Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/17204 )
Change subject: KUDU-1926: disable TLS/SSL renegotiation
......................................................................

Patch Set 2:

(3 comments)

http://gerrit.cloudera.org:8080/#/c/17204/2//COMMIT_MSG
Commit Message:

http://gerrit.cloudera.org:8080/#/c/17204/2//COMMIT_MSG@11
PS2, Line 11: to all
> nit: to disable all?

Done

http://gerrit.cloudera.org:8080/#/c/17204/2//COMMIT_MSG@16
PS2, Line 16: The moot point is the version interval between 1.1.0a and 1.1.0g: the
           : SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag is already gone, but
           : SSL_OP_NO_RENEGOTIATION is not yet present.
> Just making sure I understand: this means we still renegotiate if compiling

Right: if compiling with OpenSSL in the specified version range, the server is still advertising the renegotiation option. That's true even if the server is effectively run against 1.1.0h or a later version. I added an extra blurb about this.

As for whether cipher or other renegotiation happens during or after establishing an RPC connection, I guess Kudu components never do that, with or without this patch. This change is more about disabling the options which aren't used by Kudu, but make the system less secure. This patch removes one more option which was turned on by default but wasn't used by Kudu.

http://gerrit.cloudera.org:8080/#/c/17204/2/src/kudu/security/tls_context.cc
File src/kudu/security/tls_context.cc:

http://gerrit.cloudera.org:8080/#/c/17204/2/src/kudu/security/tls_context.cc@186
PS2, Line 186: //
> nit: maybe note the Jira here too?

Done

--
To view, visit http://gerrit.cloudera.org:8080/17204
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1
Gerrit-Change-Number: 17204
Gerrit-PatchSet: 2
Gerrit-Owner: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Andrew Wong <[email protected]>
Gerrit-Reviewer: Attila Bukor <[email protected]>
Gerrit-Reviewer: Grant Henke <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Mon, 22 Mar 2021 23:23:09 +0000
Gerrit-HasComments: Yes
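The version-interval point above, as an added example that is not part of this Gerrit thread or of Kudu's own code: a Python check that decodes an OpenSSL `OPENSSL_VERSION_NUMBER` and reports whether a build at that version can disable renegotiation via the old `SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS` flag, via `SSL_OP_NO_RENEGOTIATION`, or not at all. The interval boundaries (1.1.0a and 1.1.0h) are taken from the comment, and the cross-check against Python's `ssl` module is this example's own assumption.

```python
"""Classify an OpenSSL build by how client-initiated renegotiation can be
switched off. Pre-3.0 OpenSSL encodes versions as 0xMNNFFPPS (major, minor,
fix, patch letter, status); 3.x uses 0xMNN00PP0."""
import ssl

# Boundaries taken from the review comment (assumption of this example):
V_1_1_0a = 0x1010001F  # SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS gone from here on
V_1_1_0h = 0x1010008F  # SSL_OP_NO_RENEGOTIATION first available


def decode_version(n):
    """Render a numeric OpenSSL version as the familiar '1.1.0g' style."""
    major = (n >> 28) & 0xF
    minor = (n >> 20) & 0xFF
    if major >= 3:                      # 3.x: no fix field, no patch letter
        return f"{major}.{minor}.{(n >> 4) & 0xFF}"
    fix = (n >> 12) & 0xFF
    patch = (n >> 4) & 0xFF             # 1 -> 'a', 2 -> 'b', ...
    status = n & 0xF                    # 0 dev, 1..0xE beta, 0xF release
    letter = chr(ord("a") + patch - 1) if patch else ""
    if status == 0xF:
        suffix = ""
    elif status == 0:
        suffix = "-dev"
    else:
        suffix = f"-beta{status}"
    return f"{major}.{minor}.{fix}{letter}{suffix}"


def renegotiation_control(n):
    """Which mechanism a build at version n offers to refuse renegotiation:
    'flag'   -> SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS on the (then public) s->s3
    'none'   -> the gap named in the review: neither flag nor option exists
    'option' -> SSL_OP_NO_RENEGOTIATION via SSL_CTX_set_options()."""
    if n < V_1_1_0a:
        return "flag"
    if n < V_1_1_0h:
        return "none"
    return "option"


def check_running_build():
    """Classify the OpenSSL that Python's ssl module was built against and
    cross-check it: the ssl module exposes OP_NO_RENEGOTIATION only when the
    underlying library has SSL_OP_NO_RENEGOTIATION."""
    n = ssl.OPENSSL_VERSION_NUMBER
    return decode_version(n), renegotiation_control(n), hasattr(ssl, "OP_NO_RENEGOTIATION")


if __name__ == "__main__":
    print(check_running_build())
```

A build whose result is `'none'` still advertises renegotiation to peers even when it later runs against a newer shared library, which is the point made in the reply above.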
