[ https://issues.apache.org/jira/browse/HADOOP-10734?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Uma Maheswara Rao G updated HADOOP-10734:
-----------------------------------------

    Comment: was deleted

(was: [~cmccabe], thank you for the review. I updated the patch based on your 
new comments and on what we discussed offline.
{quote}
I guess my question here is, if I compile against openssl 1.0.0 and run against 
1.0.1, does AES-CTR work? My understanding is that it does. So we should not 
fail the build just because the compiler has version 1.0.0.
{quote}
In the new patch, I removed the OpenSSL version (1.0.0 or 1.0.1) check in 
CMakeLists.txt; now it can be compiled against OpenSSL 1.0.0 and run against 
1.0.1.

{quote}
As we talked about, we should fail the tests when buildSupportsOpenssl is true 
but openssl is not working (that way, we will know we have a configuration 
problem on Jenkins or any other build system.)
{quote}
Yes, this has been included. 

{quote}
Specifically, we should call const char *SSLeay_version(int t); here and throw 
an exception if the number is too low. We should not use the #define, since 
that is the version we compiled with, which may not be the same as the version 
we're running with. (In fact, it rarely will be the same, due to the security 
and export control difficulties associated with bundling openssl.)
{quote}

Basically, dlsym for AES-CTR-related symbols will fail if the OpenSSL version is 
not new enough, so we don't need to check the version specifically. And I 
refined the error message to:
{{Cannot find AES-CTR support, is your version of Openssl new enough?}}
)

> Implementation of true secure random with high performance using hardware 
> random number generator.
> --------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-10734
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10734
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: fs-encryption (HADOOP-10150 and HDFS-6134)
>            Reporter: Yi Liu
>            Assignee: Yi Liu
>             Fix For: fs-encryption (HADOOP-10150 and HDFS-6134)
>
>         Attachments: HADOOP-10734.patch
>
>
> This JIRA is to implement secure random using JNI to OpenSSL, and the 
> implementation should be thread-safe.
> Utilize RdRand to return random numbers from the hardware random number 
> generator. It's a TRNG (True Random Number Generator) with much higher 
> performance than {{java.security.SecureRandom}}. 
> https://wiki.openssl.org/index.php/Random_Numbers
> http://en.wikipedia.org/wiki/RdRand
> https://software.intel.com/en-us/articles/performance-impact-of-intel-secure-key-on-openssl



--
This message was sent by Atlassian JIRA
(v6.2#6252)
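The run-time capability check discussed in the comment above (resolving the AES-CTR symbols from whichever libcrypto is actually loaded, rather than trusting the compile-time version `#define`), as an added example that is not code from the HADOOP-10734 patch. The helper names `first_missing_symbol` and `probe_library`, the library name `libcrypto.so`, and the choice of `EVP_aes_128_ctr` / `EVP_aes_256_ctr` as the probed symbols are assumptions made for illustration.

```c
#include <dlfcn.h>
#include <stdio.h>

/* Returns the index of the first name that dlsym() cannot resolve in
 * `handle`, or -1 when every name resolves. dlerror() is used instead of
 * a NULL check because a symbol's value may legitimately be NULL. */
static int first_missing_symbol(void *handle, const char *const *names, int n)
{
    for (int i = 0; i < n; i++) {
        dlerror();                      /* clear any stale error state */
        (void)dlsym(handle, names[i]);
        if (dlerror() != NULL)
            return i;
    }
    return -1;
}

/* Probes the library found at run time. Returns 0 if all symbols resolve,
 * 1 if one is missing (its name is stored in *missing), and -1 if the
 * library itself cannot be loaded. */
static int probe_library(const char *path, const char *const *names, int n,
                         const char **missing)
{
    void *h = dlopen(path, RTLD_LAZY);
    if (h == NULL)
        return -1;
    int idx = first_missing_symbol(h, names, n);
    dlclose(h);
    if (idx >= 0) {
        *missing = names[idx];
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Assumed names: a deployment may need a versioned soname instead. */
    static const char *const ctr_syms[] = { "EVP_aes_128_ctr", "EVP_aes_256_ctr" };
    const char *missing = NULL;
    int rc = probe_library("libcrypto.so", ctr_syms, 2, &missing);
    if (rc < 0) {
        fprintf(stderr, "Cannot load libcrypto.so: %s\n", dlerror());
        return 1;
    }
    if (rc > 0) {
        fprintf(stderr, "Cannot find AES-CTR support (%s missing), "
                        "is your version of Openssl new enough?\n", missing);
        return 1;
    }
    puts("AES-CTR symbols resolved from the libcrypto loaded at run time");
    return 0;
}
```

On glibc older than 2.34, link with `-ldl`.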
