[Impala-ASF-CR] IMPALA-5800: Configure Squeasel's cipher suite and TLS version
Impala Public Jenkins has submitted this change and it was merged. Change subject: IMPALA-5800: Configure Squeasel's cipher suite and TLS version .. IMPALA-5800: Configure Squeasel's cipher suite and TLS version * Import Squeasel as of https://github.com/cloudera/squeasel/commit/1e5f611, which adds TLS version and cipher suite configuration. * Plumb through --ssl_minimum_version and --ssl_cipher_list to the Squeasel options in webserver.cc. Testing: manually confirm that webserver connections have desired protocol version and cipher suite. Add two tests to webserver-test to check that misconfiguration leads to a failure. Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2 Reviewed-on: http://gerrit.cloudera.org:8080/7679 Reviewed-by: Sailesh MukilReviewed-by: Henry Robinson Tested-by: Impala Public Jenkins --- M be/src/thirdparty/squeasel/squeasel.c M be/src/util/webserver-test.cc M be/src/util/webserver.cc 3 files changed, 80 insertions(+), 3 deletions(-) Approvals: Impala Public Jenkins: Verified Henry Robinson: Looks good to me, approved Sailesh Mukil: Looks good to me, but someone else must approve -- To view, visit http://gerrit.cloudera.org:8080/7679 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: merged Gerrit-Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2 Gerrit-PatchSet: 4 Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-Owner: Henry Robinson Gerrit-Reviewer: Henry Robinson Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Sailesh Mukil
[Impala-ASF-CR] IMPALA-5800: Configure Squeasel's cipher suite and TLS version
Impala Public Jenkins has posted comments on this change. Change subject: IMPALA-5800: Configure Squeasel's cipher suite and TLS version .. Patch Set 3: Verified+1 -- To view, visit http://gerrit.cloudera.org:8080/7679 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: comment Gerrit-Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2 Gerrit-PatchSet: 3 Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-Owner: Henry RobinsonGerrit-Reviewer: Henry Robinson Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Sailesh Mukil Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-5800: Configure Squeasel's cipher suite and TLS version
Henry Robinson has posted comments on this change. Change subject: IMPALA-5800: Configure Squeasel's cipher suite and TLS version .. Patch Set 3: Code-Review+2 I feel pretty ok giving this a +2 myself, as the Impala-side changes are tiny. -- To view, visit http://gerrit.cloudera.org:8080/7679 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: comment Gerrit-Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2 Gerrit-PatchSet: 3 Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-Owner: Henry RobinsonGerrit-Reviewer: Henry Robinson Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Sailesh Mukil Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-5800: Configure Squeasel's cipher suite and TLS version
Impala Public Jenkins has posted comments on this change. Change subject: IMPALA-5800: Configure Squeasel's cipher suite and TLS version .. Patch Set 3: Build started: https://jenkins.impala.io/job/gerrit-verify-dryrun/1076/ -- To view, visit http://gerrit.cloudera.org:8080/7679 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: comment Gerrit-Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2 Gerrit-PatchSet: 3 Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-Owner: Henry RobinsonGerrit-Reviewer: Henry Robinson Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Sailesh Mukil Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-5800: Configure Squeasel's cipher suite and TLS version
