[ 
https://issues.apache.org/jira/browse/IMPALA-6990?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16495416#comment-16495416
 ] 

Sailesh Mukil commented on IMPALA-6990:
---------------------------------------

[~philip] I missed a detail, which was that this test never ran on RHEL6 due to 
all our RHEL6 machines having OpenSSL 1.0.0, which doesn't support TLSv1.2, 
causing them to be skipped.

On RHEL7, this used to work before the Thrift upgrade because the old Thrift 
cpp library (0.9.0) was somehow accepting TLSv1 connections even though we 
explicitly set TLSv1.2 on the server. I'm unable to figure out why that was 
happening, and it looks like a bug, but I'll keep looking. It could be a bug in 
the Python 'ssl' library, or the Thrift 0.9.0 Python library, or the Thrift 
0.9.0 CPP library, or even OpenSSL.

In Thrift 0.9.3, we explicitly select TLSv1.2 if that's what the user specified, 
which fixes the above-mentioned bug. Our test caught this bug, since the client 
side doesn't support TLSv1.2 unless we are equipped with Python 2.7.9 or up.

As for a weaker test, we already run test_ssl(), which is a weaker test as it 
doesn't enforce any ciphers or TLS versions, which allows the client and server 
to negotiate a protocol that they're both aware of.

> TestClientSsl.test_tls_v12 failing due to Python SSL error
> ----------------------------------------------------------
>
>                 Key: IMPALA-6990
>                 URL: https://issues.apache.org/jira/browse/IMPALA-6990
>             Project: IMPALA
>          Issue Type: Bug
>    Affects Versions: Impala 3.0
>            Reporter: Sailesh Mukil
>            Assignee: Sailesh Mukil
>            Priority: Blocker
>              Labels: broken-build, flaky
>
> We've seen quite a few jobs fail with the following error:
> *_ssl.c:504: EOF occurred in violation of protocol*
> {code:java}
> custom_cluster/test_client_ssl.py:128: in test_tls_v12
>     self._validate_positive_cases("%s/server-cert.pem" % self.CERT_DIR)
> custom_cluster/test_client_ssl.py:181: in _validate_positive_cases
>     result = run_impala_shell_cmd(shell_options)
> shell/util.py:97: in run_impala_shell_cmd
>     result.stderr)
> E   AssertionError: Cmd --ssl -q 'select 1 + 2' was expected to succeed: 
> Starting Impala Shell without Kerberos authentication
> E   SSL is enabled. Impala server certificates will NOT be verified (set 
> --ca_cert to change)
> E   
> /data/jenkins/workspace/impala-cdh6.x-exhaustive-rhel7/Impala-Toolchain/thrift-0.9.3-p4/python/lib64/python2.7/site-packages/thrift/transport/TSSLSocket.py:80:
>  DeprecationWarning: 3th positional argument is deprecated. Use keyward 
> argument insteand.
> E     DeprecationWarning)
> E   
> /data/jenkins/workspace/impala-cdh6.x-exhaustive-rhel7/Impala-Toolchain/thrift-0.9.3-p4/python/lib64/python2.7/site-packages/thrift/transport/TSSLSocket.py:80:
>  DeprecationWarning: 4th positional argument is deprecated. Use keyward 
> argument insteand.
> E     DeprecationWarning)
> E   
> /data/jenkins/workspace/impala-cdh6.x-exhaustive-rhel7/Impala-Toolchain/thrift-0.9.3-p4/python/lib64/python2.7/site-packages/thrift/transport/TSSLSocket.py:80:
>  DeprecationWarning: 5th positional argument is deprecated. Use keyward 
> argument insteand.
> E     DeprecationWarning)
> E   
> /data/jenkins/workspace/impala-cdh6.x-exhaustive-rhel7/Impala-Toolchain/thrift-0.9.3-p4/python/lib64/python2.7/site-packages/thrift/transport/TSSLSocket.py:216:
>  DeprecationWarning: validate is deprecated. Use cert_reqs=ssl.CERT_NONE 
> instead
> E     DeprecationWarning)
> E   No handlers could be found for logger "thrift.transport.TSSLSocket"
> E   Error connecting: TTransportException, Could not connect to 
> localhost:21000: [Errno 8] _ssl.c:504: EOF occurred in violation of protocol
> E   Not connected to Impala, could not execute queries.
> {code}
> We need to investigate why this is happening and fix it.
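
The client-side precondition discussed in the comment above, written as an added example (not part of the original message and not Impala's or Thrift's code): it lists why a client cannot offer TLSv1.2 and models why a server pinned to TLSv1.2 fails where an unpinned one negotiates. The function names, the simplified negotiation model and the sample inputs are assumptions; the OpenSSL 1.0.1 minimum is the first OpenSSL release with TLSv1.2.

```python
import ssl
import sys

# Minimums: the comment above gives Python 2.7.9 for client-side TLSv1.2 and notes
# that OpenSSL 1.0.0 lacks it; 1.0.1 is the first OpenSSL release with TLSv1.2.
MIN_PYTHON = (2, 7, 9)
MIN_OPENSSL = (1, 0, 1)
ORDER = ("TLSv1", "TLSv1.1", "TLSv1.2")  # oldest to newest


def tls12_blockers(py_version, openssl_version, has_tls12_constant):
    """Return the reasons a client cannot offer TLSv1.2 (empty list means it can)."""
    reasons = []
    if tuple(py_version[:3]) < MIN_PYTHON:
        reasons.append("Python %d.%d.%d is older than 2.7.9" % tuple(py_version[:3]))
    if tuple(openssl_version[:3]) < MIN_OPENSSL:
        reasons.append("OpenSSL %d.%d.%d is older than 1.0.1" % tuple(openssl_version[:3]))
    if not has_tls12_constant:
        reasons.append("ssl module has no PROTOCOL_TLSv1_2")
    return reasons


def runtime_blockers():
    """Run the same check against the interpreter executing this script."""
    return tls12_blockers(sys.version_info, ssl.OPENSSL_VERSION_INFO,
                          hasattr(ssl, "PROTOCOL_TLSv1_2"))


def negotiate(server_allowed, client_supported):
    """Simplified model: highest version both sides accept, or None (handshake fails)."""
    common = [v for v in ORDER if v in server_allowed and v in client_supported]
    return common[-1] if common else None


if __name__ == "__main__":
    # Constructed inputs: an old client (old Python, OpenSSL 1.0.0, TLSv1 only).
    print(tls12_blockers((2, 6, 6), (1, 0, 0), False))
    old_client = {"TLSv1"}
    print("server pinned to TLSv1.2:", negotiate({"TLSv1.2"}, old_client))
    print("server not pinned:", negotiate(set(ORDER), old_client))
    print("this runtime:", runtime_blockers() or "TLSv1.2 available")
```

A test can call `runtime_blockers()` in its skip condition so that the skip message names the missing prerequisite instead of surfacing as a handshake error.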


