-5696
>             Project: IMPALA
>          Issue Type: Improvement
>          Components: Distributed Exec
>    Affects Versions: Impala 2.6.0, Impala 2.7.0, Impala 2.8.0, Impala 2.9.0
>            Reporter: Henry Robinson
>            Assignee: Henry Robinson
>             Fix For: Impala 2.10.0
>
>
> Thrift's {{TSSLSocketFactory}} has a {{cipher()}} method that we can use to
> configure the ciphers used by OpenSSL. We just need to connect it up to a
> flag that the user provides.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
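
The three test cases in the commit message can be checked ahead of a rollout by asking OpenSSL what a candidate cipher string expands to. The following is an added example, not code from the Impala commit: it uses Python's ssl module, the function names enabled_suites and check_pair are hypothetical, and the sample cipher strings are constructed. It assumes the value passed to --ssl_cipher_list is an OpenSSL cipher string, as the issue text indicates.

```python
import ssl


def enabled_suites(cipher_list):
    """Return the names of the TLS <= 1.2 suites an OpenSSL cipher string enables.

    Raises ssl.SSLError when the string selects no cipher at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if cipher_list:
        ctx.set_ciphers(cipher_list)
    # A blank list keeps the library defaults, mirroring the flag's blank default.
    # OpenSSL cipher strings do not govern TLS 1.3 suites, so those are left out:
    # the result describes connections negotiated at TLS 1.2 or below.
    return {c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def check_pair(server_list, client_list):
    """Classify a server/client cipher-list pair.

    Returns (status, common) where status is one of:
      "invalid"          - a string was rejected by OpenSSL (bad cipher string)
      "no-common-cipher" - both parse, but a handshake would find no shared suite
      "ok"               - at least one suite is shared
    """
    try:
        server = enabled_suites(server_list)
        client = enabled_suites(client_list)
    except ssl.SSLError:
        return ("invalid", set())
    common = server & client
    return ("ok" if common else "no-common-cipher", common)


if __name__ == "__main__":
    # Constructed sample values, one per case listed in the commit message.
    samples = [
        ("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"),
        ("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256"),
        ("this_is_not_a_cipher", "ECDHE-RSA-AES128-GCM-SHA256"),
    ]
    for server_list, client_list in samples:
        status, common = check_pair(server_list, client_list)
        print(f"server={server_list!r} client={client_list!r} -> {status} {sorted(common)}")
```
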