Hello Alexey Serbin, Adar Dembo, Todd Lipcon,

I'd like you to do a code review. Please visit

    http://gerrit.cloudera.org:8080/8286

to review the following change.


Change subject: KUDU-2190: Strengthen default webserver TLS ciphers
......................................................................

KUDU-2190: Strengthen default webserver TLS ciphers

This commit adds two new advanced flags: 'webserver-tls-ciphers' and
'webserver-tls-min-protocol', which can be configured to change the
webserver's list of available ciphers and TLS protocol version,
respectively. They work exactly the same as the existing
'rpc-tls-ciphers' and 'rpc-tls-min-protocol' flags which apply to KRPC.

In addition, this commit changes the default cipher suite exposed by the
webserver: instead of using the platform's default OpenSSL cipher suite,
which can be insecure on older platforms, it uses the same suite we've
been using successfully with KRPC.

Testing: there are no automated tests provided, but I have manually
verified that the webserver no longer advertises 3DES and RC4 ciphers
using a script modified from [1].

[1]: https://superuser.com/a/224263

Change-Id: I9169e5dc30ba52251347241dca4c1ca490f581c9
---
M src/kudu/server/webserver.cc
M src/kudu/server/webserver_options.cc
M src/kudu/server/webserver_options.h
M thirdparty/vars.sh
4 files changed, 30 insertions(+), 1 deletion(-)



  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/86/8286/1
--
To view, visit http://gerrit.cloudera.org:8080/8286
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I9169e5dc30ba52251347241dca4c1ca490f581c9
Gerrit-Change-Number: 8286
Gerrit-PatchSet: 1
Gerrit-Owner: Dan Burkert <[email protected]>
Gerrit-Reviewer: Adar Dembo <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Todd Lipcon <[email protected]>
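
An offline companion to the manual check described in the commit message, added here as an example and not part of the change or of Kudu: it expands an OpenSSL cipher string with the local OpenSSL build and reports any 3DES or RC4 suites it would enable. The cipher string shown is constructed for illustration (the page does not give the one the commit uses), and the function names are hypothetical.

```python
import ssl

# OpenSSL names 3DES suites "...DES-CBC3-..."; IANA names use "3DES".
# RC4 appears as "RC4" in both naming schemes.
WEAK_MARKERS = ("3DES", "DES-CBC3", "RC4")


def weak_names(cipher_names):
    """Return the suite names that belong to the 3DES or RC4 families."""
    return [n for n in cipher_names
            if any(marker in n.upper() for marker in WEAK_MARKERS)]


def expand(cipher_string):
    """Expand an OpenSSL cipher string into the suite names it enables.

    The result depends on the local OpenSSL build: suites that were
    compiled out or excluded by the security level never appear.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def audit(cipher_string):
    """Return the weak suites a server using this cipher string could offer."""
    return weak_names(expand(cipher_string))


if __name__ == "__main__":
    # Constructed sample values, not the strings used by the commit.
    for label, spec in (("platform default", "DEFAULT"),
                        ("constructed strong list", "ECDHE+AESGCM")):
        found = audit(spec)
        print(f"{label}: {'OK' if not found else 'weak: ' + ', '.join(found)}")
```

This checks what a cipher string expands to on the machine running it, so it should be run against the same OpenSSL the webserver links to.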
