Hello Dan Burkert, Jean-Daniel Cryans,
I'd like you to do a code review. Please visit
http://gerrit.cloudera.org:8080/5948
to review the following change.
Change subject: WIP: generate self-signed certs on server startup
......................................................................
WIP: generate self-signed certs on server startup
Before the servers get certs signed by the internal CA, we still need to
have some kind of cert to support GSSAPI-authenticated connections. This
patch makes the servers generate self-signed certs, and changes the RPC
layer to check whether the TlsContext has a cert in order to decide
whether to advertise TLS.
This also changes a bit of code to generate proper self-signed certs.
Self-signed certs need to have the 'keyCertSign' attribute set, or else
OpenSSL won't properly recognize the self-signature.
With this patch, TLS-capable clients and servers will now encrypt
traffic. I checked that using 'kudu table list' and tshark with a
vanilla configuration kudu-master running locally.
WIP:
- could do with some testing
- may not want to enable TLS by default until we have the localhost
'no-encryption' optimization in place
Change-Id: I75f421406fb802ea42a2f8823ee3e7404e1643e1
---
M src/kudu/rpc/client_negotiation.cc
M src/kudu/rpc/messenger.cc
M src/kudu/rpc/messenger.h
M src/kudu/rpc/negotiation.cc
M src/kudu/security/ca/cert_management.cc
M src/kudu/security/ca/cert_management.h
M src/kudu/security/server_cert_manager.cc
M src/kudu/security/server_cert_manager.h
M src/kudu/server/server_base.cc
9 files changed, 130 insertions(+), 42 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/48/5948/1
--
To view, visit http://gerrit.cloudera.org:8080/5948
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I75f421406fb802ea42a2f8823ee3e7404e1643e1
Gerrit-PatchSet: 1
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Todd Lipcon <[email protected]>
Gerrit-Reviewer: Dan Burkert <[email protected]>
Gerrit-Reviewer: Jean-Daniel Cryans <[email protected]>
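The commit message notes that a self-signed cert must carry the keyCertSign key usage or OpenSSL will not recognize the self-signature. As an added illustration (not code from this Kudu change; it assumes an OpenSSL 1.1.1 or later CLI on PATH, and the subject name and file names are constructed), the script below generates a self-signed cert with a given keyUsage and asks OpenSSL to verify it against itself:

```shell
#!/bin/sh
# Added example, not part of the Kudu change: show that OpenSSL accepts a
# self-signed certificate as its own issuer only when keyUsage includes
# keyCertSign. Assumes the `openssl` CLI (1.1.1 or later) is on PATH; the
# subject name and file names are constructed for this demo.

# selfsigned_verifies KEYUSAGE
#   Generates a self-signed cert whose keyUsage is KEYUSAGE and verifies it
#   against itself. Returns 0 if OpenSSL accepts the self-signature,
#   1 if it rejects it, 2 if certificate generation itself failed.
selfsigned_verifies() {
    ku="$1"
    dir=$(mktemp -d) || return 2
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_self
prompt             = no
[dn]
CN = kudu-selfsigned-example
[v3_self]
basicConstraints     = critical,CA:TRUE
subjectKeyIdentifier = hash
keyUsage             = critical,$ku
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/req.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1 \
        || { rm -rf "$dir"; return 2; }
    # The cert is its own trust anchor. -check_ss_sig makes OpenSSL check the
    # anchor's signature and key usage (1.1.x refuses the cert as its own
    # issuer even without the flag; 3.x enforces keyCertSign only when asked).
    if openssl verify -check_ss_sig -CAfile "$dir/cert.pem" "$dir/cert.pem" \
            >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$dir"
    return $rc
}

if selfsigned_verifies "keyCertSign,digitalSignature"; then
    echo "keyCertSign set:     self-signature accepted"
fi
if ! selfsigned_verifies "digitalSignature"; then
    echo "keyCertSign missing: self-signature rejected"
fi
```

The second case is what a server cert generated with only digitalSignature would hit: without keyCertSign the cert cannot act as its own trust anchor, which is why the patch sets that attribute when generating the startup certs.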