Sailesh Mukil has uploaded this change for review. ( http://gerrit.cloudera.org:8080/10529 )

Change subject: IMPALA-6990: TestClientSsl.test_tls_v12 failing due to Python SSL error
......................................................................

IMPALA-6990: TestClientSsl.test_tls_v12 failing due to Python SSL error

Spent some more time looking at this and found that 'requests' wasn't the culprit.

When we upgraded to thrift-0.9.3, the TSSLSocket.py logic changed quite a bit. Our RHEL7 machines come equipped with Python 2.7.5. Looking at these comments, that means that we'll be unable to create a 'SSLContext' but able to explicitly specify ciphers:
https://github.com/apache/thrift/blob/master/lib/py/src/transport/TSSLSocket.py#L37-L41

  # SSLContext is not available for Python < 2.7.9
  _has_ssl_context = sys.hexversion >= 0x020709F0

  # ciphers argument is not available for Python < 2.7.0
  _has_ciphers = sys.hexversion >= 0x020700F0

If we cannot create a 'SSLContext', then we cannot use TLSv1.2 and have to use TLSv1:
https://github.com/apache/thrift/blob/master/lib/py/src/transport/TSSLSocket.py#L48-L49

  # For python >= 2.7.9, use latest TLS that both client and server
  # supports.
  # SSL 2.0 and 3.0 are disabled via ssl.OP_NO_SSLv2 and ssl.OP_NO_SSLv3.
  # For python < 2.7.9, use TLS 1.0 since TLSv1_X nor OP_NO_SSLvX is
  # unavailable.
  _default_protocol = ssl.PROTOCOL_SSLv23 if _has_ssl_context else \
      ssl.PROTOCOL_TLSv1

Our custom cluster test forces the server to use TLSv1.2 and also forces a specific cipher:
https://github.com/apache/impala/blob/master/tests/custom_cluster/test_client_ssl.py#L118-L119

So this combination of configuration values causes a failure in RHEL7 because we only allow a specific cipher which works with TLSv1.2, but the client cannot use TLSv1.2 due to the Python version as mentioned above.

On systems lower than RHEL7, the machines come equipped with Python 2.6.6, which does not force the use of specific ciphers, so we get away without a failure.

To fix this, we either need to change the Python version on RHEL 7 to be >= Python 2.7.9, or reduce the 'test_client_ssl' limitation to run TLSv1. The second option is the quickest, although not ideal, but it should at least unblock our builds while we can upgrade the AMIs for RHEL7. This patch does just that.

Change-Id: I92c66ecaeb94b0c83ee6f1396c082709c21b3187
---
M tests/custom_cluster/test_client_ssl.py
1 file changed, 1 insertion(+), 2 deletions(-)

  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/29/10529/1

--
To view, visit http://gerrit.cloudera.org:8080/10529
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I92c66ecaeb94b0c83ee6f1396c082709c21b3187
Gerrit-Change-Number: 10529
Gerrit-PatchSet: 1
Gerrit-Owner: Sailesh Mukil <[email protected]>
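
The version gating described in the commit message above, as an added example that is not part of the change or of thrift's code: it applies the two quoted `sys.hexversion` thresholds to the three interpreter versions the message names. The function names and the `skip_reason` pre-flight are hypothetical.

```python
import sys

# Thresholds quoted in the commit message from thrift's TSSLSocket.py.
SSL_CONTEXT_MIN = 0x020709F0  # SSLContext needs Python >= 2.7.9
CIPHERS_MIN = 0x020700F0      # ciphers argument needs Python >= 2.7.0


def hexversion(major, minor, micro):
    """Encode a final release the way sys.hexversion does (0xMMmmppF0)."""
    return (major << 24) | (minor << 16) | (micro << 8) | 0xF0


def thrift_client_profile(hexver):
    """Return what the quoted TSSLSocket logic selects for an interpreter."""
    has_ctx = hexver >= SSL_CONTEXT_MIN
    return {
        "has_ssl_context": has_ctx,
        "has_ciphers": hexver >= CIPHERS_MIN,
        # SSLv23 negotiates the highest shared version; TLSv1 pins TLS 1.0.
        "default_protocol": "PROTOCOL_SSLv23" if has_ctx else "PROTOCOL_TLSv1",
    }


def can_offer_tls12(hexver):
    """True when the selected default protocol is able to negotiate TLS 1.2."""
    return thrift_client_profile(hexver)["default_protocol"] == "PROTOCOL_SSLv23"


def skip_reason(hexver=sys.hexversion):
    """Hypothetical pre-flight for a TLSv1.2-only test: reason to skip, or None."""
    if can_offer_tls12(hexver):
        return None
    return "client Python 0x%08X falls back to PROTOCOL_TLSv1" % hexver


if __name__ == "__main__":
    # The three interpreter versions named in the commit message.
    for ver in [(2, 6, 6), (2, 7, 5), (2, 7, 9)]:
        print(ver, thrift_client_profile(hexversion(*ver)))
    print("this interpreter:", skip_reason() or "can negotiate TLS 1.2")
```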