Sailesh Mukil has posted comments on this change. Change subject: IMPALA-5800: Configure Squeasel's cipher suite and TLS version .. Patch Set 3: Code-Review+1 (2 comments) http://gerrit.cloudera.org:8080/#/c/7679/1//COMMIT_MSG Commit Message: PS1, Line 10: https://github.com/cloudera/squeasel/commit/1e5f611 > Not to be pedantic, but this conveys what I'm trying to say: I took squease The reworded sentence makes this clearer, thanks. http://gerrit.cloudera.org:8080/#/c/7679/2/be/src/thirdparty/squeasel/squeasel.c File be/src/thirdparty/squeasel/squeasel.c: PS2, Line 4275: ctx->config[SSL_CIPHERS] > See webserver.cc line 269 in this patch - we don't set the option if the ci Thanks for clarifying. -- To view, visit http://gerrit.cloudera.org:8080/7679 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: comment Gerrit-Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2 Gerrit-PatchSet: 3 Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-Owner: Henry RobinsonGerrit-Reviewer: Henry Robinson Gerrit-Reviewer: Sailesh Mukil Gerrit-HasComments: Yes
[Impala-ASF-CR] IMPALA-5800: Configure Squeasel's cipher suite and TLS version
Henry Robinson has uploaded a new patch set (#3). Change subject: IMPALA-5800: Configure Squeasel's cipher suite and TLS version .. IMPALA-5800: Configure Squeasel's cipher suite and TLS version * Import Squeasel as of https://github.com/cloudera/squeasel/commit/1e5f611, which adds TLS version and cipher suite configuration. * Plumb through --ssl_minimum_version and --ssl_cipher_list to the Squeasel options in webserver.cc. Testing: manually confirm that webserver connections have desired protocol version and cipher suite. Add two tests to webserver-test to check that misconfiguration leads to a failure. Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2 --- M be/src/thirdparty/squeasel/squeasel.c M be/src/util/webserver-test.cc M be/src/util/webserver.cc 3 files changed, 80 insertions(+), 3 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/79/7679/3 -- To view, visit http://gerrit.cloudera.org:8080/7679 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: newpatchset Gerrit-Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2 Gerrit-PatchSet: 3 Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-Owner: Henry RobinsonGerrit-Reviewer: Henry Robinson Gerrit-Reviewer: Sailesh Mukil
[Impala-ASF-CR] IMPALA-5800: Configure Squeasel's cipher suite and TLS version
Henry Robinson has posted comments on this change. Change subject: IMPALA-5800: Configure Squeasel's cipher suite and TLS version .. Patch Set 1: (2 comments) http://gerrit.cloudera.org:8080/#/c/7679/1//COMMIT_MSG Commit Message: PS1, Line 10: https://github.com/cloudera/squeasel/commit/1e5f611 > I would add a reference to this as well, to avoid confusion: Not to be pedantic, but this conveys what I'm trying to say: I took squeasel as of this particular commit, i.e. the snapshot of the file at this commit as the sum of all the commits before it. I've tried a slight rewording. http://gerrit.cloudera.org:8080/#/c/7679/2/be/src/util/webserver-test.cc File be/src/util/webserver-test.cc: PS2, Line 251: SslBadCipherSuite > Thanks for adding the test. This shouldn't be called "SslBadCipherSuite" no Done -- To view, visit http://gerrit.cloudera.org:8080/7679 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: comment Gerrit-Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2 Gerrit-PatchSet: 1 Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-Owner: Henry RobinsonGerrit-Reviewer: Henry Robinson Gerrit-Reviewer: Sailesh Mukil Gerrit-HasComments: Yes
[Impala-ASF-CR] IMPALA-5800: Configure Squeasel's cipher suite and TLS version
Henry Robinson has posted comments on this change. Change subject: IMPALA-5800: Configure Squeasel's cipher suite and TLS version .. Patch Set 2: (1 comment) http://gerrit.cloudera.org:8080/#/c/7679/2/be/src/thirdparty/squeasel/squeasel.c File be/src/thirdparty/squeasel/squeasel.c: PS2, Line 4275: ctx->config[SSL_CIPHERS] > In our case, this will never be NULL right? Since our ssl_cipher_list flag See webserver.cc line 269 in this patch - we don't set the option if the cipher flag is empty. -- To view, visit http://gerrit.cloudera.org:8080/7679 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: comment Gerrit-Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2 Gerrit-PatchSet: 2 Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-Owner: Henry RobinsonGerrit-Reviewer: Henry Robinson Gerrit-Reviewer: Sailesh Mukil Gerrit-HasComments: Yes
