Zoltan Borok-Nagy has uploaded this change for review. ( http://gerrit.cloudera.org:8080/18346
Change subject: IMPALA-11195 (part 1): Disable SSL session renegotiations in the web server ...................................................................... IMPALA-11195 (part 1): Disable SSL session renegotiations in the web server SSL renegotiation has had a couple of CVEs in the past. This patch disables TLS ciphers renegotiation for TLSv1.2 and prior protocol versions in the Impala web server. Renegotiation is not possible in a TLSv1.3 connection. Disabling renegotiations on the Thrift servers require Thrift-side changes, hence this is handled in the native-toolchain. In case of OpenSSL version 1.1.0h and newer, we are using SSL_OP_NO_RENEGOTIATION option to disable all renegotiations. In case of OpenSSL version prior to 1.1.0a, the undocumented flag SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS is used. The moot point is the version interval between 1.1.0a and 1.1.0g (inclusive): the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag is no longer available from the application side, but SSL_OP_NO_RENEGOTIATION is not yet present. So, if a server binary has been compiled with OpenSSL in the specified version range, it's still advertising the renegotiation option, even if it's run against OpenSSL 1.1.0h or later versions. Change-Id: I1afbd6dfcad6b8fbc2e82763222996fabba207cf --- M be/src/thirdparty/squeasel/squeasel.c 1 file changed, 21 insertions(+), 0 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/46/18346/1 -- To view, visit http://gerrit.cloudera.org:8080/18346 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: newchange Gerrit-Change-Id: I1afbd6dfcad6b8fbc2e82763222996fabba207cf Gerrit-Change-Number: 18346 Gerrit-PatchSet: 1 Gerrit-Owner: Zoltan Borok-Nagy <[email protected]>
