[ https://issues.apache.org/jira/browse/IMPALA-8595?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robbie Zhang updated IMPALA-8595:
---------------------------------
    Description:
IMPALA-5690 replaced thrift 0.9.0 with 0.9.3, in which THRIFT-3505 changed transport/TSSLSocket.py.

In thrift 0.9.3, if the python version is lower than 2.7.9, TSSLSocket uses PROTOCOL_TLSv1 by default:
{code:java}
# For python >= 2.7.9, use latest TLS that both client and server supports.
# SSL 2.0 and 3.0 are disabled via ssl.OP_NO_SSLv2 and ssl.OP_NO_SSLv3.
# For python < 2.7.9, use TLS 1.0 since TLSv1_X and OP_NO_SSLvX are unavailable.
_default_protocol = ssl.PROTOCOL_SSLv23 if _has_ssl_context else ssl.PROTOCOL_TLSv1
{code}
And the SSL version should be passed as an argument to TSSLSocket.__init__ instead of overriding self.SSL_VERSION in TSSLSocketWithWildcardSAN.__init__. The fix for IMPALA-5775 doesn't work against thrift 0.9.3. So if we use python lower than 2.7.9 (for example, it's python2.7.5 on Red Hat/CentOS 7.5) and set ssl_minimum_version to tlsv1.2, the impala-shell command can't connect to impalad:

{code:java}
# impala-shell -i impalad01.example.com -k --ssl --ca_cert=/etc/cdep-ssl-conf/CA_STANDARD/truststore.pem
SSL is enabled
No handlers could be found for logger "thrift.transport.TSSLSocket"
Error connecting: TTransportException, Could not connect to impalad01.example.com:21000: EOF occurred in violation of protocol (_ssl.c:579)
{code}

  was:
IMPALA-5690 replaced thrift 0.9.0 with 0.9.3, in which THRIFT-3505 changed transport/TSSLSocket.py.

In thrift 0.9.3, if the python version is lower than 2.9.7, TSSLSocket uses PROTOCOL_TLSv1 by default:
{code:java}
# For python >= 2.7.9, use latest TLS that both client and server supports.
# SSL 2.0 and 3.0 are disabled via ssl.OP_NO_SSLv2 and ssl.OP_NO_SSLv3.
# For python < 2.7.9, use TLS 1.0 since TLSv1_X and OP_NO_SSLvX are unavailable.
_default_protocol = ssl.PROTOCOL_SSLv23 if _has_ssl_context else ssl.PROTOCOL_TLSv1
{code}
And the SSL version should be passed as an argument to TSSLSocket.__init__ instead of overriding self.SSL_VERSION in TSSLSocketWithWildcardSAN.__init__. The fix for IMPALA-5775 doesn't work against thrift 0.9.3. So if we use python lower than 2.7.9 (for example, it's python2.7.5 on Red Hat/CentOS 7.5) and set ssl_minimum_version to tlsv1.2, the impala-shell command can't connect to impalad:

{code:java}
# impala-shell -i impalad01.example.com -k --ssl --ca_cert=/etc/cdep-ssl-conf/CA_STANDARD/truststore.pem
SSL is enabled
No handlers could be found for logger "thrift.transport.TSSLSocket"
Error connecting: TTransportException, Could not connect to impalad01.example.com:21000: EOF occurred in violation of protocol (_ssl.c:579)
{code}

> THRIFT-3505 breaks IMPALA-5775
> ------------------------------
>
>                 Key: IMPALA-8595
>                 URL: https://issues.apache.org/jira/browse/IMPALA-8595
>             Project: IMPALA
>          Issue Type: Bug
>    Affects Versions: Impala 3.1.0
>            Reporter: Robbie Zhang
>            Assignee: Robbie Zhang
>            Priority: Major
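The failure mode described in the report, as an added sketch that is neither thrift's nor Impala's code: a simplified model in which the base socket fixes its protocol inside `__init__`, so a subclass that assigns `SSL_VERSION` afterwards stays pinned to TLS 1.0 on Python < 2.7.9. The class names, the `has_ssl_context` and `client_max` parameters, and the choice of `ssl.PROTOCOL_SSLv23` as the value to pass are assumptions made for illustration.

```python
import ssl

# Simplified model of the behaviour the report describes; NOT thrift's code.
class ModelTSSLSocket(object):
    SSL_VERSION = None  # legacy attribute that subclasses used to override

    def __init__(self, has_ssl_context, ssl_version=None):
        # has_ssl_context=False simulates Python < 2.7.9 (e.g. 2.7.5 on CentOS 7.5).
        default = ssl.PROTOCOL_SSLv23 if has_ssl_context else ssl.PROTOCOL_TLSv1
        # The protocol is fixed here; later attribute assignments are not consulted.
        self._ssl_version = default if ssl_version is None else ssl_version


class OverrideAfterInit(ModelTSSLSocket):
    """Old pattern: assign SSL_VERSION after the base constructor has run."""
    def __init__(self, has_ssl_context):
        ModelTSSLSocket.__init__(self, has_ssl_context)
        self.SSL_VERSION = ssl.PROTOCOL_SSLv23  # too late, has no effect


class PassAsArgument(ModelTSSLSocket):
    """Pattern the report asks for: hand the protocol to the base constructor."""
    def __init__(self, has_ssl_context):
        ModelTSSLSocket.__init__(self, has_ssl_context,
                                 ssl_version=ssl.PROTOCOL_SSLv23)


TLS_RANK = {"tlsv1": 0, "tlsv1.1": 1, "tlsv1.2": 2}

def handshake_possible(sock, server_minimum, client_max="tlsv1.2"):
    """True if the client's offer can satisfy the server's ssl_minimum_version.

    client_max is an assumption: the highest TLS version the client's OpenSSL
    build supports.
    """
    if sock._ssl_version == ssl.PROTOCOL_TLSv1:
        offered = "tlsv1"      # pinned to exactly TLS 1.0
    else:
        offered = client_max   # PROTOCOL_SSLv23 negotiates the highest shared version
    return TLS_RANK[offered] >= TLS_RANK[server_minimum]


if __name__ == "__main__":
    for cls in (OverrideAfterInit, PassAsArgument):
        ok = handshake_possible(cls(has_ssl_context=False), "tlsv1.2")
        print("%s on old Python, server minimum tlsv1.2: %s" % (cls.__name__, ok))
```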