Dan Burkert has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/8286 )
Change subject: KUDU-2190: Strengthen default webserver TLS ciphers
......................................................................

KUDU-2190: Strengthen default webserver TLS ciphers

This commit adds two new advanced flags: 'webserver-tls-ciphers' and
'webserver-tls-min-protocol', which can be configured to change the
webserver's list of available ciphers and TLS protocol version,
respectively. They work exactly the same as the existing
'rpc-tls-ciphers' and 'rpc-tls-min-protocol' flags which apply to KRPC.

In addition, this commit changes the default cipher suite exposed by the
webserver: instead of using the platform's default OpenSSL cipher suite,
which can be insecure on older platforms, it uses the same suite we've
been using successfully with KRPC.

Testing: there are no automated tests provided, but I have manually
verified that the webserver no longer advertises 3DES and RC4 ciphers
using a script modified from [1].

[1]: https://superuser.com/a/224263

Change-Id: I9169e5dc30ba52251347241dca4c1ca490f581c9
Reviewed-on: http://gerrit.cloudera.org:8080/8286
Reviewed-by: Alexey Serbin <[email protected]>
Tested-by: Kudu Jenkins
---
M src/kudu/server/webserver.cc
M src/kudu/server/webserver_options.cc
M src/kudu/server/webserver_options.h
M thirdparty/vars.sh
4 files changed, 30 insertions(+), 1 deletion(-)

Approvals:
  Alexey Serbin: Looks good to me, approved
  Kudu Jenkins: Verified

--
To view, visit http://gerrit.cloudera.org:8080/8286

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I9169e5dc30ba52251347241dca4c1ca490f581c9
Gerrit-Change-Number: 8286
Gerrit-PatchSet: 2
Gerrit-Owner: Dan Burkert <[email protected]>
Gerrit-Reviewer: Adar Dembo <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Dan Burkert <[email protected]>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <[email protected]>
