Zoltan Borok-Nagy has uploaded this change for review. ( http://gerrit.cloudera.org:8080/18382 )


Change subject: IMPALA-11195: Disable SSL session renegotiation
......................................................................

IMPALA-11195: Disable SSL session renegotiation

This patch disables TLS ciphers renegotiation for TLSv1.2 and prior
protocol versions. Renegotiation is not possible in a TLSv1.3
connection.

In case of OpenSSL version 1.1.0h and newer, we are
using SSL_OP_NO_RENEGOTIATION option to disable all renegotiations. In
case of OpenSSL version prior to 1.1.0a, the undocumented flag
SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS is used.

The moot point is the version interval between 1.1.0a and 1.1.0g
(inclusive): the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag is no longer
available from the application side, but SSL_OP_NO_RENEGOTIATION is not
yet present. So, if a server binary has been compiled with OpenSSL in
the specified version range, it's still advertising the renegotiation
option, even if it's run against OpenSSL 1.1.0h or later versions.

Change-Id: If3e12b6394134daf9c936268d4e60da6b4f3804e
(cherry picked from commit be219b7c627f2db31c1928ee079160a2855ad3df)
---
M buildall.sh
A source/thrift/thrift-0.11.0-patches/0003-THRIFT-2087-Python-compiler-replace-non-utf-8-char-w.patch
A source/thrift/thrift-0.11.0-patches/0004-THRIFT-5303-Fix-missing-error-handling-in-using-PyUn.patch
A source/thrift/thrift-0.11.0-patches/0005-IMPALA-11195-Disable-SSL-renegotiations.patch
A source/thrift/thrift-0.9.3-patches/0009-IMPALA-11195-Disable-SSL-renegotiations.patch
5 files changed, 165 insertions(+), 2 deletions(-)



  git pull ssh://gerrit.cloudera.org:29418/native-toolchain refs/changes/82/18382/1
--
To view, visit http://gerrit.cloudera.org:8080/18382
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: native-toolchain
Gerrit-Branch: CDH-7.1.8.x
Gerrit-MessageType: newchange
Gerrit-Change-Id: If3e12b6394134daf9c936268d4e60da6b4f3804e
Gerrit-Change-Number: 18382
Gerrit-PatchSet: 1
Gerrit-Owner: Zoltan Borok-Nagy <borokna...@cloudera.com>
