Will Berkeley has uploaded this change for review. ( http://gerrit.cloudera.org:8080/10264 )

Change subject: KUDU-2190: Strengthen default webserver TLS ciphers
......................................................................

KUDU-2190: Strengthen default webserver TLS ciphers

This commit adds two new advanced flags: 'webserver-tls-ciphers' and
'webserver-tls-min-protocol', which can be configured to change the
webserver's list of available ciphers and TLS protocol version,
respectively. They work exactly the same as the existing
'rpc-tls-ciphers' and 'rpc-tls-min-protocol' flags which apply to KRPC.

In addition, this commit changes the default cipher suite exposed by the
webserver: instead of using the platform's default OpenSSL cipher suite,
which can be insecure on older platforms, it uses the same suite we've
been using successfully with KRPC.

Testing: there are no automated tests provided, but I have manually
verified that the webserver no longer advertises 3DES and RC4 ciphers
using a script modified from [1].

[1]: https://superuser.com/a/224263

Change-Id: I9169e5dc30ba52251347241dca4c1ca490f581c9
Reviewed-on: http://gerrit.cloudera.org:8080/8286
Reviewed-by: Alexey Serbin <[email protected]>
Tested-by: Kudu Jenkins
(cherry picked from commit 57b8b8fdf33b312ab4a5d70e98dfe5e98a491b17)
---
M src/kudu/server/webserver.cc
M src/kudu/server/webserver_options.cc
M src/kudu/server/webserver_options.h
M thirdparty/vars.sh
4 files changed, 30 insertions(+), 1 deletion(-)

  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/64/10264/1

--
To view, visit http://gerrit.cloudera.org:8080/10264
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: branch-1.5.x
Gerrit-MessageType: newchange
Gerrit-Change-Id: I9169e5dc30ba52251347241dca4c1ca490f581c9
Gerrit-Change-Number: 10264
Gerrit-PatchSet: 1
Gerrit-Owner: Will Berkeley <[email protected]>
Gerrit-Reviewer: Dan Burkert <[email protected]>
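
One way to check a candidate 'webserver-tls-ciphers' value, and a running webserver, for the 3DES and RC4 suites the commit message mentions. This is an added example, not part of this change or of Kudu; the function names, the marker list and any cipher names passed in are assumptions made for illustration.

```python
import socket
import ssl

# Substrings that identify the two cipher families named in the commit
# message (OpenSSL-style and IANA-style names). Assumed list, not Kudu's.
WEAK_MARKERS = ("DES-CBC3", "3DES", "RC4")


def weak_names(names):
    """Return the cipher names that belong to the 3DES or RC4 families."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]


def expand(cipher_string):
    """Expand an OpenSSL cipher string using the local OpenSSL build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def audit(cipher_string):
    """Weak suites that a candidate 'webserver-tls-ciphers' value enables."""
    return weak_names(expand(cipher_string))


def server_accepts(host, port, cipher):
    """True/False if a TLS <= 1.2 handshake offering only `cipher` succeeds;
    None if the local OpenSSL build cannot offer that cipher at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # probing cipher support, not identity
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        # SECLEVEL=0 stops the local security level from hiding legacy suites.
        ctx.set_ciphers(cipher + ":@SECLEVEL=0")
    except ssl.SSLError:
        return None
    # Connection errors propagate; only handshake failures count as rejection.
    with socket.create_connection((host, port), timeout=5) as sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
        except (ssl.SSLError, OSError):
            return False
```

A `None` from `server_accepts` means the probing host cannot test that suite, not that the server rejects it; run the probe from a host whose OpenSSL still includes the legacy ciphers.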
