[kudu-CR] KUDU-1926: disable TLS/SSL session renegotiation
Andrew Wong has posted comments on this change. ( http://gerrit.cloudera.org:8080/17204 ) Change subject: KUDU-1926: disable TLS/SSL session renegotiation .. Patch Set 2: Code-Review+1 (3 comments) http://gerrit.cloudera.org:8080/#/c/17204/2//COMMIT_MSG Commit Message: http://gerrit.cloudera.org:8080/#/c/17204/2//COMMIT_MSG@11 PS2, Line 11: to all nit: to disable all? http://gerrit.cloudera.org:8080/#/c/17204/2//COMMIT_MSG@16 PS2, Line 16: The moot point is the version interval between 1.1.0a and 1.1.0g: the : SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag is already gone, but : SSL_OP_NO_RENEGOTIATION is not yet present. Just making sure I understand: this means we still renegotiate if compiling with an OpenSSL version in this range, right? http://gerrit.cloudera.org:8080/#/c/17204/2/src/kudu/security/tls_context.cc File src/kudu/security/tls_context.cc: http://gerrit.cloudera.org:8080/#/c/17204/2/src/kudu/security/tls_context.cc@186 PS2, Line 186: // nit: maybe note the Jira here too? -- To view, visit http://gerrit.cloudera.org:8080/17204 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1 Gerrit-Change-Number: 17204 Gerrit-PatchSet: 2 Gerrit-Owner: Alexey Serbin Gerrit-Reviewer: Alexey Serbin Gerrit-Reviewer: Andrew Wong Gerrit-Reviewer: Attila Bukor Gerrit-Reviewer: Grant Henke Gerrit-Reviewer: Kudu Jenkins (120) Gerrit-Comment-Date: Mon, 22 Mar 2021 20:43:10 + Gerrit-HasComments: Yes
[kudu-CR] KUDU-1926: disable TLS/SSL session renegotiation
Grant Henke has posted comments on this change. ( http://gerrit.cloudera.org:8080/17204 ) Change subject: KUDU-1926: disable TLS/SSL session renegotiation .. Patch Set 2: Code-Review+1 -- To view, visit http://gerrit.cloudera.org:8080/17204 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1 Gerrit-Change-Number: 17204 Gerrit-PatchSet: 2 Gerrit-Owner: Alexey Serbin Gerrit-Reviewer: Alexey Serbin Gerrit-Reviewer: Attila Bukor Gerrit-Reviewer: Grant Henke Gerrit-Reviewer: Kudu Jenkins (120) Gerrit-Comment-Date: Sun, 21 Mar 2021 01:19:29 + Gerrit-HasComments: No
[kudu-CR] KUDU-1926: disable TLS/SSL session renegotiation
Alexey Serbin has removed a vote on this change. Change subject: KUDU-1926: disable TLS/SSL session renegotiation .. Removed Verified-1 by Kudu Jenkins (120) -- To view, visit http://gerrit.cloudera.org:8080/17204 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: deleteVote Gerrit-Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1 Gerrit-Change-Number: 17204 Gerrit-PatchSet: 2 Gerrit-Owner: Alexey Serbin Gerrit-Reviewer: Alexey Serbin Gerrit-Reviewer: Attila Bukor Gerrit-Reviewer: Grant Henke Gerrit-Reviewer: Kudu Jenkins (120)
[kudu-CR] KUDU-1926: disable TLS/SSL session renegotiation
Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/17204 ) Change subject: KUDU-1926: disable TLS/SSL session renegotiation .. Patch Set 2: Verified+1 > There is funny crash with SIGSEGV if running under TSAN: I'll need > to clarify on that. > > > home/jenkins-slave/workspace/kudu-master/1/src/kudu/tools/kudu-tool-test.cc:315 > Failed > Bad status: Runtime error: /tmp/dist-test-task4slHfE/build/tsan/bin/kudu: > process exited on signal 11 (core dumped) > Google Test trace: > /home/jenkins-slave/workspace/kudu-master/1/src/kudu/tools/kudu-tool-test.cc:314: > W0319 06:43:49.983834 27011 flags.cc:411] Enabled unsafe flag: > --openssl_security_level_override=0 > W0319 06:43:49.984328 27011 flags.cc:411] Enabled unsafe flag: > --never_fsync=true > W0319 06:43:50.808722 27011 thread.cc:616] rpc reactor (reactor) > Time spent creating pthread: real 0.775s user 0.356s sys 0.418s > W0319 06:43:50.809056 27011 thread.cc:582] rpc reactor (reactor) > Time spent starting thread: real 0.775s user 0.356s sys 0.418s > *** Aborted at 1616136230 (unix time) try "date -d @1616136230" if > you are using GNU date *** > PC: @ 0x7fd2b07fa26a __GI___pthread_rwlock_unlock > *** SIGSEGV (@0x18) received by PID 27011 (TID 0x7fd2a1883700) from > PID 24; stack trace: *** > @ 0x4f8b10 __tsan::CallUserSignalHandler() > @ 0x4fb027 rtl_sigaction() > @ 0x7fd2b07ff980 (unknown) > @ 0x7fd2b07fa26a __GI___pthread_rwlock_unlock > @ 0x4ff2b2 pthread_rwlock_unlock > @ 0x7fd2aed4e8a9 CRYPTO_THREAD_unlock > @ 0x7fd2aece481f CRYPTO_free_ex_data > @ 0x7fd2aed183b2 RSA_free > @ 0x7fd2aecdfc9b (unknown) > @ 0x7fd2aece0899 EVP_PKEY_free > @ 0x7fd2aed6965c (unknown) > @ 0x7fd2aec0fac7 (unknown) > @ 0x7fd2aec0fc30 (unknown) > @ 0x7fd2aec0fa26 (unknown) > @ 0x7fd2aec0fc30 (unknown) > @ 0x7fd2aec0fa26 (unknown) > @ 0x7fd2aec0fb55 ASN1_item_free > @ 0x7fd2aed5d069 X509_OBJECT_free > @ 0x7fd2aed4afc0 OPENSSL_sk_pop_free > @ 0x7fd2aed5d5ac X509_STORE_free > @ 0x7fd2ae919af4 SSL_CTX_free > @ 0x7fd2af657c88 > _ZNSt3__18__invokeIRPFvP10ssl_ctx_stEJS2_EEEDTclclsr3std3__1E7forwardIT_Efp_Espclsr3std3__1E7forwardIT0_Efp0_EEEOS6_DpOS7_ > @ 0x7fd2af657bf4 > _ZNSt3__128__invoke_void_return_wrapperIvE6__callIJRPFvP10ssl_ctx_stES4_EEEvDpOT_ > @ 0x7fd2af657ba4 std::__1::__function::__alloc_func<>::operator()() > @ 0x7fd2af6567dd std::__1::__function::__func<>::operator()() > @ 0x7fd2afd074b7 std::__1::__function::__value_func<>::operator()() > @ 0x7fd2afd073ec std::__1::function<>::operator()() > @ 0x7fd2afd072fe std::__1::unique_ptr<>::reset() > @ 0x7fd2afd06dbc std::__1::unique_ptr<>::~unique_ptr() > @ 0x7fd2afd06d4a kudu::security::TlsContext::~TlsContext() > @ 0x7fd2afd06c9f std::__1::default_delete<>::operator()() > @ 0x7fd2afd06c0e std::__1::unique_ptr<>::reset() > /home/jenkins-slave/workspace/kudu-master/1/src/kudu/tools/kudu-tool-test.cc:313: > (int32 key=1) (int32 key=2) (int32 key=3) (int32 key=4) (int32 > key=5) T ebd1313dc9ed4e9393c8c966988f7681 scanned count 5 cost > 0.0375527 seconds Total count 5 cost 0.0400349 seconds I could not reproduce the flake. > There is funny crash with SIGSEGV if running under TSAN: I'll need > to clarify on that. > > > home/jenkins-slave/workspace/kudu-master/1/src/kudu/tools/kudu-tool-test.cc:315 > Failed > Bad status: Runtime error: /tmp/dist-test-task4slHfE/build/tsan/bin/kudu: > process exited on signal 11 (core dumped) > Google Test trace: > /home/jenkins-slave/workspace/kudu-master/1/src/kudu/tools/kudu-tool-test.cc:314: > W0319 06:43:49.983834 27011 flags.cc:411] Enabled unsafe flag: > --openssl_security_level_override=0 > W0319 06:43:49.984328 27011 flags.cc:411] Enabled unsafe flag: > --never_fsync=true > W0319 06:43:50.808722 27011 thread.cc:616] rpc reactor (reactor) > Time spent creating pthread: real 0.775s user 0.356s sys 0.418s > W0319 06:43:50.809056 27011 thread.cc:582] rpc reactor (reactor) > Time spent starting thread: real 0.775s user 0.356s sys 0.418s > *** Aborted at 1616136230 (unix time) try "date -d @1616136230" if > you are using GNU date *** > PC: @ 0x7fd2b07fa26a __GI___pthread_rwlock_unlock > *** SIGSEGV (@0x18) received by PID 27011 (TID 0x7fd2a1883700) from > PID 24; stack trace: *** > @ 0x4f8b10 __tsan::CallUserSignalHandler() > @ 0x4fb027 rtl_sigaction() > @ 0x7fd2b07ff980 (unknown) > @ 0x7fd2b07fa26a __GI___pthread_rwlock_unlock > @ 0x4ff2b2 pthread_rwlock_unlock > @ 0x7fd2aed4e8a9 CRYPTO_THREAD_unlock > @ 0x7fd2aece481f CRYPTO_free_ex_data > @ 0x7fd2aed183b2 RSA_free > @ 0x7fd2aecdfc9b (unknown) > @ 0x7fd2aece0899 EVP_PKEY_free > @ 0x7fd2aed6965c
[kudu-CR] KUDU-1926: disable TLS/SSL session renegotiation
Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/17204 ) Change subject: KUDU-1926: disable TLS/SSL session renegotiation .. Patch Set 2: There is funny crash with SIGSEGV if running under TSAN: I'll need to clarify on that. home/jenkins-slave/workspace/kudu-master/1/src/kudu/tools/kudu-tool-test.cc:315 Failed Bad status: Runtime error: /tmp/dist-test-task4slHfE/build/tsan/bin/kudu: process exited on signal 11 (core dumped) Google Test trace: /home/jenkins-slave/workspace/kudu-master/1/src/kudu/tools/kudu-tool-test.cc:314: W0319 06:43:49.983834 27011 flags.cc:411] Enabled unsafe flag: --openssl_security_level_override=0 W0319 06:43:49.984328 27011 flags.cc:411] Enabled unsafe flag: --never_fsync=true W0319 06:43:50.808722 27011 thread.cc:616] rpc reactor (reactor) Time spent creating pthread: real 0.775s user 0.356s sys 0.418s W0319 06:43:50.809056 27011 thread.cc:582] rpc reactor (reactor) Time spent starting thread: real 0.775suser 0.356s sys 0.418s *** Aborted at 1616136230 (unix time) try "date -d @1616136230" if you are using GNU date *** PC: @ 0x7fd2b07fa26a __GI___pthread_rwlock_unlock *** SIGSEGV (@0x18) received by PID 27011 (TID 0x7fd2a1883700) from PID 24; stack trace: *** @ 0x4f8b10 __tsan::CallUserSignalHandler() @ 0x4fb027 rtl_sigaction() @ 0x7fd2b07ff980 (unknown) @ 0x7fd2b07fa26a __GI___pthread_rwlock_unlock @ 0x4ff2b2 pthread_rwlock_unlock @ 0x7fd2aed4e8a9 CRYPTO_THREAD_unlock @ 0x7fd2aece481f CRYPTO_free_ex_data @ 0x7fd2aed183b2 RSA_free @ 0x7fd2aecdfc9b (unknown) @ 0x7fd2aece0899 EVP_PKEY_free @ 0x7fd2aed6965c (unknown) @ 0x7fd2aec0fac7 (unknown) @ 0x7fd2aec0fc30 (unknown) @ 0x7fd2aec0fa26 (unknown) @ 0x7fd2aec0fc30 (unknown) @ 0x7fd2aec0fa26 (unknown) @ 0x7fd2aec0fb55 ASN1_item_free @ 0x7fd2aed5d069 X509_OBJECT_free @ 0x7fd2aed4afc0 OPENSSL_sk_pop_free @ 0x7fd2aed5d5ac X509_STORE_free @ 0x7fd2ae919af4 SSL_CTX_free @ 0x7fd2af657c88 _ZNSt3__18__invokeIRPFvP10ssl_ctx_stEJS2_EEEDTclclsr3std3__1E7forwardIT_Efp_Espclsr3std3__1E7forwardIT0_Efp0_EEEOS6_DpOS7_ @ 0x7fd2af657bf4 _ZNSt3__128__invoke_void_return_wrapperIvE6__callIJRPFvP10ssl_ctx_stES4_EEEvDpOT_ @ 0x7fd2af657ba4 