Impala Public Jenkins has submitted this change and it was merged.

Change subject: IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
......................................................................

IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2

The shell uses Thrift's TSSLSocket to negotiate secure connections to
Impala. This socket uses a variable SSL_VERSION to determine which SSL
and TLS protocol versions it will connect to.

SSL_VERSION was hardcoded to be PROTOCOL_TLSv1, which only supports
TLSv1 servers and no other protocol version.

Change the allowed version to be PROTOCOL_SSLv23, which supports any TLS
or SSL protocol. We rely on the server not to allow SSLv2 or v3
connections.

Testing: Added a new custom cluster test to confirm that the shell can
connect to a TLSv1.2 cluster. Confirmed that the test is correctly
skipped on machines with an old version of OpenSSL that does not support
TLSv1.2.

Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
Reviewed-on: http://gerrit.cloudera.org:8080/7675
Reviewed-by: Tim Armstrong <[email protected]>
Tested-by: Impala Public Jenkins
---
M shell/TSSLSocketWithWildcardSAN.py
M tests/custom_cluster/test_client_ssl.py
M tests/util/thrift_util.py
3 files changed, 41 insertions(+), 2 deletions(-)

Approvals:
  Impala Public Jenkins: Verified
  Tim Armstrong: Looks good to me, approved

--
To view, visit http://gerrit.cloudera.org:8080/7675
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
Gerrit-PatchSet: 4
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson <[email protected]>
Gerrit-Reviewer: Henry Robinson <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins
Gerrit-Reviewer: Sailesh Mukil <[email protected]>
Gerrit-Reviewer: Tim Armstrong <[email protected]>
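
The commit message above moves the client to a version-flexible method and leaves the refusal of SSLv2/v3 to the server. As an added example (not Impala's code, and written against Python 3's standard `ssl` module rather than Thrift's TSSLSocket), the following sets the protocol floor on the client as well and parses the ClientHello the context would send to confirm which versions it offers; the function names and the host name are hypothetical.

```python
import ssl
import struct

SUPPORTED_VERSIONS = 43  # TLS extension type number (RFC 8446)

def flexible_client_context(floor=ssl.TLSVersion.TLSv1, ceiling=None):
    """Version-flexible client context with the protocol floor set by the client.
    The default floor is the oldest version named in the change subject."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = floor          # SSLv3 and older are never offered
    if ceiling is not None:
        ctx.maximum_version = ceiling
    return ctx

def client_hello(ctx, host="impalad.example.invalid"):  # placeholder host name
    """Return the first flight this context would send; no network is used."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=host)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass                             # expected: now waiting for a ServerHello
    return outgoing.read()

def offered_versions(hello):
    """Parse a ClientHello record into (legacy client_version, supported_versions)."""
    if len(hello) < 44 or hello[0] != 0x16 or hello[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    (legacy,) = struct.unpack_from("!H", hello, 9)
    pos = 5 + 4 + 2 + 32                 # record hdr, handshake hdr, version, random
    pos += 1 + hello[pos]                # session_id
    pos += 2 + struct.unpack_from("!H", hello, pos)[0]   # cipher_suites
    pos += 1 + hello[pos]                # compression_methods
    end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
    pos += 2
    versions = []
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
        if ext_type == SUPPORTED_VERSIONS:
            body = hello[pos + 5:pos + 4 + ext_len]      # skip 1-byte list length
            versions = [v for (v,) in struct.iter_unpack("!H", body)]
        pos += 4 + ext_len
    return legacy, versions

if __name__ == "__main__":
    ctx = flexible_client_context(floor=ssl.TLSVersion.TLSv1_2)
    legacy, versions = offered_versions(client_hello(ctx))
    print(hex(legacy), [hex(v) for v in versions])
```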
