[ https://issues.apache.org/jira/browse/KUDU-2871?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17316393#comment-17316393 ]

ASF subversion and git services commented on KUDU-2871:
-------------------------------------------------------

Commit 0e1a1545b827d9a3d5d50fd3d54f60bdea83f40c in kudu's branch 
refs/heads/master from Alexey Serbin
[ https://gitbox.apache.org/repos/asf?p=kudu.git;h=0e1a154 ]

KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)

With this patch, the Kudu Java client is able to talk TLSv1.3 to the server
side.  Essentially, this is about adding TLSv1.3 ciphers into the list
of preferred cipher suites in Negotiator.java and sending a chunk of
data produced by the final TLSv1.3 handshake iteration to the server
when the client senses that the TLS handshake is done.

Prior to this patch, the Kudu Java client didn't support TLSv1.3 for RPC
because:
  * It didn't have ciphers required for TLSv1.3
  * It didn't send back the last chunk of data to the server side
    at the end of the TLS handshake process

The former is crucial to allow Kudu Java clients of prior versions
to talk with newer, TLSv1.3-capable Kudu servers.  In other words,
TLSv1.2 is the highest protocol version that Kudu Java clients of prior
versions are able to use even if talking to newer Kudu servers which
are now capable of talking TLSv1.3.

This patch also contains a new test scenario to verify the functionality
of TLSv1.3-enabled RPC between a Kudu Java client and a Kudu cluster.
The newly added scenario runs only if both the JVM and the node's
OpenSSL library support TLSv1.3.

Change-Id: I884170bdbded8b4017a80db34ecc0a755426c5c2
Reviewed-on: http://gerrit.cloudera.org:8080/17245
Tested-by: Alexey Serbin <aser...@cloudera.com>
Reviewed-by: Grant Henke <granthe...@apache.org>


> TLS 1.3 not supported by krpc
> -----------------------------
>
>                 Key: KUDU-2871
>                 URL: https://issues.apache.org/jira/browse/KUDU-2871
>             Project: Kudu
>          Issue Type: Bug
>          Components: master, rpc, security, tserver
>    Affects Versions: 1.8.0, 1.9.0, 1.9.1
>            Reporter: Todd Lipcon
>            Assignee: Alexey Serbin
>            Priority: Major
>
> The TLS negotiation in our RPC protocol assumes a whole number of round trips 
> between client and server. For TLS 1.3, the exchange has 1.5 round trips (the 
> client is the last sender rather than the server) which breaks negotiation. 
> Most tests thus fail with OpenSSL 1.1.1.
> We should temporarily disable TLS 1.3 and then fix RPC to support this.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
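
The handshake behaviour described in the commit message and in the issue can be observed with two in-memory `SSLEngine` instances. This is an added example, not code from the Kudu patch: it prints which call reports `FINISHED` on each side and whether that call left bytes that still have to be delivered to the peer. Assumptions: a JDK with TLSv1.3 support (11 or later) and `keytool` on the PATH; the class name, the `step` helper and the buffer names are this example's own.

```java
import static javax.net.ssl.SSLEngineResult.HandshakeStatus.*;
import java.io.File;
import java.nio.ByteBuffer;
import java.security.KeyStore;
import javax.net.ssl.*;
public class LastFlightDemo {
  public static void main(String[] args) throws Exception {
    // Constructed test material: a throwaway self-signed key made with the JDK's keytool.
    File p12 = new File(System.getProperty("java.io.tmpdir"), "demo-" + System.nanoTime() + ".p12");
    new ProcessBuilder("keytool", "-genkeypair", "-keyalg", "EC", "-dname", "CN=demo", "-storetype",
        "PKCS12", "-keystore", p12.getPath(), "-storepass", "changeit").inheritIO().start().waitFor();
    KeyStore ks = KeyStore.getInstance(p12, "changeit".toCharArray());
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(ks, "changeit".toCharArray());
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(ks);  // the self-signed certificate doubles as the trust anchor
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
    for (String proto : new String[] {"TLSv1.2", "TLSv1.3"}) {
      SSLEngine c = ctx.createSSLEngine(), s = ctx.createSSLEngine();
      for (SSLEngine e : new SSLEngine[] {c, s}) {
        e.setUseClientMode(e == c);
        e.setEnabledProtocols(new String[] {proto});  // pin one protocol version per run
        e.beginHandshake();
      }
      ByteBuffer c2s = ByteBuffer.allocate(1 << 16), s2c = ByteBuffer.allocate(1 << 16);
      for (int i = 0; i < 8; i++) {  // alternate sides; in-memory stand-in for the RPC exchange
        step(proto + " client", c, s2c, c2s);
        step(proto + " server", s, c2s, s2c);
      }
    }
  }

  // Drive one engine until it needs peer data; report the call that completed its handshake.
  static void step(String who, SSLEngine e, ByteBuffer in, ByteBuffer out) throws SSLException {
    in.flip();  // switch the inbound buffer from "peer writes" to "we read"
    while (true) {
      SSLEngineResult.HandshakeStatus hs = e.getHandshakeStatus();
      if (hs == NEED_TASK) { e.getDelegatedTask().run(); continue; }
      if (hs != NEED_WRAP && !(hs == NEED_UNWRAP && in.hasRemaining())) break;
      SSLEngineResult r = hs == NEED_WRAP ? e.wrap(ByteBuffer.allocate(0), out)
                                          : e.unwrap(in, ByteBuffer.allocate(1 << 16));
      if (r.getStatus() != SSLEngineResult.Status.OK) break;
      if (r.getHandshakeStatus() == FINISHED)
        System.out.println(who + ": FINISHED returned by " + (hs == NEED_WRAP
            ? "wrap(), " + r.bytesProduced() + " bytes still to send" : "unwrap(), nothing to send"));
    }
    in.compact();  // keep any unread bytes and return the buffer to write mode
  }
}
```

The client lines are the ones to compare: a negotiation loop that stops as soon as the client engine reports `FINISHED` and discards what that call wrote to the outbound buffer never delivers the client's last TLSv1.3 flight.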