[Impala-ASF-CR] IMPALA-5800: Configure Squeasel's cipher suite and TLS version
Sailesh Mukil has posted comments on this change. Change subject: IMPALA-5800: Configure Squeasel's cipher suite and TLS version .. Patch Set 2: (4 comments) http://gerrit.cloudera.org:8080/#/c/7679/1//COMMIT_MSG Commit Message: PS1, Line 10: https://github.com/cloudera/squeasel/commit/1e5f611 > It's the right commit - a bugfix for the previous one. I would add a reference to this as well, to avoid confusion: https://github.com/cloudera/squeasel/commit/70d3b5aa0e55aea2af1f552f1fb7e334b327c731 http://gerrit.cloudera.org:8080/#/c/7679/1/be/src/thirdparty/squeasel/squeasel.c File be/src/thirdparty/squeasel/squeasel.c: Line 4232: #endif > I don't think that's what happens - won't the 'else' branch below get taken Oops, brainfart, you're right. http://gerrit.cloudera.org:8080/#/c/7679/2/be/src/thirdparty/squeasel/squeasel.c File be/src/thirdparty/squeasel/squeasel.c: PS2, Line 4275: ctx->config[SSL_CIPHERS] In our case, this will never be NULL right? Since our ssl_cipher_list flag defaults to an empty string: https://github.com/apache/incubator-impala/blob/b70acf92bfe7acf69775818cc16369b7527dd5e2/be/src/service/impala-server.cc#L176-L180 Do we know how OpenSSL handles an empty string? I tried looking up the docs but couldn't find any references. http://gerrit.cloudera.org:8080/#/c/7679/2/be/src/util/webserver-test.cc File be/src/util/webserver-test.cc: PS2, Line 251: SslBadCipherSuite Thanks for adding the test. This shouldn't be called "SslBadCipherSuite" now though. Your call on whether you want to split the good test out or just have a more accommodating test name. -- To view, visit http://gerrit.cloudera.org:8080/7679 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: comment Gerrit-Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2 Gerrit-PatchSet: 2 Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-Owner: Henry RobinsonGerrit-Reviewer: Henry Robinson Gerrit-Reviewer: Sailesh Mukil Gerrit-HasComments: Yes
[Impala-ASF-CR] IMPALA-5800: Configure Squeasel's cipher suite and TLS version
Henry Robinson has posted comments on this change. Change subject: IMPALA-5800: Configure Squeasel's cipher suite and TLS version .. Patch Set 1: (1 comment) http://gerrit.cloudera.org:8080/#/c/7679/1/be/src/util/webserver-test.cc File be/src/util/webserver-test.cc: PS1, Line 251: SslBadCipherSuite > Let's add a good cipher suite test too. Done -- To view, visit http://gerrit.cloudera.org:8080/7679 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: comment Gerrit-Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2 Gerrit-PatchSet: 1 Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-Owner: Henry RobinsonGerrit-Reviewer: Henry Robinson Gerrit-Reviewer: Sailesh Mukil Gerrit-HasComments: Yes
[Impala-ASF-CR] IMPALA-5800: Configure Squeasel's cipher suite and TLS version
Henry Robinson has uploaded a new patch set (#2). Change subject: IMPALA-5800: Configure Squeasel's cipher suite and TLS version .. IMPALA-5800: Configure Squeasel's cipher suite and TLS version * Import Squeasel from https://github.com/cloudera/squeasel/commit/1e5f611 which adds TLS version and cipher suite configuration. * Plumb through --ssl_minimum_version and --ssl_cipher_list to the Squeasel options in webserver.cc. Testing: manually confirm that webserver connections have desired protocol version and cipher suite. Add two tests to webserver-test to check that misconfiguration leads to a failure. Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2 --- M be/src/thirdparty/squeasel/squeasel.c M be/src/util/webserver-test.cc M be/src/util/webserver.cc 3 files changed, 80 insertions(+), 3 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/79/7679/2 -- To view, visit http://gerrit.cloudera.org:8080/7679 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: newpatchset Gerrit-Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2 Gerrit-PatchSet: 2 Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-Owner: Henry RobinsonGerrit-Reviewer: Henry Robinson Gerrit-Reviewer: Sailesh Mukil
