[jira] [Commented] (KUDU-2871) TLS 1.3 not supported by krpc

2021-04-07 Thread ASF subversion and git services (Jira)


[ https://issues.apache.org/jira/browse/KUDU-2871?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17316393#comment-17316393 ]

ASF subversion and git services commented on KUDU-2871:
---

Commit 0e1a1545b827d9a3d5d50fd3d54f60bdea83f40c in kudu's branch refs/heads/master from Alexey Serbin
[ https://gitbox.apache.org/repos/asf?p=kudu.git;h=0e1a154 ]

KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)

With this patch, the Kudu Java client is able to talk TLSv1.3 to the server
side.  Essentially, this is about adding TLSv1.3 ciphers into the list
of preferred cipher suites in Negotiator.java and sending a chunk of
data produced by the final TLSv1.3 handshake iteration to the server
when the client senses that the TLS handshake is done.

Prior to this patch, the Kudu Java client didn't support TLSv1.3 for RPC
because:
  * It didn't have the ciphers required for TLSv1.3
  * It didn't send back the last chunk of data to the server side
at the end of the TLS handshake process

The former is crucial to allow Kudu Java clients of prior versions
to talk with newer, TLSv1.3-capable Kudu servers.  In other words,
TLSv1.2 is the highest protocol version that Kudu Java clients of prior
versions are able to use even when talking to newer Kudu servers which
are now capable of talking TLSv1.3.

This patch also contains a new test scenario to verify the functionality
of TLSv1.3-enabled RPC between a Kudu Java client and a Kudu cluster.
The newly added scenario runs only if both the JVM and the node's
OpenSSL library support TLSv1.3.

Change-Id: I884170bdbded8b4017a80db34ecc0a755426c5c2
Reviewed-on: http://gerrit.cloudera.org:8080/17245
Tested-by: Alexey Serbin 
Reviewed-by: Grant Henke 


> TLS 1.3 not supported by krpc
> -
>
> Key: KUDU-2871
> URL: https://issues.apache.org/jira/browse/KUDU-2871
> Project: Kudu
>  Issue Type: Bug
>  Components: master, rpc, security, tserver
>Affects Versions: 1.8.0, 1.9.0, 1.9.1
>Reporter: Todd Lipcon
>Assignee: Alexey Serbin
>Priority: Major
>
> The TLS negotiation in our RPC protocol assumes a whole number of round trips 
> between client and server. For TLS 1.3, the exchange has 1.5 round trips (the 
> client is the last sender rather than the server) which breaks negotiation. 
> Most tests thus fail with OpenSSL 1.1.1.
> We should temporarily disable TLS 1.3 and then fix RPC to support this.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
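The "1.5 round trips" point in the issue description, as an added Go example that is not part of Kudu or of this thread: both sides of a loopback handshake are pinned to one protocol version and the client's raw socket records who sent each flight. TLS 1.2 ends with a server flight, TLS 1.3 with the client's Finished, which is why a negotiator that stops as soon as its TLS engine reports the handshake done, without flushing that last client flight, leaves the server waiting. The self-signed certificate, the loopback listener and InsecureSkipVerify are test scaffolding assumed here, not Kudu configuration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// flightCounter wraps the client's raw socket and records one entry per "flight"; a flight starts whenever traffic changes direction.
type flightCounter struct {
	net.Conn
	Senders []string // "client" or "server", in wire order
}
func (f *flightCounter) note(who string) {
	if n := len(f.Senders); n == 0 || f.Senders[n-1] != who {
		f.Senders = append(f.Senders, who)
	}
}
func (f *flightCounter) Read(b []byte) (int, error)  { f.note("server"); return f.Conn.Read(b) }
func (f *flightCounter) Write(b []byte) (int, error) { f.note("client"); return f.Conn.Write(b) }
func must[T any](v T, err error) T { // setup failures are fatal in test scaffolding like this
	if err != nil {
		panic(err)
	}
	return v
}

// handshakeFlights pins both sides to one TLS version, runs a handshake over loopback TCP and returns who sent each flight, in order.
func handshakeFlights(version uint16) ([]string, error) {
	_, key, _ := ed25519.GenerateKey(rand.Reader) // throwaway self-signed certificate, constructed for this test
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key))
	srvCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}, MinVersion: version, MaxVersion: version}
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	go func() { // server side: accept one connection and drive its handshake to completion
		s := tls.Server(must(ln.Accept()), srvCfg)
		defer s.Close()
		s.Handshake()
	}()
	fc := &flightCounter{Conn: must(net.Dial("tcp", ln.Addr().String()))}
	cl := tls.Client(fc, &tls.Config{InsecureSkipVerify: true, MinVersion: version, MaxVersion: version}) // skip verify: self-signed test peer only
	err := cl.Handshake()
	defer cl.Close() // runs after the return values are evaluated, so a close_notify flight is never recorded
	return fc.Senders, err
}
```

For TLS 1.3 the recorded sequence is client, server, client (three flights, client last); for TLS 1.2 it is client, server, client, server.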


[jira] [Commented] (KUDU-2871) TLS 1.3 not supported by krpc

2021-04-07 Thread ASF subversion and git services (Jira)


[ https://issues.apache.org/jira/browse/KUDU-2871?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17316392#comment-17316392 ]

ASF subversion and git services commented on KUDU-2871:
---

Commit df6590d26de51d67e178c59b50dfcda6ea1244a7 in kudu's branch refs/heads/master from Alexey Serbin
[ https://gitbox.apache.org/repos/asf?p=kudu.git;h=df6590d ]

KUDU-2871 support TLSv1.3 in Kudu RPC (C++ part)

With this patch, Kudu servers and the Kudu C++ client can use TLSv1.3
for securing Kudu RPC communication.  All tests run between C++
components now use TLSv1.3 when compiled with OpenSSL 1.1.1 or newer.

This patch introduces two new server-side flags:
  --rpc_tls_ciphersuites
  --rpc_tls_excluded_protocols

The former is to customize the list of preferred ciphers for TLSv1.3.
The latter is to control the set of TLS protocols used by Kudu servers
when securing connections for RPC communication.  It can be used along
with the --rpc_tls_min_protocol flag to define the set of TLS protocols
available to Kudu servers when running a TLS handshake.  For example,
set --rpc_tls_excluded_protocols=TLSv1.3 to exclude TLSv1.3 from
available options for securing Kudu RPC.

In addition, I added a validator for the --rpc_tls_min_protocol flag,
similar to the validator for --rpc_tls_excluded_protocols.

This patch also adds a new test to exercise TLSv1.3 handshake in
the context of establishing a connection for Kudu RPC.

The embedded webserver isn't updated yet with TLSv1.3 cipher controls.
That will be done in a separate patch because it requires pushing an
update to the squeasel webserver to introduce a new TLSv1.3-specific
flag and make a call to SSL_CTX_set_ciphersuites() correspondingly.

Change-Id: Ia92a4d102c3c8cff76101e71ff71d24a9d78b672
Reviewed-on: http://gerrit.cloudera.org:8080/17189
Tested-by: Alexey Serbin 
Reviewed-by: Grant Henke 




[jira] [Commented] (KUDU-2871) TLS 1.3 not supported by krpc

2019-06-20 Thread Alexey Serbin (JIRA)


[ https://issues.apache.org/jira/browse/KUDU-2871?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16868839#comment-16868839 ]

Alexey Serbin commented on KUDU-2871:
-

The temporary fix of pegging the max TLS version to TLSv1.2 has been submitted into 
the main trunk and branch-1.10.x of the Kudu git repo:

* https://github.com/apache/kudu/commit/efc3f372e8b9254ab6b65d1f884381016329611c
* https://github.com/apache/kudu/commit/86a0dc29fcfd3b6fd2eb8089839e0379b8dd62f4

> TLS 1.3 not supported by krpc
> -
>
> Key: KUDU-2871
> URL: https://issues.apache.org/jira/browse/KUDU-2871
> Project: Kudu
>  Issue Type: Bug
>  Components: master, rpc, security, tserver
>Affects Versions: 1.8.0, 1.9.0, 1.9.1
>Reporter: Todd Lipcon
>Priority: Major
>
> The TLS negotiation in our RPC protocol assumes a whole number of round trips 
> between client and server. For TLS 1.3, the exchange has 1.5 round trips (the 
> client is the last sender rather than the server) which breaks negotiation. 
> Most tests thus fail with OpenSSL 1.1.1.
> We should temporarily disable TLS 1.3 and then fix RPC to support this.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (KUDU-2871) TLS 1.3 not supported by krpc

2019-06-20 Thread Alexey Serbin (JIRA)


[ https://issues.apache.org/jira/browse/KUDU-2871?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16868323#comment-16868323 ]

Alexey Serbin commented on KUDU-2871:
-

Some useful info on TLSv1.3 w.r.t. what it entails for ciphers, ABI 
compatibility, etc: https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/

> TLS 1.3 not supported by krpc
> -
>
> Key: KUDU-2871
> URL: https://issues.apache.org/jira/browse/KUDU-2871
> Project: Kudu
>  Issue Type: Bug
>  Components: rpc, security
>Reporter: Todd Lipcon
>Priority: Major
>
> The TLS negotiation in our RPC protocol assumes a whole number of round trips 
> between client and server. For TLS 1.3, the exchange has 1.5 round trips (the 
> client is the last sender rather than the server) which breaks negotiation. 
> Most tests thus fail with OpenSSL 1.1.1.
> We should temporarily disable TLS 1.3 and then fix RPC to support this.