std::__1::__function::__alloc_func<>::operator()() @ 0x7fd2af6567dd std::__1::__function::__func<>::operator()() @ 0x7fd2afd074b7 std::__1::__function::__value_func<>::operator()() @ 0x7fd2afd073ec std::__1::function<>::operator()() @ 0x7fd2afd072fe std::__1::unique_ptr<>::reset() @ 0x7fd2afd06dbc std::__1::unique_ptr<>::~unique_ptr() @ 0x7fd2afd06d4a kudu::security::TlsContext::~TlsContext() @ 0x7fd2afd06c9f std::__1::default_delete<>::operator()() @ 0x7fd2afd06c0e std::__1::unique_ptr<>::reset() /home/jenkins-slave/workspace/kudu-master/1/src/kudu/tools/kudu-tool-test.cc:313: (int32 key=1) (int32 key=2) (int32 key=3) (int32 key=4) (int32 key=5) T ebd1313dc9ed4e9393c8c966988f7681 scanned count 5 cost 0.0375527 seconds Total count 5 cost 0.0400349 seconds -- To view, visit http://gerrit.cloudera.org:8080/17204 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1 Gerrit-Change-Number: 17204 Gerrit-PatchSet: 2 Gerrit-Owner: Alexey Serbin Gerrit-Reviewer: Alexey Serbin Gerrit-Reviewer: Attila Bukor Gerrit-Reviewer: Grant Henke Gerrit-Reviewer: Kudu Jenkins (120) Gerrit-Comment-Date: Fri, 19 Mar 2021 07:10:20 + Gerrit-HasComments: No
[kudu-CR] KUDU-1926: disable TLS/SSL session renegotiation
Hello Attila Bukor, Kudu Jenkins, Grant Henke, I'd like you to reexamine a change. Please visit http://gerrit.cloudera.org:8080/17204 to look at the new patch set (#2). Change subject: KUDU-1926: disable TLS/SSL session renegotiation .. KUDU-1926: disable TLS/SSL session renegotiation This patch disables TLS ciphers renegotiation for TLSv1.2 and prior. In case of OpenSSL version 1.1.0h and newer, we are using SSL_OP_NO_RENEGOTIATION option to all renegotiation. In case of OpenSSL version prior to 1.1.0a, the undocumented SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag is used. See [1], [2] and [3] for more context. The moot point is the version interval between 1.1.0a and 1.1.0g: the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag is already gone, but SSL_OP_NO_RENEGOTIATION is not yet present. [1] https://www.openssl.org/docs/man1.1.0/man3/SSL_set_options.html [2] https://github.com/openssl/openssl/blob/f9398cc2b31858ddaaea3f5cfec2fce7f9b90347/CHANGES#L1038-L1049 [3] https://github.com/openssl/openssl/issues/4739 Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1 --- M src/kudu/security/tls_context.cc 1 file changed, 25 insertions(+), 2 deletions(-) git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/04/17204/2 -- To view, visit http://gerrit.cloudera.org:8080/17204 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: newpatchset Gerrit-Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1 Gerrit-Change-Number: 17204 Gerrit-PatchSet: 2 Gerrit-Owner: Alexey Serbin Gerrit-Reviewer: Alexey Serbin Gerrit-Reviewer: Attila Bukor Gerrit-Reviewer: Grant Henke Gerrit-Reviewer: Kudu Jenkins (120)
[kudu-CR] KUDU-1926: disable TLS/SSL session renegotiation
Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/17204 ) Change subject: KUDU-1926: disable TLS/SSL session renegotiation .. Patch Set 1: > Unrelated TSAN warning while running Params/ScanYourWritesParamTest.Test/1 I posted a separate patch to fix the race reported by TSAN: https://gerrit.cloudera.org/#/c/17205/ -- To view, visit http://gerrit.cloudera.org:8080/17204 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1 Gerrit-Change-Number: 17204 Gerrit-PatchSet: 1 Gerrit-Owner: Alexey Serbin Gerrit-Reviewer: Alexey Serbin Gerrit-Reviewer: Attila Bukor Gerrit-Reviewer: Grant Henke Gerrit-Reviewer: Kudu Jenkins (120) Gerrit-Comment-Date: Fri, 19 Mar 2021 04:04:04 + Gerrit-HasComments: No
[kudu-CR] KUDU-1926: disable TLS/SSL session renegotiation
Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/17204 ) Change subject: KUDU-1926: disable TLS/SSL session renegotiation .. Patch Set 1: Verified+1 Unrelated TSAN warning while running Params/ScanYourWritesParamTest.Test/1 -- To view, visit http://gerrit.cloudera.org:8080/17204 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1 Gerrit-Change-Number: 17204 Gerrit-PatchSet: 1 Gerrit-Owner: Alexey Serbin Gerrit-Reviewer: Alexey Serbin Gerrit-Reviewer: Attila Bukor Gerrit-Reviewer: Grant Henke Gerrit-Reviewer: Kudu Jenkins (120) Gerrit-Comment-Date: Fri, 19 Mar 2021 00:50:02 + Gerrit-HasComments: No
[kudu-CR] KUDU-1926: disable TLS/SSL session renegotiation
Alexey Serbin has removed a vote on this change. Change subject: KUDU-1926: disable TLS/SSL session renegotiation .. Removed Verified-1 by Kudu Jenkins (120) -- To view, visit http://gerrit.cloudera.org:8080/17204 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: deleteVote Gerrit-Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1 Gerrit-Change-Number: 17204 Gerrit-PatchSet: 1 Gerrit-Owner: Alexey Serbin Gerrit-Reviewer: Attila Bukor Gerrit-Reviewer: Grant Henke Gerrit-Reviewer: Kudu Jenkins (120)
[kudu-CR] KUDU-1926: disable TLS/SSL session renegotiation
Alexey Serbin has uploaded this change for review. ( http://gerrit.cloudera.org:8080/17204 Change subject: KUDU-1926: disable TLS/SSL session renegotiation .. KUDU-1926: disable TLS/SSL session renegotiation This patch disables TLS ciphers renegotiation for TLSv1.2 and prior. In case of OpenSSL version 1.1.0h and newer, we are using SSL_OP_NO_RENEGOTIATION option to all renegotiation. In case of OpenSSL version prior to 1.1.0a, the undocumented SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag is used. See [1], [2] and [3] for more context. The moot point is the version interval between 1.1.0a and 1.1.0g: the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag is already gone, but SSL_OP_NO_RENEGOTIATION is not yet present. [1] https://www.openssl.org/docs/man1.1.0/man3/SSL_set_options.html [2] https://github.com/openssl/openssl/blob/f9398cc2b31858ddaaea3f5cfec2fce7f9b90347/CHANGES#L1038-L1049 [3] https://github.com/openssl/openssl/issues/4739 Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1 --- M src/kudu/security/tls_context.cc 1 file changed, 26 insertions(+), 0 deletions(-) git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/04/17204/1 -- To view, visit http://gerrit.cloudera.org:8080/17204 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: newchange Gerrit-Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1 Gerrit-Change-Number: 17204 Gerrit-PatchSet: 1 Gerrit-Owner: Alexey Serbin