Henry Robinson has posted comments on this change.

Change subject: rpc: allow setting --rpc_tls_min_protocol on older RHEL versions
......................................................................

Patch Set 2:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/7821/2/src/kudu/security/tls_context.cc
File src/kudu/security/tls_context.cc:

PS2, Line 71: 0x10000000U
Here is a fun thing I discovered:

  henry@hnr-optiplex:/data/henry/src/cloudera/impala-toolchain/openssl-1.0.0s/include (master) $ grep -r 0x10000000L *
  openssl/ssl.h:# define SSL_OP_PKCS1_CHECK_2 0x10000000L
  henry@hnr-optiplex:/data/henry/src/cloudera/impala-toolchain/openssl-1.0.0s/include (master) $ cd ../../openssl-1.0.2l/include/
  henry@hnr-optiplex:/data/henry/src/cloudera/impala-toolchain/openssl-1.0.2l/include $ grep -r 0x10000000L *
  openssl/ssl.h:# define SSL_OP_NO_TLSv1_1 0x10000000L

In OpenSSL 1.0.0, the constant that became SSL_OP_NO_TLSv1_1 in 1.0.1 was already in use for an esoteric option that messes with the cryptographic protocol for fault injection (deprecated in 1.0.1).

I can't recall enough about your requirements to puzzle through whether this is a real problem for you, but theoretically it does mean that anyone linked against 1.0.0 that tries to set --rpc_tls_min_protocol=tlsv1.1 will get some unexpected behaviour. IIRC, Kudu isn't expected to work against 1.0.0 anyhow, so this may be an academic issue for you.

In Impala, we're probably going to have to use SSLeay() to detect the OpenSSL version at runtime.

--
To view, visit http://gerrit.cloudera.org:8080/7821
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: Ic61f31788d63072fae609c6a2186e52d5e2467b7
Gerrit-PatchSet: 2
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <[email protected]>
Gerrit-Reviewer: Adar Dembo <[email protected]>
Gerrit-Reviewer: Dan Burkert <[email protected]>
Gerrit-Reviewer: Henry Robinson <[email protected]>
Gerrit-Reviewer: Todd Lipcon <[email protected]>
Gerrit-HasComments: Yes
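The runtime version gate the comment above alludes to, as an added example that is not code from Kudu, Impala or this change. The helper name `tls_min_proto_options`, the `min_proto` enum and the macro names are hypothetical; the caller is assumed to pass the value returned by `SSLeay()`.

```c
#include <stdio.h>

/* Bit quoted in the comment: SSL_OP_NO_TLSv1_1 in the 1.0.2l headers,
 * SSL_OP_PKCS1_CHECK_2 in the 1.0.0s headers. */
#define NO_TLSV1_1_BIT 0x10000000UL

/* OpenSSL version numbers are laid out as 0xMNNFFPPS, so every 1.0.1
 * build compares >= this value and every 1.0.0 build compares below it. */
#define OPENSSL_1_0_1 0x10001000UL

enum min_proto { MIN_TLSV1 = 0, MIN_TLSV1_1 = 1 };

/* Hypothetical helper. runtime_version is assumed to come from SSLeay(),
 * i.e. the library actually loaded, not the compile-time
 * OPENSSL_VERSION_NUMBER of whatever headers were used to build.
 * Returns 0 and stores the bits for SSL_CTX_set_options() in *opts, or
 * returns -1 when the loaded library gives the bit a different meaning,
 * so the caller can reject the flag value instead of setting it. */
int tls_min_proto_options(unsigned long runtime_version,
                          enum min_proto min, unsigned long *opts)
{
    *opts = 0;
    if (min == MIN_TLSV1)
        return 0;                 /* nothing beyond the defaults to disable */
    if (runtime_version < OPENSSL_1_0_1)
        return -1;                /* 1.0.0: bit is SSL_OP_PKCS1_CHECK_2 */
    *opts = NO_TLSV1_1_BIT;       /* 1.0.1+: bit is SSL_OP_NO_TLSv1_1 */
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: version numbers of 1.0.0s and 1.0.2l. */
    const unsigned long versions[] = { 0x1000013fUL, 0x100020cfUL };
    for (int i = 0; i < 2; i++) {
        unsigned long opts;
        int rc = tls_min_proto_options(versions[i], MIN_TLSV1_1, &opts);
        printf("runtime 0x%08lx: rc=%d opts=0x%08lx\n", versions[i], rc, opts);
    }
    return 0;
}
```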
