Henry Robinson created IMPALA-5849:
--------------------------------------
Summary: Don't disable TLS configuration at compile-time even with
OpenSSL 1.0.0
Key: IMPALA-5849
URL: https://issues.apache.org/jira/browse/IMPALA-5849
Project: IMPALA
Issue Type: Improvement
Components: Backend
Affects Versions: Impala 2.10.0
Reporter: Henry Robinson
Assignee: Henry Robinson

IMPALA-5800, IMPALA-5775 and IMPALA-5743 added TLS configuration to Impala and
Squeasel. Since Impala is often built against different versions of OpenSSL
(with different TLS capabilities), we used compile-time definitions to avoid
using symbols from OpenSSL 1.0.1 that weren't available.

This works great if we can ensure that the machine on which Impala is built is
the same environment as the one on which it executes, but we have discovered
that the installed version of OpenSSL can vary between minor releases of Linux
distributions.

It appears possible to write the support for TLS 1.1+ in terms of symbols that
are available in OpenSSL 1.0.0 only. The only downside is that Impala can't
then tell whether or not the runtime supports TLS 1.2, and so the error
messages won't be quite as clear. However, the benefit of a single binary and
Thrift toolchain dependency for all supported versions of OpenSSL is well worth
it.