[native-toolchain-CR] IMPALA-5743: Allow TLS version configuration
Henry Robinson has submitted this change and it was merged.

Change subject: IMPALA-5743: Allow TLS version configuration

IMPALA-5743: Allow TLS version configuration

* Backport THRIFT-2258 to allow for configuration of supported TLS versions.

* Rework patch so that either one specific version may be selected, or all versions including and following a specific version. So TLSv1_1 only allows TLS 1.1 connections, but TLSv1_1_plus allows TLS 1.1 and TLS 1.2 connections. This makes testing easier.

* SSLv2 and v3 are explicitly disabled, always, as per previous patch. They are insecure and superseded by TLS.

* Disable building Thrift's tutorial to slightly improve build times.

Thrift patch is available at:
https://github.com/henryr/thrift/commit/2bdc74de0a0874129e68371796362b1130227e42

Change-Id: Ida75e74682606eefcc59a17cb2dd2b4e71862e9c
---
M buildall.sh
M source/thrift/build.sh
A source/thrift/thrift-0.9.0-patches/0010-THRIFT-2258-Add-TLS-configuration.patch
3 files changed, 136 insertions(+), 1 deletion(-)

Approvals:
  Henry Robinson: Looks good to me, approved; Verified

--
To view, visit http://gerrit.cloudera.org:8080/7558
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ida75e74682606eefcc59a17cb2dd2b4e71862e9c
Gerrit-PatchSet: 3
Gerrit-Project: native-toolchain
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson
Gerrit-Reviewer: Henry Robinson
Gerrit-Reviewer: Sailesh Mukil

[native-toolchain-CR] IMPALA-5743: Allow TLS version configuration
Henry Robinson has posted comments on this change.

Change subject: IMPALA-5743: Allow TLS version configuration

Patch Set 3: Code-Review+2 Verified+1

Had to #ifdef code for openssl versions that don't support TLSv1.1 or later. This passed a full toolchain build.

[native-toolchain-CR] IMPALA-5743: Allow TLS version configuration
Hello Sailesh Mukil,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/7558

to look at the new patch set (#3).

Change subject: IMPALA-5743: Allow TLS version configuration

IMPALA-5743: Allow TLS version configuration

* Backport THRIFT-2258 to allow for configuration of supported TLS versions.

* Rework patch so that either one specific version may be selected, or all versions including and following a specific version. So TLSv1_1 only allows TLS 1.1 connections, but TLSv1_1_plus allows TLS 1.1 and TLS 1.2 connections. This makes testing easier.

* SSLv2 and v3 are explicitly disabled, always, as per previous patch. They are insecure and superseded by TLS.

* Disable building Thrift's tutorial to slightly improve build times.

Thrift patch is available at:
https://github.com/henryr/thrift/commit/2bdc74de0a0874129e68371796362b1130227e42

Change-Id: Ida75e74682606eefcc59a17cb2dd2b4e71862e9c
---
M buildall.sh
M source/thrift/build.sh
A source/thrift/thrift-0.9.0-patches/0010-THRIFT-2258-Add-TLS-configuration.patch
3 files changed, 136 insertions(+), 1 deletion(-)

git pull ssh://gerrit.cloudera.org:29418/native-toolchain refs/changes/58/7558/3

[native-toolchain-CR] IMPALA-5743: Allow TLS version configuration
Sailesh Mukil has posted comments on this change.

Change subject: IMPALA-5743: Allow TLS version configuration

Patch Set 1: Code-Review+2

[native-toolchain-CR] IMPALA-5743: Allow TLS version configuration
Henry Robinson has posted comments on this change.

Change subject: IMPALA-5743: Allow TLS version configuration

Patch Set 1:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/7558/1/source/thrift/thrift-0.9.0-patches/0010-THRIFT-2258-Add-TLS-configuration.patch
File source/thrift/thrift-0.9.0-patches/0010-THRIFT-2258-Add-TLS-configuration.patch:

PS1, Line 36: case TLSv1_2_plus: : + options |= SSL_OP_NO_TLSv1_1; : +case TLSv1_1_plus: : + options |= SSL_OP_NO_TLSv1; : +case TLSv1_0_plus: : + ctx_ = SSL_CTX_new(SSLv23_method()); : + break;
> I'm a little nervous about this extra change.

I've tested them with Impala, and the Impala-side changes for this patch have a thorough test suite for all protocol and client combinations.

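Review bot: The TLSv1_2_plus and TLSv1_1_plus cases reach TLSv1_0_plus only by falling through, and nothing in the hunk marks that as intentional. Add a "// fall through" comment after each "options |=" line: a break inserted there later would skip both the remaining SSL_OP_NO_* flag and the SSL_CTX_new(SSLv23_method()) call that only the last case makes. SSL_OP_NO_TLSv1_1 is also referenced unguarded in these lines, and the Patch Set 3 comment in this thread says OpenSSL versions without TLSv1.1 support needed an #ifdef, so the guard belongs around this case. Since ctx_ is created only in the final case, it is also worth confirming that options is applied to the context after the switch, which these lines do not show.
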
[native-toolchain-CR] IMPALA-5743: Allow TLS version configuration
Sailesh Mukil has posted comments on this change.

Change subject: IMPALA-5743: Allow TLS version configuration

Patch Set 1:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/7558/1/source/thrift/thrift-0.9.0-patches/0010-THRIFT-2258-Add-TLS-configuration.patch
File source/thrift/thrift-0.9.0-patches/0010-THRIFT-2258-Add-TLS-configuration.patch:

PS1, Line 36: case TLSv1_2_plus: : + options |= SSL_OP_NO_TLSv1_1; : +case TLSv1_1_plus: : + options |= SSL_OP_NO_TLSv1; : +case TLSv1_0_plus: : + ctx_ = SSL_CTX_new(SSLv23_method()); : + break;

I'm a little nervous about this extra change. How have you tested these changes?

Also, did you test them with:
TSSLSocketFactory(TLSv1_1_plus)
TSSLSocketFactory(TLSv1_2_plus)
?

[native-toolchain-CR] IMPALA-5743: Allow TLS version configuration
Henry Robinson has uploaded a new change for review.

  http://gerrit.cloudera.org:8080/7558

Change subject: IMPALA-5743: Allow TLS version configuration

IMPALA-5743: Allow TLS version configuration

* Backport THRIFT-2258 to allow for configuration of supported TLS versions.

* Rework patch so that either one specific version may be selected, or all versions including and following a specific version. So TLSv1_1 only allows TLS 1.1 connections, but TLSv1_1_plus allows TLS 1.1 and TLS 1.2 connections. This makes testing easier.

* SSLv2 and v3 are explicitly disabled, always, as per previous patch. They are insecure and superseded by TLS.

* Disable building Thrift's tutorial to slightly improve build times.

Thrift patch is available at:
https://github.com/henryr/thrift/commit/32293b8314e57f181e9e5c08bc8812a3cfdb7ecf

Change-Id: Ida75e74682606eefcc59a17cb2dd2b4e71862e9c
---
M buildall.sh
M source/thrift/build.sh
A source/thrift/thrift-0.9.0-patches/0010-THRIFT-2258-Add-TLS-configuration.patch
3 files changed, 126 insertions(+), 1 deletion(-)

git pull ssh://gerrit.cloudera.org:29418/native-toolchain refs/changes/58/7558/1

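The selection semantics described in the commit message (one exact version, or a version "and following", with SSLv2/v3 always off), modelled as an added example that is not code from the patch or from Thrift. The NO_* bits are constructed stand-ins for OpenSSL's SSL_OP_NO_* options, the enumerator names TLSv1_0 and TLSv1_2 are assumed by analogy with the names in the thread, and exact versions are modelled with masks purely for illustration.

```cpp
#include <cstdint>
#include <iostream>
#include <string>

// Constructed stand-in bits; real code would pass OpenSSL's SSL_OP_NO_SSLv2,
// SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, ... to SSL_CTX_set_options().
enum : uint32_t { NO_SSLv2 = 1, NO_SSLv3 = 2, NO_TLS1_0 = 4, NO_TLS1_1 = 8, NO_TLS1_2 = 16 };

// TLSv1_1 and the *_plus names appear in the thread; TLSv1_0 and TLSv1_2 are assumed.
enum Protocol { TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_0_plus, TLSv1_1_plus, TLSv1_2_plus };

// Returns the protocol versions that must be disabled for a given selection.
uint32_t DisabledMask(Protocol p) {
  uint32_t options = NO_SSLv2 | NO_SSLv3;  // never negotiable, whatever is selected
  switch (p) {
    case TLSv1_0: options |= NO_TLS1_1 | NO_TLS1_2; break;
    case TLSv1_1: options |= NO_TLS1_0 | NO_TLS1_2; break;
    case TLSv1_2: options |= NO_TLS1_0 | NO_TLS1_1; break;
    case TLSv1_2_plus:
      options |= NO_TLS1_1;
      // fall through: 1.2+ also excludes everything 1.1+ excludes
    case TLSv1_1_plus:
      options |= NO_TLS1_0;
      // fall through
    case TLSv1_0_plus:
      break;
  }
  return options;
}

bool Allows(Protocol p, uint32_t no_flag) { return (DisabledMask(p) & no_flag) == 0; }

// Audit helper: true if nothing older than TLS 1.2 can be negotiated.
bool Tls12Only(Protocol p) {
  return !Allows(p, NO_TLS1_0) && !Allows(p, NO_TLS1_1) && Allows(p, NO_TLS1_2);
}

std::string Describe(Protocol p) {
  std::string out;
  if (Allows(p, NO_TLS1_0)) out += "1.0 ";
  if (Allows(p, NO_TLS1_1)) out += "1.1 ";
  if (Allows(p, NO_TLS1_2)) out += "1.2 ";
  return out;
}

int main() {
  const char* names[] = {"TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_0_plus", "TLSv1_1_plus", "TLSv1_2_plus"};
  for (int i = 0; i < 6; ++i)
    std::cout << names[i] << " -> " << Describe(static_cast<Protocol>(i)) << "\n";
}
```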