Hello Attila Bukor, Kudu Jenkins, Grant Henke,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/17204
to look at the new patch set (#2).
Change subject: KUDU-1926: disable TLS/SSL session renegotiation
......................................................................
KUDU-1926: disable TLS/SSL session renegotiation
This patch disables TLS ciphers renegotiation for TLSv1.2 and prior.
In case of OpenSSL version 1.1.0h and newer, we are using the
SSL_OP_NO_RENEGOTIATION option to disable all renegotiation. In case of OpenSSL
version prior to 1.1.0a, the undocumented
SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag is used. See [1], [2] and [3]
for more context.
The moot point is the version interval between 1.1.0a and 1.1.0g: the
SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag is already gone, but
SSL_OP_NO_RENEGOTIATION is not yet present.
[1] https://www.openssl.org/docs/man1.1.0/man3/SSL_set_options.html
[2] https://github.com/openssl/openssl/blob/f9398cc2b31858ddaaea3f5cfec2fce7f9b90347/CHANGES#L1038-L1049
[3] https://github.com/openssl/openssl/issues/4739
Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1
---
M src/kudu/security/tls_context.cc
1 file changed, 25 insertions(+), 2 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/04/17204/2
--
To view, visit http://gerrit.cloudera.org:8080/17204
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1
Gerrit-Change-Number: 17204
Gerrit-PatchSet: 2
Gerrit-Owner: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Attila Bukor <[email protected]>
Gerrit-Reviewer: Grant Henke <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
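
The three version intervals in the commit message above can be checked against a build's OpenSSL version number. The following is an added example, not part of the original message or of Kudu's code; the names `reneg_guard`, `classify_openssl` and `guard_name` are hypothetical, and the sample version numbers are constructed from OpenSSL's pre-3.0 `0xMNNFFPPS` encoding.

```c
#include <stdio.h>

/* Mechanisms named in the commit message, keyed by version interval. */
enum reneg_guard {
    GUARD_SSL3_FLAG, /* prior to 1.1.0a: SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS */
    GUARD_NONE,      /* 1.1.0a through 1.1.0g: neither mechanism exists */
    GUARD_SSL_OP     /* 1.1.0h and newer: SSL_OP_NO_RENEGOTIATION */
};

/* Pre-3.0 OpenSSL version numbers are 0xMNNFFPPS; the low nibble S is the
 * release status, so it is shifted out before comparing. */
#define VER_1_1_0A 0x1010001UL
#define VER_1_1_0H 0x1010008UL

enum reneg_guard classify_openssl(unsigned long version_number) {
    unsigned long v = version_number >> 4;
    if (v >= VER_1_1_0H) return GUARD_SSL_OP;
    if (v < VER_1_1_0A) return GUARD_SSL3_FLAG;
    return GUARD_NONE;
}

const char *guard_name(enum reneg_guard g) {
    switch (g) {
    case GUARD_SSL3_FLAG: return "SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS";
    case GUARD_SSL_OP:    return "SSL_OP_NO_RENEGOTIATION";
    default:              return "none (gap interval)";
    }
}

int main(void) {
    /* Constructed sample values. In a real binary, pass the value returned
     * by OpenSSL_version_num() (1.1.0+) or SSLeay() (older releases). */
    static const struct { const char *label; unsigned long num; } samples[] = {
        { "1.0.2u", 0x1000215fUL }, { "1.1.0a", 0x1010001fUL },
        { "1.1.0g", 0x1010007fUL }, { "1.1.0h", 0x1010008fUL },
        { "1.1.1",  0x1010100fUL },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-7s -> %s\n", samples[i].label,
               guard_name(classify_openssl(samples[i].num)));
    return 0;
}
```

A build that lands in the gap interval has neither mechanism to rely on, so an inventory of deployed OpenSSL versions should flag it.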