Andrew Wong has posted comments on this change. ( http://gerrit.cloudera.org:8080/17268 )

Change subject: [security] set minimum TLS protocol version to TLSv1.2
......................................................................

Patch Set 3:

(2 comments)

http://gerrit.cloudera.org:8080/#/c/17268/3//COMMIT_MSG
Commit Message:

http://gerrit.cloudera.org:8080/#/c/17268/3//COMMIT_MSG@31
PS3, Line 31:   * AES128-SHA (TLS_RSA_WITH_AES_128_CBC_SHA)
            :   * AES256-SHA (TLS_RSA_WITH_AES_256_CBC_SHA)
This might be a silly question, but I'm not sure how the minimum TLS versioning works. If we left the client minimum TLS version at v1, but changed the cipher defaults to be what they are with this patch, + AES128-SHA:AES256-SHA, would the new client be able to communicate with both a new and an old server? Or would having a minimum TLS version of v1 mean the client can only use v1 to communicate?

http://gerrit.cloudera.org:8080/#/c/17268/3//COMMIT_MSG@65
PS3, Line 65: --rpc_tls_min_protocol and
            : --rpc_tls_ciphers flags on all masters and tablet servers
            : in the cluster, setting --rpc_tls_min_protocol=TLSv1
Is there a reason to _not_ expose these to, e.g., tooling, if we find that we do want to communicate with such an old cluster? I'm fine dropping the support given how crufty the old versions are -- just curious if exposing these flags client/tooling-side would alleviate the former workaround.

--
To view, visit http://gerrit.cloudera.org:8080/17268
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I07633a04d3828100f148e5de3905094198d13396
Gerrit-Change-Number: 17268
Gerrit-PatchSet: 3
Gerrit-Owner: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Andrew Wong <[email protected]>
Gerrit-Reviewer: Attila Bukor <[email protected]>
Gerrit-Reviewer: Grant Henke <[email protected]>
Gerrit-Reviewer: Greg Solovyev <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Thu, 22 Apr 2021 23:59:50 +0000
Gerrit-HasComments: Yes
