Repository: incubator-impala Updated Branches: refs/heads/master d30f5f4e3 -> d40ada01b
IMPALA-5781: Only use TLSv1.0-compatible ciphers for tests If we ask OpenSSL to use a cipher suite that's not compatible with TLSv1.0, it will fail on machines where TLSv1.1+ is not supported (i.e. those with OpenSSL v1.0.0). Fix tests to only use TLSv1.0-compatible cipher suites, picked from https://wiki.openssl.org/index.php/Manual:Ciphers(1)#TLS_v1.0_cipher_suites. Confirmed that tests start servers with TLSv1.0 support. Before this patch, servers would be silently upgraded to TLSv1.2 only (i.e. the minimum version that supported the requested cipher suite). Change-Id: Id66508040bcc7745b7c68b62ace71ae1d394c1b4 Reviewed-on: http://gerrit.cloudera.org:8080/7624 Reviewed-by: Matthew Jacobs <m...@cloudera.com> Tested-by: Impala Public Jenkins Project: http://git-wip-us.apache.org/repos/asf/incubator-impala/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-impala/commit/cfcbfab4 Tree: http://git-wip-us.apache.org/repos/asf/incubator-impala/tree/cfcbfab4 Diff: http://git-wip-us.apache.org/repos/asf/incubator-impala/diff/cfcbfab4 Branch: refs/heads/master Commit: cfcbfab4ff6df0092e68b169c46958467fc0ec14 Parents: d30f5f4 Author: Henry Robinson <he...@cloudera.com> Authored: Tue Aug 8 22:41:07 2017 -0700 Committer: Impala Public Jenkins <impala-public-jenk...@gerrit.cloudera.org> Committed: Wed Aug 9 21:47:51 2017 +0000 ---------------------------------------------------------------------- be/src/rpc/thrift-server-test.cc | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/cfcbfab4/be/src/rpc/thrift-server-test.cc ---------------------------------------------------------------------- diff --git a/be/src/rpc/thrift-server-test.cc b/be/src/rpc/thrift-server-test.cc index f7a2916..a7c5ca5 100644 --- a/be/src/rpc/thrift-server-test.cc +++ b/be/src/rpc/thrift-server-test.cc 
@@ -51,6 +51,11 @@ const string& BAD_PRIVATE_KEY =
 const string& PASSWORD_PROTECTED_PRIVATE_KEY =
 Substitute("$0/be/src/testutil/server-key-password.pem", IMPALA_HOME);
+// Only use TLSv1.0 compatible ciphers, as tests might run on machines with only TLSv1.0
+// support.
+const string TLS1_0_COMPATIBLE_CIPHER = "RC4-SHA";
+const string TLS1_0_COMPATIBLE_CIPHER_2 = "RC4-MD5";
+
 /// Dummy server class (chosen because it has the smallest interface to implement) that
 /// tests can use to start Thrift servers.
 class DummyStatestoreService : public StatestoreServiceIf {
@@ -233,11 +238,11 @@ TEST(SslTest, MismatchedCiphers) {
 EXPECT_OK(ThriftServerBuilder("DummyStatestore", MakeProcessor(), port)
 .ssl(SERVER_CERT, PASSWORD_PROTECTED_PRIVATE_KEY)
 .pem_password_cmd("echo password")
- .cipher_list("AES256-SHA256")
+ .cipher_list(TLS1_0_COMPATIBLE_CIPHER)
 .Build(&server));
 EXPECT_OK(server->Start());
-
- auto s = ScopedFlagSetter<string>::Make(&FLAGS_ssl_cipher_list, "RC4-SHA");
+ auto s =
+ ScopedFlagSetter<string>::Make(&FLAGS_ssl_cipher_list, TLS1_0_COMPATIBLE_CIPHER_2);
 ThriftClient<StatestoreServiceClientWrapper> ssl_client(
 "localhost", port, "", nullptr, true);
@@ -258,12 +263,13 @@ TEST(SslTest, MatchedCiphers) {
 EXPECT_OK(ThriftServerBuilder("DummyStatestore", MakeProcessor(), port)
 .ssl(SERVER_CERT, PASSWORD_PROTECTED_PRIVATE_KEY)
 .pem_password_cmd("echo password")
- .cipher_list("AES256-SHA256")
+ .cipher_list(TLS1_0_COMPATIBLE_CIPHER)
 .Build(&server));
 EXPECT_OK(server->Start());
 FLAGS_ssl_client_ca_certificate = SERVER_CERT;
- auto s = ScopedFlagSetter<string>::Make(&FLAGS_ssl_cipher_list, "AES256-SHA256");
+ auto s =
+ ScopedFlagSetter<string>::Make(&FLAGS_ssl_cipher_list, TLS1_0_COMPATIBLE_CIPHER);
 ThriftClient<StatestoreServiceClientWrapper> ssl_client(
 "localhost", port, "", nullptr, true);
 
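Review bot: Both `TLS1_0_COMPATIBLE_CIPHER` constants introduced in this hunk are RC4 suites, which RFC 7465 prohibits for TLS and which OpenSSL 1.1.0 and later leave out of libssl unless it was configured with `enable-weak-ssl-ciphers`; on such a build `SSL_CTX_set_cipher_list("RC4-SHA")` fails with "no cipher match", so the servers in MatchedCiphers and MismatchedCiphers would fail at `.Build`/`Start()` instead of exercising cipher negotiation, trading the TLSv1.2-only failure this commit fixes for an RC4-less one. The TLS v1.0 list the commit message cites also contains AES-CBC suites that OpenSSL 1.0.0 supports and newer builds still ship by default, so `const string TLS1_0_COMPATIBLE_CIPHER = "AES256-SHA";` and `const string TLS1_0_COMPATIBLE_CIPHER_2 = "AES128-SHA";` keep the TLSv1.0 property without depending on RC4. The new comment should also record why the previous choice was wrong, e.g. `// SHA-256 HMAC suites such as AES256-SHA256 need TLSv1.2 and silently raise the server's minimum protocol version.` Which OpenSSL the Impala toolchain builds against is not visible here, so the RC4 failure may only appear once that toolchain moves past 1.0.x.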
@@ -279,17 +285,19 @@ TEST(SslTest, MatchedCiphers) {
 TEST(SslTest, OverlappingMatchedCiphers) {
 int port = GetServerPort();
+ const string CIPHER_LIST = Substitute("$0,$1", TLS1_0_COMPATIBLE_CIPHER,
+ TLS1_0_COMPATIBLE_CIPHER_2);
 ThriftServer* server;
 EXPECT_OK(ThriftServerBuilder("DummyStatestore", MakeProcessor(), port)
 .ssl(SERVER_CERT, PASSWORD_PROTECTED_PRIVATE_KEY)
 .pem_password_cmd("echo password")
- .cipher_list("RC4-SHA,AES256-SHA256")
+ .cipher_list(CIPHER_LIST)
 .Build(&server));
 EXPECT_OK(server->Start());
 FLAGS_ssl_client_ca_certificate = SERVER_CERT;
 auto s = ScopedFlagSetter<string>::Make(&FLAGS_ssl_cipher_list,
- "AES256-SHA256,not-a-cipher");
+ Substitute("$0,not-a-cipher", TLS1_0_COMPATIBLE_CIPHER));
 ThriftClient<StatestoreServiceClientWrapper> ssl_client(
 "localhost", port, "", nullptr, true);