Dan Burkert has posted comments on this change.

Change subject: [security] add --rpc_tls_ciphers flag
......................................................................

Patch Set 6:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/6055/3/src/kudu/security/tls_context.cc
File src/kudu/security/tls_context.cc:

PS3, Line 50: // below. The DH AES ciphers are not included si
> Are you using a version of OpenSSL with the CBC multi-buffer AESNI optimiza

OK I think I found a solution we can both be happy with. I changed it to use the "modern compatibility" list, which does prefer AES over ChaCha, since AES-NI is assumed. In addition, I added the AES ciphers from the "intermediate compatibility" list which are required to maintain compatibility with RHEL 6.5. This has the disadvantage of not corresponding exactly to one of the lists, but in practice it should be more secure than using the intermediate list and reordering to prefer AES. It's also shorter and easier to understand, since it includes far fewer variants.

--
To view, visit http://gerrit.cloudera.org:8080/6055
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I050e2295041a98fe2c3118c6258b910423bd3816
Gerrit-PatchSet: 6
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Dan Burkert <[email protected]>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <[email protected]>
Gerrit-HasComments: Yes
