[Impala-ASF-CR] IMPALA-5800: Configure Squeasel's cipher suite and TLS version

2017-08-16 Thread Impala Public Jenkins (Code Review) 
Impala Public Jenkins has submitted this change and it was merged.

Change subject: IMPALA-5800: Configure Squeasel's cipher suite and TLS version
..


IMPALA-5800: Configure Squeasel's cipher suite and TLS version

* Import Squeasel as of
  https://github.com/cloudera/squeasel/commit/1e5f611, which adds TLS
  version and cipher suite configuration.

* Plumb through --ssl_minimum_version and --ssl_cipher_list to the
  Squeasel options in webserver.cc.

Testing: manually confirm that webserver connections have desired
protocol version and cipher suite. Add two tests to webserver-test to
check that misconfiguration leads to a failure.

Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2
Reviewed-on: http://gerrit.cloudera.org:8080/7679
Reviewed-by: Sailesh Mukil 
Reviewed-by: Henry Robinson 
Tested-by: Impala Public Jenkins
---
M be/src/thirdparty/squeasel/squeasel.c
M be/src/util/webserver-test.cc
M be/src/util/webserver.cc
3 files changed, 80 insertions(+), 3 deletions(-)

Approvals:
  Impala Public Jenkins: Verified
  Henry Robinson: Looks good to me, approved
  Sailesh Mukil: Looks good to me, but someone else must approve



-- 
To view, visit http://gerrit.cloudera.org:8080/7679
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2
Gerrit-PatchSet: 4
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson 
Gerrit-Reviewer: Henry Robinson 
Gerrit-Reviewer: Impala Public Jenkins
Gerrit-Reviewer: Sailesh Mukil

[Impala-ASF-CR] IMPALA-5800: Configure Squeasel's cipher suite and TLS version

2017-08-16 Thread Impala Public Jenkins (Code Review) 
Impala Public Jenkins has posted comments on this change.

Change subject: IMPALA-5800: Configure Squeasel's cipher suite and TLS version
..


Patch Set 3: Verified+1

-- 
To view, visit http://gerrit.cloudera.org:8080/7679
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2
Gerrit-PatchSet: 3
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson 
Gerrit-Reviewer: Henry Robinson 
Gerrit-Reviewer: Impala Public Jenkins
Gerrit-Reviewer: Sailesh Mukil 
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-5800: Configure Squeasel's cipher suite and TLS version

2017-08-16 Thread Henry Robinson (Code Review) 
Henry Robinson has posted comments on this change.

Change subject: IMPALA-5800: Configure Squeasel's cipher suite and TLS version
..


Patch Set 3: Code-Review+2

I feel pretty ok giving this a +2 myself, as the Impala-side changes are tiny.

-- 
To view, visit http://gerrit.cloudera.org:8080/7679
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2
Gerrit-PatchSet: 3
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson 
Gerrit-Reviewer: Henry Robinson 
Gerrit-Reviewer: Impala Public Jenkins
Gerrit-Reviewer: Sailesh Mukil 
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-5800: Configure Squeasel's cipher suite and TLS version

2017-08-16 Thread Impala Public Jenkins (Code Review) 
Impala Public Jenkins has posted comments on this change.

Change subject: IMPALA-5800: Configure Squeasel's cipher suite and TLS version
..


Patch Set 3:

Build started: https://jenkins.impala.io/job/gerrit-verify-dryrun/1076/

-- 
To view, visit http://gerrit.cloudera.org:8080/7679
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2
Gerrit-PatchSet: 3
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson 
Gerrit-Reviewer: Henry Robinson 
Gerrit-Reviewer: Impala Public Jenkins
Gerrit-Reviewer: Sailesh Mukil 
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-5800: Configure Squeasel's cipher suite and TLS version

2017-08-16 Thread Sailesh Mukil (Code Review) 
Sailesh Mukil has posted comments on this change.

Change subject: IMPALA-5800: Configure Squeasel's cipher suite and TLS version
..