[Impala-ASF-CR] IMPALA-5800: Configure Squeasel's cipher suite and TLS version
Henry Robinson has posted comments on this change. Change subject: IMPALA-5800: Configure Squeasel's cipher suite and TLS version .. Patch Set 1: (2 comments) http://gerrit.cloudera.org:8080/#/c/7679/1//COMMIT_MSG Commit Message: PS1, Line 10: https://github.com/cloudera/squeasel/commit/1e5f611 > This looks like it's pointing to the wrong commit. It's the right commit - a bugfix for the previous one. http://gerrit.cloudera.org:8080/#/c/7679/1/be/src/thirdparty/squeasel/squeasel.c File be/src/thirdparty/squeasel/squeasel.c: Line 4232: #endif > Should we explicitly throw an error or show a warning if they opt for tlsv1 I don't think that's what happens - won't the 'else' branch below get taken? -- To view, visit http://gerrit.cloudera.org:8080/7679 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: comment Gerrit-Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2 Gerrit-PatchSet: 1 Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-Owner: Henry RobinsonGerrit-Reviewer: Henry Robinson Gerrit-Reviewer: Sailesh Mukil Gerrit-HasComments: Yes
[Impala-ASF-CR] IMPALA-5800: Configure Squeasel's cipher suite and TLS version
Sailesh Mukil has posted comments on this change. Change subject: IMPALA-5800: Configure Squeasel's cipher suite and TLS version .. Patch Set 1: (3 comments) http://gerrit.cloudera.org:8080/#/c/7679/1//COMMIT_MSG Commit Message: PS1, Line 10: https://github.com/cloudera/squeasel/commit/1e5f611 This looks like it's pointing to the wrong commit. http://gerrit.cloudera.org:8080/#/c/7679/1/be/src/thirdparty/squeasel/squeasel.c File be/src/thirdparty/squeasel/squeasel.c: Line 4232: #endif Should we explicitly throw an error or show a warning if they opt for tlsv1_1 or tlsv1_2, instead of silently setting tlsv1, with OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_HAS_TLS_1_1 ? http://gerrit.cloudera.org:8080/#/c/7679/1/be/src/util/webserver-test.cc File be/src/util/webserver-test.cc: PS1, Line 251: SslBadCipherSuite Let's add a good cipher suite test too. -- To view, visit http://gerrit.cloudera.org:8080/7679 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: comment Gerrit-Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2 Gerrit-PatchSet: 1 Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-Owner: Henry RobinsonGerrit-Reviewer: Sailesh Mukil Gerrit-HasComments: Yes
[Impala-ASF-CR] IMPALA-5800: Configure Squeasel's cipher suite and TLS version
Henry Robinson has uploaded a new change for review. http://gerrit.cloudera.org:8080/7679 Change subject: IMPALA-5800: Configure Squeasel's cipher suite and TLS version .. IMPALA-5800: Configure Squeasel's cipher suite and TLS version * Import Squeasel from https://github.com/cloudera/squeasel/commit/1e5f611 which adds TLS version and cipher suite configuration. * Plumb through --ssl_minimum_version and --ssl_cipher_list to the Squeasel options in webserver.cc. Testing: manually confirm that webserver connections have desired protocol version and cipher suite. Add two tests to webserver-test to check that misconfiguration leads to a failure. Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2 --- M be/src/thirdparty/squeasel/squeasel.c M be/src/util/webserver-test.cc M be/src/util/webserver.cc 3 files changed, 72 insertions(+), 3 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/79/7679/1 -- To view, visit http://gerrit.cloudera.org:8080/7679 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I23fb17257098992c65e50c1e83a905c9a85db6a2 Gerrit-PatchSet: 1 Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-Owner: Henry Robinson