Zoltan Borok-Nagy has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/20329 )

Change subject: IMPALA-11195: Disable SSL session renegotiations
......................................................................

IMPALA-11195: Disable SSL session renegotiations

This commit updates the second Thrift 0.16.0 patch. The earlier version of
that patch didn't do the job correctly when OpenSSL 1.0.2 was being
used. In OpenSSL 1.0.2 we need to set the flag
SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS in the SSL object *after* the
handshake has happened.

The earlier patch set the flag right after SSL_new(), and before
SSL_accept(). OpenSSL has a bug that resets the flags in SSL_accept(),
making the earlier patch ineffective.

This commit updates the Thrift patch to correctly set the flag via
a callback function.

Instead of adding a new patch file under the thrift-0.16.0-patches
directory I chose to fix the original patch so it won't get copied
around unnecessarily.

This patch also raises a compile-time error when it detects an
OpenSSL version that is vulnerable to CVE-2009-3555 and we cannot
do anything about it, i.e. the old flag does not exist anymore,
and the new flag is yet to exist. This means OpenSSL versions
between 1.1.0 and 1.1.0g (inclusive).

Change-Id: Ia39078f1497ece36660ed6224f6cbadbfdf71d82
Reviewed-on: http://gerrit.cloudera.org:8080/20329
Reviewed-by: Michael Smith <[email protected]>
Reviewed-by: Laszlo Gaal <[email protected]>
Tested-by: Zoltan Borok-Nagy <[email protected]>
---
M source/thrift/thrift-0.16.0-patches/0002-IMPALA-11195-Disable-SSL-renegotiations.patch
1 file changed, 34 insertions(+), 23 deletions(-)

Approvals:
  Michael Smith: Looks good to me, but someone else must approve
  Laszlo Gaal: Looks good to me, approved
  Zoltan Borok-Nagy: Verified

--
To view, visit http://gerrit.cloudera.org:8080/20329
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: native-toolchain
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: Ia39078f1497ece36660ed6224f6cbadbfdf71d82
Gerrit-Change-Number: 20329
Gerrit-PatchSet: 3
Gerrit-Owner: Zoltan Borok-Nagy <[email protected]>
Gerrit-Reviewer: Laszlo Gaal <[email protected]>
Gerrit-Reviewer: Michael Smith <[email protected]>
Gerrit-Reviewer: Zoltan Borok-Nagy <[email protected]>
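
The version gating described in the commit message, as an added example that is not the Thrift patch or any Impala code: it decodes an OpenSSL version number and picks the CVE-2009-3555 handling for it. The function and enum names are hypothetical, the sample version numbers are constructed, and naming SSL_OP_NO_RENEGOTIATION as "the new flag" is an assumption based on OpenSSL, not on the page.

```c
#include <stdio.h>

/* Outcomes for CVE-2009-3555 handling, following the commit message. */
enum reneg_fix {
    RENEG_LEGACY_FLAG, /* set SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS after the handshake */
    RENEG_NO_FIX,      /* neither flag exists: the build must fail */
    RENEG_OP_FLAG      /* set SSL_OP_NO_RENEGOTIATION (assumed to be "the new flag") */
};

/* Pre-3.0 OPENSSL_VERSION_NUMBER is 0xMNNFFPPS; dropping the status nibble S
 * lets dev, beta and release builds of one version compare equal. */
#define VER_1_1_0  0x1010000UL /* 1.1.0 */
#define VER_1_1_0H 0x1010008UL /* 1.1.0h: patch letter h = 8 */

enum reneg_fix classify_openssl(unsigned long version_number)
{
    unsigned long v = version_number >> 4;
    if (v < VER_1_1_0)
        return RENEG_LEGACY_FLAG; /* assumption: every pre-1.1.0 build has the old flag */
    if (v < VER_1_1_0H)
        return RENEG_NO_FIX;      /* 1.1.0 through 1.1.0g inclusive */
    return RENEG_OP_FLAG;         /* 1.1.0h, 1.1.1 and 3.x */
}

/* Render a pre-3.0 version number as e.g. "1.0.2u" into buf. */
const char *format_openssl(unsigned long n, char *buf, size_t len)
{
    unsigned patch = (unsigned)((n >> 4) & 0xff);
    int used = snprintf(buf, len, "%lu.%lu.%lu",
                        n >> 28, (n >> 20) & 0xff, (n >> 12) & 0xff);
    if (patch && used > 0 && (size_t)used + 1 < len) {
        buf[used] = (char)('a' + patch - 1); /* patch 1 -> 'a', 8 -> 'h' */
        buf[used + 1] = '\0';
    }
    return buf;
}

int main(void)
{
    /* Constructed sample values: 1.0.2u, 1.1.0, 1.1.0g, 1.1.0h, 1.1.1 */
    unsigned long samples[] = { 0x1000215fUL, 0x1010000fUL, 0x1010007fUL,
                                0x1010008fUL, 0x1010100fUL };
    const char *names[] = { "legacy flag, set after handshake",
                            "no fix, fail the build", "SSL_OP_NO_RENEGOTIATION" };
    char buf[16];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-7s -> %s\n", format_openssl(samples[i], buf, sizeof buf),
               names[classify_openssl(samples[i])]);
    return 0;
}
```

The same comparison written against OPENSSL_VERSION_NUMBER in the preprocessor gives the compile-time error the commit describes; running it against the loaded library's version number additionally catches a runtime library that differs from the build headers.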
