Hello Tidy Bot, Kudu Jenkins,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/17189
to look at the new patch set (#2).
Change subject: KUDU-2871 support TLSv1.3 in Kudu RPC (C++ part)
......................................................................
KUDU-2871 support TLSv1.3 in Kudu RPC (C++ part)

With this patch, Kudu servers and the Kudu C++ client can use TLSv1.3
for securing Kudu RPC communication. All tests run between C++
components now use TLSv1.3 when compiled with OpenSSL 1.1.1 or newer
versions.

This patch introduces two new server-side flags:
  --rpc_tls_1_3_ciphers
  --rpc_tls_excluded_protocols

The former is to customize the list of preferred ciphers for TLSv1.3.
The latter is to control the set of TLS protocols used by Kudu servers
when securing connections for RPC communication. It can be used along
with the --rpc_tls_min_protocol flag to define the set of TLS protocols
available to Kudu servers when running a TLS handshake. For example,
set --rpc_tls_excluded_protocols=TLSv1.3 to exclude TLSv1.3 from
available options for securing Kudu RPC.

In addition, I added a validator for the --rpc_tls_min_protocol flag,
similar to the validator for --rpc_tls_excluded_protocols.

This patch also adds a new test to exercise the TLSv1.3 handshake in
the context of establishing a connection for Kudu RPC.

The embedded webserver isn't updated yet with TLSv1.3 cipher controls:
that will be done in a separate patch because it first requires
squeasel to introduce a new TLSv1.3-specific flag and call
SSL_CTX_set_ciphersuites() correspondingly.

Change-Id: Ia92a4d102c3c8cff76101e71ff71d24a9d78b672
---
M src/kudu/rpc/client_negotiation.cc
M src/kudu/rpc/messenger.cc
M src/kudu/rpc/messenger.h
M src/kudu/rpc/server_negotiation.cc
M src/kudu/security/security-test-util.cc
M src/kudu/security/security_flags.cc
M src/kudu/security/security_flags.h
M src/kudu/security/tls_context.cc
M src/kudu/security/tls_context.h
M src/kudu/security/tls_handshake-test.cc
M src/kudu/security/tls_handshake.cc
M src/kudu/security/tls_handshake.h
M src/kudu/server/server_base.cc
13 files changed, 463 insertions(+), 86 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/89/17189/2
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ia92a4d102c3c8cff76101e71ff71d24a9d78b672
Gerrit-Change-Number: 17189
Gerrit-PatchSet: 2
Gerrit-Owner: Alexey Serbin
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
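
The flag interaction described in the commit message above, as an added C++ example that is not Kudu's code: it resolves which protocols remain available when --rpc_tls_min_protocol and --rpc_tls_excluded_protocols are combined, and rejects unknown names or a combination that leaves nothing enabled. The function names, the protocol spellings other than TLSv1.3 and the empty-set check are assumptions.

```cpp
// Added illustration, not Kudu source. Function names and protocol
// spellings other than "TLSv1.3" are assumptions.
#include <algorithm>
#include <array>
#include <iostream>
#include <set>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

// TLS protocol versions in ascending order (assumed spellings).
static const std::array<std::string, 4> kProtocols = {
    "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"};

// Index of a protocol name in kProtocols, or -1 if the name is unknown.
static int ProtocolIndex(const std::string& name) {
  auto it = std::find(kProtocols.begin(), kProtocols.end(), name);
  return it == kProtocols.end() ? -1 : static_cast<int>(it - kProtocols.begin());
}

// Hypothetical validator and resolver: returns the protocols left for the
// handshake given the minimum version and a comma-separated exclusion
// list. Throws on an unknown name or when no protocol remains enabled.
std::vector<std::string> EffectiveProtocols(const std::string& min_protocol,
                                            const std::string& excluded_csv) {
  const int min_idx = ProtocolIndex(min_protocol);
  if (min_idx < 0) throw std::invalid_argument("unknown min protocol");
  std::set<int> excluded;
  std::istringstream in(excluded_csv);
  for (std::string tok; std::getline(in, tok, ',');) {
    if (tok.empty()) continue;  // tolerate an empty list or a stray comma
    const int idx = ProtocolIndex(tok);
    if (idx < 0) throw std::invalid_argument("unknown excluded protocol");
    excluded.insert(idx);
  }
  std::vector<std::string> enabled;
  for (int i = min_idx; i < static_cast<int>(kProtocols.size()); ++i) {
    if (!excluded.count(i)) enabled.push_back(kProtocols[i]);
  }
  if (enabled.empty()) throw std::invalid_argument("no TLS protocol enabled");
  return enabled;
}

int main() {
  for (const auto& p : EffectiveProtocols("TLSv1.2", "TLSv1.3")) std::cout << p << "\n";
  return 0;
}
```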