Michael Smith has posted comments on this change. ( http://gerrit.cloudera.org:8080/23519 )

Change subject: IMPALA-14452: Fix impala-shell SSL with Python 3.12
......................................................................


Patch Set 12:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/23519/12/shell/impala_shell/TSSLSocketWithFixes.py
File shell/impala_shell/TSSLSocketWithFixes.py:

http://gerrit.cloudera.org:8080/#/c/23519/12/shell/impala_shell/TSSLSocketWithFixes.py@59
PS12, Line 59:         ssl_version = ssl.PROTOCOL_TLS_CLIENT
Error message changes when we set this. It enables check_hostname in OpenSSL, 
which causes TSocket.open() to fail before TSSLSocket calls _validate_callback.

Thrift itself swallows the detailed exception from SSL in 
https://github.com/apache/thrift/blob/v0.22.0/lib/py/src/transport/TSocket.py#L143-L149:

    ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for '::1'. (_ssl.c:1131)

I don't see a clean way to improve this without updates to Thrift; it would be 
a lot of overriding in TSSLSocket and TSocket. It's apparently a long-standing 
issue - https://issues.apache.org/jira/browse/THRIFT-792 - that is made worse 
with fixes for Python 3.12.

I've updated this case to only use PROTOCOL_TLS_CLIENT for Python 3.12+ to 
avoid regressing the error message in earlier versions.



--
To view, visit http://gerrit.cloudera.org:8080/23519
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I046a9010ac4cb1f7d705935054b306cddaf8bdc7
Gerrit-Change-Number: 23519
Gerrit-PatchSet: 12
Gerrit-Owner: Michael Smith <[email protected]>
Gerrit-Reviewer: Csaba Ringhofer <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
Gerrit-Reviewer: Joe McDonnell <[email protected]>
Gerrit-Reviewer: Laszlo Gaal <[email protected]>
Gerrit-Reviewer: Michael Smith <[email protected]>
Gerrit-Comment-Date: Fri, 17 Oct 2025 21:59:35 +0000
Gerrit-HasComments: Yes
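
Added example, not part of the review comment or the Impala patch: a standard-library-only sketch of why `ssl.PROTOCOL_TLS_CLIENT` moves the hostname failure into the handshake, plus the version gate the comment describes. The helper names (`pick_protocol`, `defer_hostname_check`, and the others) are hypothetical and do not come from `TSSLSocketWithFixes.py` or Thrift.

```python
import ssl
import sys
import warnings


def new_context(protocol):
    """Create an SSLContext, silencing the PROTOCOL_TLS deprecation notice."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        return ssl.SSLContext(protocol)


def context_defaults(protocol):
    """Return (check_hostname, verify_mode) as the ssl module sets them."""
    ctx = new_context(protocol)
    return ctx.check_hostname, ctx.verify_mode


def pick_protocol(version_info=sys.version_info):
    """Hypothetical helper: the Python 3.12+ gate described in the comment."""
    if tuple(version_info[:2]) >= (3, 12):
        return ssl.PROTOCOL_TLS_CLIENT
    return ssl.PROTOCOL_TLS


def callback_reachable_on_mismatch(ctx):
    """A post-handshake hostname callback only runs on a name mismatch if
    OpenSSL is not already rejecting the mismatch during the handshake."""
    return not ctx.check_hostname


def defer_hostname_check(ctx):
    """Keep chain verification but leave name matching to the caller."""
    ctx.check_hostname = False          # must come before any CERT_NONE change
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def cert_none_rejected_while_checking_hostname():
    """Setting CERT_NONE with check_hostname still on raises ValueError."""
    ctx = new_context(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return True
    return False
```

A context left in the `defer_hostname_check` state accepts a certificate for any name, so the caller's own hostname validation must run before any data is sent.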