Patch Set 3: Code-Review+1

(2 comments)

http://gerrit.cloudera.org:8080/#/c/7679/1//COMMIT_MSG
Commit Message:

PS1, Line 10: https://github.com/cloudera/squeasel/commit/1e5f611
> Not to be pedantic, but this conveys what I'm trying to say: I took squease
The reworded sentence makes this clearer, thanks.


http://gerrit.cloudera.org:8080/#/c/7679/2/be/src/thirdparty/squeasel/squeasel.c
File be/src/thirdparty/squeasel/squeasel.c:

PS2, Line 4275: ctx->config[SSL_CIPHERS]
> See webserver.cc line 269 in this patch - we don't set the option if the ci
Thanks for clarifying.


-- 
To view, visit http://gerrit.cloudera.org:8080/7679
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2
Gerrit-PatchSet: 3
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson 
Gerrit-Reviewer: Henry Robinson 
Gerrit-Reviewer: Sailesh Mukil 
Gerrit-HasComments: Yes

[Impala-ASF-CR] IMPALA-5800: Configure Squeasel's cipher suite and TLS version

2017-08-16 Thread Henry Robinson (Code Review) 
Henry Robinson has uploaded a new patch set (#3).

Change subject: IMPALA-5800: Configure Squeasel's cipher suite and TLS version
..

IMPALA-5800: Configure Squeasel's cipher suite and TLS version

* Import Squeasel as of
  https://github.com/cloudera/squeasel/commit/1e5f611, which adds TLS
  version and cipher suite configuration.

* Plumb through --ssl_minimum_version and --ssl_cipher_list to the
  Squeasel options in webserver.cc.

Testing: manually confirm that webserver connections have desired
protocol version and cipher suite. Add two tests to webserver-test to
check that misconfiguration leads to a failure.

Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2
---
M be/src/thirdparty/squeasel/squeasel.c
M be/src/util/webserver-test.cc
M be/src/util/webserver.cc
3 files changed, 80 insertions(+), 3 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/79/7679/3
-- 
To view, visit http://gerrit.cloudera.org:8080/7679
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2
Gerrit-PatchSet: 3
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson 
Gerrit-Reviewer: Henry Robinson 
Gerrit-Reviewer: Sailesh Mukil

[Impala-ASF-CR] IMPALA-5800: Configure Squeasel's cipher suite and TLS version

2017-08-16 Thread Henry Robinson (Code Review) 
Henry Robinson has posted comments on this change.

Change subject: IMPALA-5800: Configure Squeasel's cipher suite and TLS version
..


Patch Set 1:

(2 comments)

http://gerrit.cloudera.org:8080/#/c/7679/1//COMMIT_MSG
Commit Message:

PS1, Line 10: https://github.com/cloudera/squeasel/commit/1e5f611
> I would add a reference to this as well, to avoid confusion:
Not to be pedantic, but this conveys what I'm trying to say: I took squeasel as 
of this particular commit, i.e. the snapshot of the file at this commit as the 
sum of all the commits before it. I've tried a slight rewording.


http://gerrit.cloudera.org:8080/#/c/7679/2/be/src/util/webserver-test.cc
File be/src/util/webserver-test.cc:

PS2, Line 251: SslBadCipherSuite
> Thanks for adding the test. This shouldn't be called "SslBadCipherSuite" no
Done


-- 
To view, visit http://gerrit.cloudera.org:8080/7679
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2
Gerrit-PatchSet: 1
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson 
Gerrit-Reviewer: Henry Robinson 
Gerrit-Reviewer: Sailesh Mukil 
Gerrit-HasComments: Yes

[Impala-ASF-CR] IMPALA-5800: Configure Squeasel's cipher suite and TLS version

2017-08-16 Thread Henry Robinson (Code Review) 
Henry Robinson has posted comments on this change.

Change subject: IMPALA-5800: Configure Squeasel's cipher suite and TLS version
..


Patch Set 2:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/7679/2/be/src/thirdparty/squeasel/squeasel.c
File be/src/thirdparty/squeasel/squeasel.c:

PS2, Line 4275: ctx->config[SSL_CIPHERS]
> In our case, this will never be NULL right? Since our ssl_cipher_list flag 
See webserver.cc line 269 in this patch - we don't set the option if the cipher 
flag is empty.


