Zoltan Borok-Nagy has uploaded a new patch set (#2). ( http://gerrit.cloudera.org:8080/20329 )
Change subject: IMPALA-11195: Disable SSL session renegotiations
......................................................................

IMPALA-11195: Disable SSL session renegotiations

This commit updates the second Thrift 0.16.0 patch. The earlier version of that patch didn't do the job correctly when OpenSSL 1.0.2 was being used.

In OpenSSL 1.0.2 we need to set the flag SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS in the SSL object *after* the handshake has happened. The earlier patch set the flag right after SSL_new(), and before SSL_accept(). OpenSSL has a bug that resets the flags in SSL_accept(), making the earlier patch ineffective. This commit updates the Thrift patch to correctly set the flag via a callback function.

Instead of adding a new patch file under the thrift-0.16.0-patches directory I chose to fix the original patch so it won't get copied around unnecessarily.

This patch also raises a compile-time error when it detects an OpenSSL version that is vulnerable to CVE-2009-3555 and we cannot do anything about it, i.e. the old flag does not exist anymore, and the new flag is yet to exist. This means OpenSSL versions between 1.1.0 and 1.1.0g (inclusive).

Change-Id: Ia39078f1497ece36660ed6224f6cbadbfdf71d82
---
M source/thrift/thrift-0.16.0-patches/0002-IMPALA-11195-Disable-SSL-renegotiations.patch
1 file changed, 34 insertions(+), 23 deletions(-)

git pull ssh://gerrit.cloudera.org:29418/native-toolchain refs/changes/29/20329/2

--
To view, visit http://gerrit.cloudera.org:8080/20329

Gerrit-Project: native-toolchain
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ia39078f1497ece36660ed6224f6cbadbfdf71d82
Gerrit-Change-Number: 20329
Gerrit-PatchSet: 2
Gerrit-Owner: Zoltan Borok-Nagy <[email protected]>
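The version gate and the post-handshake callback that the commit message describes, as an added stand-alone C example (not the Thrift patch's or the toolchain's own code). Assumptions: EXAMPLE_WITH_OPENSSL is a hypothetical opt-in define; without it the file compiles with no OpenSSL headers and pretends to be OpenSSL 1.0.2t; the function, macro and enum names are mine.

```c
#include <stdio.h>
#include <string.h>
/* EXAMPLE_WITH_OPENSSL is a hypothetical opt-in: build with real OpenSSL headers to
 * get the callback below. Without it, pretend to be 1.0.2t so the file stands alone. */
#ifdef EXAMPLE_WITH_OPENSSL
#include <openssl/ssl.h>
#else
#define OPENSSL_VERSION_NUMBER 0x1000214fUL /* assumed: OpenSSL 1.0.2t */
#endif

/* OPENSSL_VERSION_NUMBER is 0xMNNFFPPS: major, minor, fix, patch letter, status. */
#define OSSL_1_1_0  0x10100000UL /* 1.1.0: SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS is gone   */
#define OSSL_1_1_0H 0x10100080UL /* 1.1.0h: SSL_OP_NO_RENEGOTIATION becomes available */

/* Compile-time gate as in the patch: 1.1.0 .. 1.1.0g have neither mechanism. */
#if OPENSSL_VERSION_NUMBER >= OSSL_1_1_0 && OPENSSL_VERSION_NUMBER < OSSL_1_1_0H
#error "OpenSSL 1.1.0 - 1.1.0g cannot disable renegotiation (CVE-2009-3555)"
#endif

enum renego_mode { RENEGO_LEGACY_FLAG, RENEGO_UNFIXABLE, RENEGO_NO_RENEGOTIATION_OPTION };

/* Runtime twin of the gate so the version boundaries can be checked in tests. */
enum renego_mode classify_openssl(unsigned long v) {
    if (v < OSSL_1_1_0) return RENEGO_LEGACY_FLAG;   /* 1.0.x: flag set from callback */
    if (v < OSSL_1_1_0H) return RENEGO_UNFIXABLE;    /* 1.1.0 .. 1.1.0g */
    return RENEGO_NO_RENEGOTIATION_OPTION;           /* 1.1.0h and later */
}

/* Decode 0xMNNFFPPS into "M.NN.FF<letter>", e.g. 0x1010007f -> "1.1.0g". */
void format_openssl_version(unsigned long v, char out[16]) {
    unsigned long patch = (v >> 4) & 0xff;
    int n = snprintf(out, 16, "%lu.%lu.%lu", (v >> 28) & 0xf, (v >> 20) & 0xff, (v >> 12) & 0xff);
    if (patch && n > 0 && n < 15) { out[n] = (char)('a' + patch - 1); out[n + 1] = '\0'; }
}

#ifdef EXAMPLE_WITH_OPENSSL
#if OPENSSL_VERSION_NUMBER < OSSL_1_1_0
/* 1.0.x: SSL_accept() resets s3->flags, so a flag set right after SSL_new() is lost.
 * Set it from the info callback once the handshake has completed instead. */
static void forbid_renegotiation_cb(const SSL *ssl, int where, int ret) {
    (void)ret;
    if ((where & SSL_CB_HANDSHAKE_DONE) && ssl->s3 != NULL)
        ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
}
void disable_renegotiation(SSL *ssl) { SSL_set_info_callback(ssl, forbid_renegotiation_cb); }
#else
void disable_renegotiation(SSL *ssl) { SSL_set_options(ssl, SSL_OP_NO_RENEGOTIATION); }
#endif
#endif
```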
