Alexey Serbin has uploaded this change for review. ( http://gerrit.cloudera.org:8080/17268 )


Change subject: WIP [security] set minimum TLS protocol to TLSv1.2
......................................................................

WIP [security] set minimum TLS protocol to TLSv1.2

Since support for CentOS 6/RHEL 6, Ubuntu 14, Ubuntu 16, and Debian 8
is dropped since Kudu 1.14 [1], we can bump the minimum required TLS
protocol version up to TLSv1.2 for securing Kudu RPC.  That's because
  * Supported server-side OSes have OpenSSL of at least version 1.0.1
    in their stock distribution, so Kudu servers running on supported
    OSes automatically support TLSv1.2
  * Kudu Java client requires Java 8+ in runtime since Kudu 1.10 [2],
    so Kudu Java clients automatically support TLSv1.2 since then

In addition, this patch updates the list of the preferred TLSv1.2
ciphers, bringing it up-to-date with the "intermediate compatibility"
cipher list of the Mozilla Security Server Side TLS recommendations [3]
(without the DH AES ciphers).

WIP:
  * add more information on server/client incompatibilities with
    this patch, i.e. what obsoleted server platforms would not be able
    to talk to the newer C++ and Java clients
  * collect feedback

[1] https://kudu.apache.org/releases/1.14.0/docs/release_notes.html
[2] https://issues.apache.org/jira/browse/KUDU-2099
[3] https://wiki.mozilla.org/Security/Server_Side_TLS

Change-Id: I07633a04d3828100f148e5de3905094198d13396
---
M java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java
M src/kudu/security/security_flags.cc
2 files changed, 23 insertions(+), 40 deletions(-)



  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/68/17268/1
--
To view, visit http://gerrit.cloudera.org:8080/17268
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I07633a04d3828100f148e5de3905094198d13396
Gerrit-Change-Number: 17268
Gerrit-PatchSet: 1
Gerrit-Owner: Alexey Serbin <[email protected]>
