Alexey Serbin has uploaded this change for review. ( http://gerrit.cloudera.org:8080/17204 )


Change subject: KUDU-1926: disable TLS/SSL session renegotiation
......................................................................

KUDU-1926: disable TLS/SSL session renegotiation

This patch disables TLS ciphers renegotiation for TLSv1.2 and prior.
In case of OpenSSL version 1.1.0h and newer, we are using
SSL_OP_NO_RENEGOTIATION option to disable all renegotiation.  In case of OpenSSL
version prior to 1.1.0a, the undocumented
SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag is used.  See [1], [2] and [3]
for more context.

The moot point is the version interval between 1.1.0a and 1.1.0g: the
SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag is already gone, but
SSL_OP_NO_RENEGOTIATION is not yet present.

[1] https://www.openssl.org/docs/man1.1.0/man3/SSL_set_options.html
[2] https://github.com/openssl/openssl/blob/f9398cc2b31858ddaaea3f5cfec2fce7f9b90347/CHANGES#L1038-L1049
[3] https://github.com/openssl/openssl/issues/4739

Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1
---
M src/kudu/security/tls_context.cc
1 file changed, 26 insertions(+), 0 deletions(-)



  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/04/17204/1
--
To view, visit http://gerrit.cloudera.org:8080/17204
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1
Gerrit-Change-Number: 17204
Gerrit-PatchSet: 1
Gerrit-Owner: Alexey Serbin <aser...@cloudera.com>
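
The version intervals described in the commit message above can be checked against a build's OPENSSL_VERSION_NUMBER value. The following is an added example, not code from the Kudu patch; the enum, macro and function names are hypothetical, and the interval boundaries are taken as stated in the commit message.

```c
#include <stdio.h>

/* Added illustration; names are hypothetical, boundaries follow the
 * commit message (prior to 1.1.0a / 1.1.0a..1.1.0g / 1.1.0h and newer). */
enum reneg_control {
    RENEG_SSL3_FLAG,  /* SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS is used */
    RENEG_NO_CONTROL, /* old flag gone, SSL_OP_NO_RENEGOTIATION not yet present */
    RENEG_SSL_OP      /* SSL_OP_NO_RENEGOTIATION is used */
};

/* OPENSSL_VERSION_NUMBER for 1.x is 0xMNNFFPPS; the low nibble S is the
 * release status, so it is shifted out before comparing. */
#define VER_1_1_0A 0x1010001UL /* 1.1.0a without the status nibble */
#define VER_1_1_0H 0x1010008UL /* 1.1.0h without the status nibble */

enum reneg_control reneg_control_for(unsigned long version_number) {
    unsigned long v = version_number >> 4;
    if (v >= VER_1_1_0H) return RENEG_SSL_OP;
    if (v >= VER_1_1_0A) return RENEG_NO_CONTROL;
    return RENEG_SSL3_FLAG;
}

const char *reneg_control_name(enum reneg_control c) {
    switch (c) {
    case RENEG_SSL_OP:     return "SSL_OP_NO_RENEGOTIATION";
    case RENEG_NO_CONTROL: return "no renegotiation switch available";
    default:               return "SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS";
    }
}

int main(void) {
    /* Constructed sample values in OPENSSL_VERSION_NUMBER encoding. */
    static const struct { const char *label; unsigned long num; } samples[] = {
        { "1.0.2k", 0x100020bfUL },
        { "1.1.0a", 0x1010001fUL },
        { "1.1.0g", 0x1010007fUL },
        { "1.1.0h", 0x1010008fUL },
        { "1.1.1",  0x1010100fUL },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-7s -> %s\n", samples[i].label,
               reneg_control_name(reneg_control_for(samples[i].num)));
    }
    return 0;
}
```

A build that lands in the middle interval is the one to flag during an audit, since neither mechanism named in the commit message applies to it.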
