Zoltan Borok-Nagy has uploaded this change for review. ( http://gerrit.cloudera.org:8080/18382 )

Change subject: IMPALA-11195: Disable SSL session renegotiation
......................................................................

IMPALA-11195: Disable SSL session renegotiation

This patch disables TLS ciphers renegotiation for TLSv1.2 and prior protocol versions. Renegotiation is not possible in a TLSv1.3 connection.

In case of OpenSSL version 1.1.0h and newer, we are using SSL_OP_NO_RENEGOTIATION option to disable all renegotiations. In case of OpenSSL version prior to 1.1.0a, the undocumented flag SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS is used.

The moot point is the version interval between 1.1.0a and 1.1.0g (inclusive): the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag is no longer available from the application side, but SSL_OP_NO_RENEGOTIATION is not yet present. So, if a server binary has been compiled with OpenSSL in the specified version range, it's still advertising the renegotiation option, even if it's run against OpenSSL 1.1.0h or later versions.

Change-Id: If3e12b6394134daf9c936268d4e60da6b4f3804e
(cherry picked from commit be219b7c627f2db31c1928ee079160a2855ad3df)
---
M buildall.sh
A source/thrift/thrift-0.11.0-patches/0003-THRIFT-2087-Python-compiler-replace-non-utf-8-char-w.patch
A source/thrift/thrift-0.11.0-patches/0004-THRIFT-5303-Fix-missing-error-handling-in-using-PyUn.patch
A source/thrift/thrift-0.11.0-patches/0005-IMPALA-11195-Disable-SSL-renegotiations.patch
A source/thrift/thrift-0.9.3-patches/0009-IMPALA-11195-Disable-SSL-renegotiations.patch
5 files changed, 165 insertions(+), 2 deletions(-)

  git pull ssh://gerrit.cloudera.org:29418/native-toolchain refs/changes/82/18382/1
--
To view, visit http://gerrit.cloudera.org:8080/18382
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: native-toolchain
Gerrit-Branch: CDH-7.1.8.x
Gerrit-MessageType: newchange
Gerrit-Change-Id: If3e12b6394134daf9c936268d4e60da6b4f3804e
Gerrit-Change-Number: 18382
Gerrit-PatchSet: 1
Gerrit-Owner: Zoltan Borok-Nagy <borokna...@cloudera.com>