Dan Burkert has submitted this change and it was merged.

Change subject: [security] add channel binding to krpc
......................................................................

[security] add channel binding to krpc

Channel binding prevents a MITM attack when using unauthenticated TLS with Kerberos. The channel binding codepath is exercised by the existing TLS + GSSAPI negotiation test, but I'm punting on testing that it protects against a MITM for now.

Change-Id: Id73fceebfcb47c881c30f6904cfd6fc6d80f50b8
Reviewed-on: http://gerrit.cloudera.org:8080/5884
Reviewed-by: Todd Lipcon <t...@apache.org>
Tested-by: Kudu Jenkins
---
M docs/design-docs/rpc.md
M src/kudu/rpc/client_negotiation.cc
M src/kudu/rpc/client_negotiation.h
M src/kudu/rpc/rpc_header.proto
M src/kudu/rpc/sasl_common.cc
M src/kudu/rpc/sasl_common.h
M src/kudu/rpc/server_negotiation.cc
M src/kudu/rpc/server_negotiation.h
M src/kudu/security/ca/cert_management.cc
M src/kudu/security/cert.cc
M src/kudu/security/cert.h
M src/kudu/security/openssl_util.cc
M src/kudu/security/openssl_util.h
M src/kudu/security/tls_handshake.cc
M src/kudu/security/tls_socket.cc
M src/kudu/security/tls_socket.h
M src/kudu/util/status.cc
17 files changed, 369 insertions(+), 65 deletions(-)

Approvals:
  Todd Lipcon: Looks good to me, approved
  Kudu Jenkins: Verified

--
To view, visit http://gerrit.cloudera.org:8080/5884

Gerrit-MessageType: merged
Gerrit-Change-Id: Id73fceebfcb47c881c30f6904cfd6fc6d80f50b8
Gerrit-PatchSet: 7
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <danburk...@apache.org>
Gerrit-Reviewer: Alexey Serbin <aser...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <danburk...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Tidy Bot
Gerrit-Reviewer: Todd Lipcon <t...@apache.org>