Hello Tidy Bot, Attila Bukor, Kudu Jenkins, Andrew Wong, Grant Henke,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/17189
to look at the new patch set (#3).
Change subject: KUDU-2871 support TLSv1.3 in Kudu RPC (C++ part)
......................................................................
KUDU-2871 support TLSv1.3 in Kudu RPC (C++ part)

With this patch, Kudu servers and the Kudu C++ client can use TLSv1.3
for securing Kudu RPC communication. All tests run between C++
components now use TLSv1.3 when compiled with OpenSSL 1.1.1 or newer
versions.

This patch introduces two new server-side flags:
  --rpc_tls_1_3_ciphers
  --rpc_tls_excluded_protocols

The former is to customize the list of preferred ciphers for TLSv1.3.
The latter is to control the set of TLS protocols used by Kudu servers
when securing connections for RPC communication. It can be used along
with the --rpc_tls_min_protocol flag to define the set of TLS protocols
available to Kudu servers when running a TLS handshake. For example,
set --rpc_tls_excluded_protocols=TLSv1.3 to exclude TLSv1.3 from
available options for securing Kudu RPC.

In addition, I added a validator for the --rpc_tls_min_protocol flag,
similar to the validator for --rpc_tls_excluded_protocols.

This patch also adds a new test to exercise the TLSv1.3 handshake in
the context of establishing a connection for Kudu RPC.

The embedded webserver isn't updated yet with TLSv1.3 cipher controls:
that will be done in a separate patch because it first requires
squeasel to introduce a new TLSv1.3-specific flag and call
SSL_CTX_set_ciphersuites() correspondingly.

I ran some of the existing performance tests to compare TLSv1.2
vs TLSv1.3 performance on a 48-core machine with
Intel(R) Xeon(R) CPU E5-2680 v3 @ 2.50GHz.

Parameters/TestRpc.TestPerformanceBySocketType/SSL_TCP
  Sending 1024MB via ssl-enabled tcp socket:
    TLSv1.2: real 17.774s user 28.992s sys 2.473s
    TLSv1.3: real 2.702s user 1.461s sys 3.112s

RpcBench.BenchmarkCalls
  TLSv1.2
    Reqs/sec: 64364.7
    User CPU per req: 65.4646us
    Sys CPU per req: 84.3419us
    Ctx Sw. per req: 4.02794
    Server reactor latency histogram
      Count: 1938009
      Mean: 33.1368
  TLSv1.3
    Reqs/sec: 117503
    User CPU per req: 27.9537us
    Sys CPU per req: 79.2585us
    Ctx Sw. per req: 3.50379
    Server reactor latency histogram
      Count: 3815425
      Mean: 17.695

Change-Id: Ia92a4d102c3c8cff76101e71ff71d24a9d78b672
---
M src/kudu/rpc/client_negotiation.cc
M src/kudu/rpc/messenger.cc
M src/kudu/rpc/messenger.h
M src/kudu/rpc/server_negotiation.cc
M src/kudu/security/security-test-util.cc
M src/kudu/security/security_flags.cc
M src/kudu/security/security_flags.h
M src/kudu/security/tls_context.cc
M src/kudu/security/tls_context.h
M src/kudu/security/tls_handshake-test.cc
M src/kudu/security/tls_handshake.cc
M src/kudu/security/tls_handshake.h
M src/kudu/server/server_base.cc
13 files changed, 468 insertions(+), 90 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/89/17189/3
--
To view, visit http://gerrit.cloudera.org:8080/17189
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ia92a4d102c3c8cff76101e71ff71d24a9d78b672
Gerrit-Change-Number: 17189
Gerrit-PatchSet: 3
Gerrit-Owner: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Andrew Wong <[email protected]>
Gerrit-Reviewer: Attila Bukor <[email protected]>
Gerrit-Reviewer: Grant Henke <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
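
The commit message above says --rpc_tls_min_protocol and --rpc_tls_excluded_protocols together define the set of protocols a server may negotiate, and that both flags get validators. The following is an added sketch of that combination, not code from the Kudu patch: ResolveProtocols, TlsProtocolSet and the protocol names other than TLSv1.3 are hypothetical, and it assumes exclusions are a comma-separated list applied on top of the minimum.

```cpp
// Added illustration; not Kudu source code.
#include <algorithm>
#include <sstream>
#include <string>
#include <vector>

// Ascending protocol order. "TLSv1.3" is the value spelled on the page; the
// older names are assumed here to follow the same pattern.
static const std::vector<std::string> kProtocols = {
    "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"};

struct TlsProtocolSet {
  std::string error;                 // empty when both flag values are accepted
  std::vector<std::string> enabled;  // protocols left for the handshake
  bool contiguous = true;            // false if exclusions leave a gap
};

// Position of a protocol name in kProtocols, or -1 if it is not recognized.
int ProtocolIndex(const std::string& name) {
  auto it = std::find(kProtocols.begin(), kProtocols.end(), name);
  return it == kProtocols.end() ? -1 : static_cast<int>(it - kProtocols.begin());
}

// Hypothetical validator: rejects unknown names and rejects a combination
// that leaves nothing to negotiate, so a misconfiguration fails at startup
// instead of at the first handshake.
TlsProtocolSet ResolveProtocols(const std::string& min_protocol,
                                const std::string& excluded_csv) {
  TlsProtocolSet out;
  const int min_idx = ProtocolIndex(min_protocol);
  if (min_idx < 0) { out.error = "unknown minimum protocol: " + min_protocol; return out; }
  std::vector<bool> excluded(kProtocols.size(), false);
  std::stringstream ss(excluded_csv);
  for (std::string tok; std::getline(ss, tok, ',');) {
    const int idx = ProtocolIndex(tok);
    if (idx < 0) { out.error = "unknown excluded protocol: " + tok; return out; }
    excluded[idx] = true;
  }
  int last = -1;
  for (int i = min_idx; i < static_cast<int>(kProtocols.size()); ++i) {
    if (excluded[i]) continue;
    if (last >= 0 && i != last + 1) out.contiguous = false;  // gap in the range
    out.enabled.push_back(kProtocols[i]);
    last = i;
  }
  if (out.enabled.empty()) out.error = "no TLS protocol left to negotiate";
  return out;
}
```

The contiguous field is this sketch's own addition: it marks a setting such as a minimum of TLSv1.1 with TLSv1.2 excluded, which leaves a gap between enabled versions that an operator would want to review.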