-- 
To view, visit http://gerrit.cloudera.org:8080/7679
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2
Gerrit-PatchSet: 2
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson 
Gerrit-Reviewer: Henry Robinson 
Gerrit-Reviewer: Sailesh Mukil 
Gerrit-HasComments: Yes

[Impala-ASF-CR] IMPALA-5800: Configure Squeasel's cipher suite and TLS version

2017-08-16 Thread Sailesh Mukil (Code Review) 
Sailesh Mukil has posted comments on this change.

Change subject: IMPALA-5800: Configure Squeasel's cipher suite and TLS version
..


Patch Set 2:

(4 comments)

http://gerrit.cloudera.org:8080/#/c/7679/1//COMMIT_MSG
Commit Message:

PS1, Line 10: https://github.com/cloudera/squeasel/commit/1e5f611
> It's the right commit - a bugfix for the previous one.
I would add a reference to this as well, to avoid confusion:
https://github.com/cloudera/squeasel/commit/70d3b5aa0e55aea2af1f552f1fb7e334b327c731


http://gerrit.cloudera.org:8080/#/c/7679/1/be/src/thirdparty/squeasel/squeasel.c
File be/src/thirdparty/squeasel/squeasel.c:

Line 4232: #endif
> I don't think that's what happens - won't the 'else' branch below get taken
Oops, brainfart, you're right.


http://gerrit.cloudera.org:8080/#/c/7679/2/be/src/thirdparty/squeasel/squeasel.c
File be/src/thirdparty/squeasel/squeasel.c:

PS2, Line 4275: ctx->config[SSL_CIPHERS]
In our case, this will never be NULL right? Since our ssl_cipher_list flag 
defaults to an empty string:
https://github.com/apache/incubator-impala/blob/b70acf92bfe7acf69775818cc16369b7527dd5e2/be/src/service/impala-server.cc#L176-L180

Do we know how OpenSSL handles an empty string? I tried looking up the docs but 
couldn't find any references.


http://gerrit.cloudera.org:8080/#/c/7679/2/be/src/util/webserver-test.cc
File be/src/util/webserver-test.cc:

PS2, Line 251: SslBadCipherSuite
Thanks for adding the test. This shouldn't be called "SslBadCipherSuite" now 
though. Your call on whether you want to split the good test out or just have a 
more accommodating test name.


-- 
To view, visit http://gerrit.cloudera.org:8080/7679
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2
Gerrit-PatchSet: 2
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson 
Gerrit-Reviewer: Henry Robinson 
Gerrit-Reviewer: Sailesh Mukil 
Gerrit-HasComments: Yes

[Impala-ASF-CR] IMPALA-5800: Configure Squeasel's cipher suite and TLS version

2017-08-15 Thread Henry Robinson (Code Review) 
Henry Robinson has posted comments on this change.

Change subject: IMPALA-5800: Configure Squeasel's cipher suite and TLS version
..


Patch Set 1:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/7679/1/be/src/util/webserver-test.cc
File be/src/util/webserver-test.cc:

PS1, Line 251: SslBadCipherSuite
> Let's add a good cipher suite test too.
Done


-- 
To view, visit http://gerrit.cloudera.org:8080/7679
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2
Gerrit-PatchSet: 1
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson 
Gerrit-Reviewer: Henry Robinson 
Gerrit-Reviewer: Sailesh Mukil 
Gerrit-HasComments: Yes

[Impala-ASF-CR] IMPALA-5800: Configure Squeasel's cipher suite and TLS version

2017-08-15 Thread Henry Robinson (Code Review) 
Henry Robinson has uploaded a new patch set (#2).

Change subject: IMPALA-5800: Configure Squeasel's cipher suite and TLS version
..

IMPALA-5800: Configure Squeasel's cipher suite and TLS version

* Import Squeasel from
  https://github.com/cloudera/squeasel/commit/1e5f611 which adds TLS
  version and cipher suite configuration.

* Plumb through --ssl_minimum_version and --ssl_cipher_list to the
  Squeasel options in webserver.cc.

Testing: manually confirm that webserver connections have desired
protocol version and cipher suite. Add two tests to webserver-test to
check that misconfiguration leads to a failure.

Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2
---
M be/src/thirdparty/squeasel/squeasel.c
M be/src/util/webserver-test.cc
M be/src/util/webserver.cc
3 files changed, 80 insertions(+), 3 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/79/7679/2
-- 
To view, visit http://gerrit.cloudera.org:8080/7679
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2
Gerrit-PatchSet: 2
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson 
Gerrit-Reviewer: Henry Robinson 
Gerrit-Reviewer: Sailesh Mukil

[Impala-ASF-CR] IMPALA-5800: Configure Squeasel's cipher suite and TLS version

2017-08-15 Thread Henry Robinson (Code Review) 
Henry Robinson has posted comments on this change.

Change subject: IMPALA-5800: Configure Squeasel's cipher suite and TLS version
..


Patch Set 1:

(2 comments)

http://gerrit.cloudera.org:8080/#/c/7679/1//COMMIT_MSG
Commit Message:

PS1, Line 10: https://github.com/cloudera/squeasel/commit/1e5f611
> This looks like it's pointing to the wrong commit.
It's the right commit - a bugfix for the previous one.


http://gerrit.cloudera.org:8080/#/c/7679/1/be/src/thirdparty/squeasel/squeasel.c
File be/src/thirdparty/squeasel/squeasel.c:

Line 4232: #endif
> Should we explicitly throw an error or show a warning if they opt for tlsv1
I don't think that's what happens - won't the 'else' branch below get taken?


-- 
To view, visit http://gerrit.cloudera.org:8080/7679
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2
Gerrit-PatchSet: 1
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson 
Gerrit-Reviewer: Henry Robinson 
Gerrit-Reviewer: Sailesh Mukil 
Gerrit-HasComments: Yes

[Impala-ASF-CR] IMPALA-5800: Configure Squeasel's cipher suite and TLS version

2017-08-15 Thread Sailesh Mukil (Code Review) 
Sailesh Mukil has posted comments on this change.

Change subject: IMPALA-5800: Configure Squeasel's cipher suite and TLS version
..


Patch Set 1:

(3 comments)

http://gerrit.cloudera.org:8080/#/c/7679/1//COMMIT_MSG
Commit Message:

PS1, Line 10: https://github.com/cloudera/squeasel/commit/1e5f611
This looks like it's pointing to the wrong commit.


http://gerrit.cloudera.org:8080/#/c/7679/1/be/src/thirdparty/squeasel/squeasel.c
File be/src/thirdparty/squeasel/squeasel.c:

Line 4232: #endif
Should we explicitly throw an error or show a warning if they opt for tlsv1_1 
or tlsv1_2, instead of silently setting tlsv1, with OPENSSL_VERSION_NUMBER < 
OPENSSL_VERSION_HAS_TLS_1_1 ?


http://gerrit.cloudera.org:8080/#/c/7679/1/be/src/util/webserver-test.cc
File be/src/util/webserver-test.cc:

PS1, Line 251: SslBadCipherSuite
Let's add a good cipher suite test too.


-- 
To view, visit http://gerrit.cloudera.org:8080/7679
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2
Gerrit-PatchSet: 1
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson 
Gerrit-Reviewer: Sailesh Mukil 
Gerrit-HasComments: Yes

[Impala-ASF-CR] IMPALA-5800: Configure Squeasel's cipher suite and TLS version

2017-08-15 Thread Henry Robinson (Code Review) 
Henry Robinson has uploaded a new change for review.

  http://gerrit.cloudera.org:8080/7679

Change subject: IMPALA-5800: Configure Squeasel's cipher suite and TLS version
..

IMPALA-5800: Configure Squeasel's cipher suite and TLS version

* Import Squeasel from
  https://github.com/cloudera/squeasel/commit/1e5f611 which adds TLS
  version and cipher suite configuration.

* Plumb through --ssl_minimum_version and --ssl_cipher_list to the
  Squeasel options in webserver.cc.

Testing: manually confirm that webserver connections have desired
protocol version and cipher suite. Add two tests to webserver-test to
check that misconfiguration leads to a failure.

Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2
---
M be/src/thirdparty/squeasel/squeasel.c
M be/src/util/webserver-test.cc
M be/src/util/webserver.cc
3 files changed, 72 insertions(+), 3 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/79/7679/1
-- 
To view, visit http://gerrit.cloudera.org:8080/7679
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2
Gerrit-PatchSet: 1
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson