[ https://issues.apache.org/jira/browse/IMPALA-10069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17258329#comment-17258329 ]
Joe McDonnell commented on IMPALA-10069: ---------------------------------------- I confirmed that this is related to the TLS 1.3 ciphersuites. In prior versions, the set of acceptable ciphers was controlled by the SSL_CTX_set_cipher_list(). The TLS 1.3 ciphersuites are now controlled by a separate API: SSL_CTX_set_ciphersuites(). By default, there are valid TLS 1.3 ciphersuites available, so the behavior of SSL_CTX_set_cipher_list() is no longer the same. Setting an invalid list of ciphers in SSL_CTX_set_cipher_list() still leaves valid TLS 1.3 ciphersuites available, so the BadCiphers and Webserver tests that expect startup failure don't fail the way we expect. Setting the server and client to different ciphers (so they cannot match) still leaves them sharing the TLS 1.3 ciphersuites, so they can still communicate. This is why the MismatchedCiphers suite fails. The BadCiphers failures would be addressed by the change listed above that fails SSL_CTX_set_cipher_list() if no TLS 1.2 ciphers are available. I have a code change that fixes this by disabling TLS 1.3, but that is not desirable. One option is to provide an equivalent of ssl_cipher_list for the TLS 1.3 ciphersuites (tls_ciphersuites_list?). The existing tests would pass if this was set to exclude all TLS 1.3 ciphersuites. New tests could be added to exercise the new option. Fixing this would fix some pieces of IMPALA-10392. Centos 8 doesn't see the BadCipher test failures (it must have the fix I mentioned previously), but it does see the MismatchedCiphers failure. It has an additional failure that might be related to security levels. See that Jira for more info. > Cipher-specific BE tests fail on Ubuntu 18.04 > --------------------------------------------- > > Key: IMPALA-10069 > URL: https://issues.apache.org/jira/browse/IMPALA-10069 > Project: IMPALA > Issue Type: Bug > Components: Backend > Affects Versions: Impala 4.0 > Reporter: Laszlo Gaal > Priority: Critical > Labels: broken-build, ramp-up > > When BE tests run on Ubuntu 18.04, the following BE tests fail: > * RpcMgrTest.BadCiphersTls > * SslTest.BadCiphers > * SslTest.MismatchedCiphers > * Webserver.SslCipherSuite > These failures were observed both in Docker-based and in standalone builds; > see e.g. > https://jenkins.impala.io/job/ubuntu-18.04-from-scratch/33/testReport/ > Since Ubuntu 18.04 builds are not (yet) part of the precommit test suite, the > priority is only raised to P2 (critical). -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org For additional commands, e-mail: issues-all-h...@impala.apache.org