Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/17189 )
Change subject: KUDU-2871 support TLSv1.3 in Kudu RPC (C++ part)
......................................................................


Patch Set 8:

(2 comments)

http://gerrit.cloudera.org:8080/#/c/17189/8/src/kudu/security/security_flags.cc
File src/kudu/security/security_flags.cc:

http://gerrit.cloudera.org:8080/#/c/17189/8/src/kudu/security/security_flags.cc@29
PS8, Line 29: // TODO(aserbin): refresh the list to drop RHEL6/CentOS6 ciphers and
> Should that patch land first before this?

That's I'm sure about. We might want to keep backward compatibility for the client side for a couple of releases, phasing pre-TLSv1.2 in a couple of releases.

Basically, the idea is that it's possible to control the TLS protocol version and ciphers list on the server side, but it's not so for the client side. So, the safest path forward is to re-order and shorten the list, but not exactly removing pre-TLSv1.2 ciphers.


http://gerrit.cloudera.org:8080/#/c/17189/8/src/kudu/server/server_base.cc
File src/kudu/server/server_base.cc:

http://gerrit.cloudera.org:8080/#/c/17189/8/src/kudu/server/server_base.cc@167
PS8, Line 167: DEFINE_string(rpc_tls_1_3_ciphers,
> A flag tied to a version of a dependency feels like a future compatibility/

What's exactly the challenge here? Just consider this as the parameter to set TLSv1.3 and later version ciphers. Those are controlled by a different call in the OpenSSL API.

No, I don't think there is much sense in re-using `rpc_tls_ciphers` for TLSv1.3 ciphers: the syntax for the priority list and the API differs. And I don't think anybody wants to build a complicated and error-prone parser to separate TLSv1.3 and pre-TLSv1.3 ciphers from the list.

See https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_ciphersuites.html


--
To view, visit http://gerrit.cloudera.org:8080/17189
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ia92a4d102c3c8cff76101e71ff71d24a9d78b672
Gerrit-Change-Number: 17189
Gerrit-PatchSet: 8
Gerrit-Owner: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Andrew Wong <[email protected]>
Gerrit-Reviewer: Attila Bukor <[email protected]>
Gerrit-Reviewer: Grant Henke <[email protected]>
Gerrit-Reviewer: Joe McDonnell <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Comment-Date: Mon, 05 Apr 2021 16:27:31 +0000
Gerrit-HasComments: Yes
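The split between the pre-TLSv1.3 cipher list and the TLSv1.3 ciphersuites discussed in the comment above can be observed from Python, whose `ssl.SSLContext.set_ciphers()` drives only the OpenSSL cipher-list call. This is an added example, not code from the Kudu change or from the comment's author; the function name `split_by_protocol` and the sample cipher strings are constructed for illustration.

```python
import ssl


def split_by_protocol(cipher_list):
    """Apply an OpenSSL cipher-list string (the pre-TLSv1.3 syntax) to a
    fresh server context and report what the context actually offers.

    Returns (tls13_names, legacy_names).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # set_ciphers() maps to the cipher-list API; it does not touch the
    # TLSv1.3 ciphersuites, which OpenSSL configures through a separate call.
    ctx.set_ciphers(cipher_list)
    tls13, legacy = [], []
    for cipher in ctx.get_ciphers():
        bucket = tls13 if cipher["protocol"] == "TLSv1.3" else legacy
        bucket.append(cipher["name"])
    return tls13, legacy


# Constructed sample values: two deliberately different pre-TLSv1.3 lists.
NARROW = "ECDHE-RSA-AES128-GCM-SHA256"
WIDER = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"


def compare_lists():
    """Show that changing the cipher list changes only the legacy suites."""
    narrow13, narrow_legacy = split_by_protocol(NARROW)
    wider13, wider_legacy = split_by_protocol(WIDER)
    return {
        "tls13_unchanged": sorted(narrow13) == sorted(wider13),
        "tls13": sorted(narrow13),
        "legacy_narrow": sorted(narrow_legacy),
        "legacy_wider": sorted(wider_legacy),
    }


if __name__ == "__main__":
    for key, value in compare_lists().items():
        print(f"{key}: {value}")
```

An operator who tightens only the cipher-list setting therefore still needs to review which TLSv1.3 suites the endpoint offers, which is the case a separate setting covers.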
