[Impala-ASF-CR] IMPALA-6418: Find a reliable way to detect supported TLS versions

Mon, 22 Jan 2018 11:36:07 -0800 

Michael Ho has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/9060 )

Change subject: IMPALA-6418: Find a reliable way to detect supported TLS 
versions
......................................................................


Patch Set 3:

(2 comments)

http://gerrit.cloudera.org:8080/#/c/9060/3/be/src/rpc/thrift-server.cc
File be/src/rpc/thrift-server.cc:

http://gerrit.cloudera.org:8080/#/c/9060/3/be/src/rpc/thrift-server.cc@94
PS3, Line 94:   bool is_openssl_1_0_0_or_lower = (max_supported_tls_version < 
TLS1_1_VERSION);
            :   if (is_openssl_1_0_0_or_lower) return (protocol == TLSv1_0_plus 
|| protocol == TLSv1_0)
if (max_supported_tls_version < TLS_1_VERSION) {
   return protocol == TLSv1_0_plus || protocol == TLSv1_0;
}


http://gerrit.cloudera.org:8080/#/c/9060/3/be/src/rpc/thrift-server.cc@97
PS3, Line 97: // All other versions supported by OpenSSL 1.0.1 and later.
The old code made the assumption that Open SSL 1.0.1 or later will always 
support TLS 1.1 and TLS 1.2.

The new code is inferring the version by checking the max TLS version supported 
but this may break if there exists a version of the library which supports TLS 
1.1 but not TLS 1.2. I am not entirely sure if such a version exists but we 
don't have proof that it doesn't either.

I wonder if the code will be more robust if we do the following instead:

switch (max_supported_tls_version) {
   case TLS1_VERSION:
       return protocol == TLSv1_0_plus || protocol == TLSv1_0;
   case TLS1_1_VERSION:
       return protocol != TLSv1_2_plus && protocol != TLS_v1_2_0;
   default:
       return true;
}



--
To view, visit http://gerrit.cloudera.org:8080/9060
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Idd40219b7be5889b3c24457acdb79a28bdcd9bfb
Gerrit-Change-Number: 9060
Gerrit-PatchSet: 3
Gerrit-Owner: Sailesh Mukil <sail...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <d...@cloudera.com>
Gerrit-Reviewer: Michael Ho <k...@cloudera.com>
Gerrit-Reviewer: Philip Zeyliger <phi...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sail...@cloudera.com>
Gerrit-Comment-Date: Mon, 22 Jan 2018 19:35:52 +0000
Gerrit-HasComments: Yes

Reply via email to