[ 
https://issues.apache.org/jira/browse/IMPALA-8595?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robbie Zhang updated IMPALA-8595:
---------------------------------
    Description: 
IMPALA-5690 replaced thrift 0.9.0 with 0.9.3 in which THRIFT-3505 changed 
transport/TSSLSocket.py. 

In thrift 0.9.3, if the python version is lower than 2.7.9, TSSLSocket uses 
PROTOCOL_TLSv1 by default:
{code:java}
  # For python >= 2.7.9, use latest TLS that both client and server supports.
  # SSL 2.0 and 3.0 are disabled via ssl.OP_NO_SSLv2 and ssl.OP_NO_SSLv3.
  # For python < 2.7.9, use TLS 1.0 since TLSv1_X and OP_NO_SSLvX are unavailable.
  _default_protocol = ssl.PROTOCOL_SSLv23 if _has_ssl_context else ssl.PROTOCOL_TLSv1
{code}
And the SSL version should be passed as an argument to TSSLSocket.__init__ 
instead of overriding self.SSL_VERSION in TSSLSocketWithWildcardSAN.__init__. 
The fix for IMPALA-5775 doesn't work against thrift 0.9.3. So if we use python 
lower than 2.7.9 (for example, it's python2.7.5 on Red Hat/CentOS 7.5) and set 
ssl_minimum_version to tlsv1.2, impala-shell command can't connect to impalad:

 
{code:java}
# impala-shell -i impalad01.example.com -k --ssl --ca_cert=/etc/cdep-ssl-conf/CA_STANDARD/truststore.pem
SSL is enabled
No handlers could be found for logger "thrift.transport.TSSLSocket"
Error connecting: TTransportException, Could not connect to impalad01.example.com:21000: EOF occurred in violation of protocol (_ssl.c:579)
{code}
 

 

  was:
IMPALA-5690 replaced thrift 0.9.0 with 0.9.3 in which THRIFT-3505 changed 
transport/TSSLSocket.py. 

In thrift 0.9.3, if the python version is lower than 2.9.7, TSSLSocket uses 
PROTOCOL_TLSv1 by default:
{code:java}
  # For python >= 2.7.9, use latest TLS that both client and server supports.
  # SSL 2.0 and 3.0 are disabled via ssl.OP_NO_SSLv2 and ssl.OP_NO_SSLv3.
  # For python < 2.7.9, use TLS 1.0 since TLSv1_X and OP_NO_SSLvX are unavailable.
  _default_protocol = ssl.PROTOCOL_SSLv23 if _has_ssl_context else ssl.PROTOCOL_TLSv1
{code}
And the SSL version should be passed as an argument to TSSLSocket.__init__ 
instead of overriding self.SSL_VERSION in TSSLSocketWithWildcardSAN.__init__. 
The fix for IMPALA-5775 doesn't work against thrift 0.9.3. So if we use python 
lower than 2.7.9 (for example, it's python2.7.5 on Red Hat/CentOS 7.5) and set 
ssl_minimum_version to tlsv1.2, impala-shell command can't connect to impalad:

 
{code:java}
# impala-shell -i impalad01.example.com -k --ssl --ca_cert=/etc/cdep-ssl-conf/CA_STANDARD/truststore.pem
SSL is enabled
No handlers could be found for logger "thrift.transport.TSSLSocket"
Error connecting: TTransportException, Could not connect to impalad01.example.com:21000: EOF occurred in violation of protocol (_ssl.c:579)
{code}
 

 


> THRIFT-3505 breaks IMPALA-5775
> ------------------------------
>
>                 Key: IMPALA-8595
>                 URL: https://issues.apache.org/jira/browse/IMPALA-8595
>             Project: IMPALA
>          Issue Type: Bug
>    Affects Versions: Impala 3.1.0
>            Reporter: Robbie Zhang
>            Assignee: Robbie Zhang
>            Priority: Major
>
> IMPALA-5690 replaced thrift 0.9.0 with 0.9.3 in which THRIFT-3505 changed 
> transport/TSSLSocket.py. 
> In thrift 0.9.3, if the python version is lower than 2.7.9, TSSLSocket uses 
> PROTOCOL_TLSv1 by default:
> {code:java}
>   # For python >= 2.7.9, use latest TLS that both client and server supports.
>   # SSL 2.0 and 3.0 are disabled via ssl.OP_NO_SSLv2 and ssl.OP_NO_SSLv3.
>   # For python < 2.7.9, use TLS 1.0 since TLSv1_X and OP_NO_SSLvX are unavailable.
>   _default_protocol = ssl.PROTOCOL_SSLv23 if _has_ssl_context else ssl.PROTOCOL_TLSv1
> {code}
> And the SSL version should be passed as an argument to TSSLSocket.__init__ 
> instead of overriding self.SSL_VERSION in TSSLSocketWithWildcardSAN.__init__. 
> The fix for IMPALA-5775 doesn't work against thrift 0.9.3. So if we use 
> python lower than 2.7.9 (for example, it's python2.7.5 on Red Hat/CentOS 7.5) 
> and set ssl_minimum_version to tlsv1.2, impala-shell command can't connect to 
> impalad:
>  
> {code:java}
> # impala-shell -i impalad01.example.com -k --ssl --ca_cert=/etc/cdep-ssl-conf/CA_STANDARD/truststore.pem
> SSL is enabled
> No handlers could be found for logger "thrift.transport.TSSLSocket"
> Error connecting: TTransportException, Could not connect to impalad01.example.com:21000: EOF occurred in violation of protocol (_ssl.c:579)
> {code}
>  
>  



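The failure mode described in this report, as a small added model that is not code from the Impala or Thrift projects: a base class fixes its TLS protocol inside `__init__`, so an attribute assigned afterwards is ignored and the TLS 1.0 default remains in force. The class names, the `has_ssl_context` flag, the choice of `ssl.PROTOCOL_SSLv23` as the requested value and the negotiation table are assumptions of this example; only the `ssl` module constants are real.

```python
import ssl

# Constructed model: which TLS versions each client protocol constant can offer.
OFFERS = {
    ssl.PROTOCOL_SSLv23: {"tlsv1", "tlsv1.1", "tlsv1.2"},  # negotiates highest shared
    ssl.PROTOCOL_TLSv1: {"tlsv1"},                          # TLS 1.0 only
}
ORDER = ["tlsv1", "tlsv1.1", "tlsv1.2"]  # constructed labels, lowest to highest


class BaseTLSSocket(object):
    """Hypothetical base transport: the protocol is fixed inside __init__."""

    def __init__(self, has_ssl_context, ssl_version=None):
        # Same default rule as the snippet quoted in the report.
        default = ssl.PROTOCOL_SSLv23 if has_ssl_context else ssl.PROTOCOL_TLSv1
        self._ssl_version = default if ssl_version is None else ssl_version

    def effective_protocol(self):
        return self._ssl_version


class OverrideAfterInit(BaseTLSSocket):
    """Sets an attribute the base class never reads, so the default stays."""

    def __init__(self, has_ssl_context):
        BaseTLSSocket.__init__(self, has_ssl_context)
        self.SSL_VERSION = ssl.PROTOCOL_SSLv23  # silently ignored


class PassToInit(BaseTLSSocket):
    """Hands the protocol to the base constructor, where it is consumed."""

    def __init__(self, has_ssl_context):
        BaseTLSSocket.__init__(self, has_ssl_context, ssl_version=ssl.PROTOCOL_SSLv23)


def handshake_possible(sock, server_minimum):
    """True if the client offers any version at or above the server minimum."""
    allowed = set(ORDER[ORDER.index(server_minimum):])
    return bool(OFFERS[sock.effective_protocol()] & allowed)


if __name__ == "__main__":
    for cls in (OverrideAfterInit, PassToInit):
        sock = cls(has_ssl_context=False)  # models Python < 2.7.9
        print(cls.__name__, handshake_possible(sock, "tlsv1.2"))
```

With `has_ssl_context=False` the override-after-init client stays on TLS 1.0 and cannot satisfy a `tlsv1.2` minimum, which is the situation behind the `EOF occurred in violation of protocol` error in the report.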