[ 
https://issues.apache.org/jira/browse/IMPALA-10069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17258329#comment-17258329
 ] 

Joe McDonnell commented on IMPALA-10069:
----------------------------------------

I confirmed that this is related to the TLS 1.3 ciphersuites.

In prior versions, the set of acceptable ciphers was controlled by 
SSL_CTX_set_cipher_list(). The TLS 1.3 ciphersuites are now controlled by a 
separate API: SSL_CTX_set_ciphersuites(). By default, there are valid TLS 1.3 
ciphersuites available, so the behavior of SSL_CTX_set_cipher_list() is no 
longer the same. Setting an invalid list of ciphers in 
SSL_CTX_set_cipher_list() still leaves valid TLS 1.3 ciphersuites available, so 
the BadCiphers and Webserver tests that expect startup failure don't fail the 
way we expect. Setting the server and client to different ciphers (so they 
cannot match) still leaves them sharing the TLS 1.3 ciphersuites, so they can 
still communicate. This is why the MismatchedCiphers suite fails. The 
BadCiphers failures would be addressed by the change listed above that fails 
SSL_CTX_set_cipher_list() if no TLS 1.2 ciphers are available.

I have a code change that fixes this by disabling TLS 1.3, but that is not 
desirable. One option is to provide an equivalent of ssl_cipher_list for the 
TLS 1.3 ciphersuites (tls_ciphersuites_list?). The existing tests would pass if 
this was set to exclude all TLS 1.3 ciphersuites. New tests could be added to 
exercise the new option. 

Fixing this would fix some pieces of IMPALA-10392. CentOS 8 doesn't see the 
BadCipher test failures (it must have the fix I mentioned previously), but it 
does see the MismatchedCiphers failure. It has an additional failure that might 
be related to security levels. See that Jira for more info.

 

> Cipher-specific BE tests fail on Ubuntu 18.04
> ---------------------------------------------
>
>                 Key: IMPALA-10069
>                 URL: https://issues.apache.org/jira/browse/IMPALA-10069
>             Project: IMPALA
>          Issue Type: Bug
>          Components: Backend
>    Affects Versions: Impala 4.0
>            Reporter: Laszlo Gaal
>            Priority: Critical
>              Labels: broken-build, ramp-up
>
> When BE tests run on Ubuntu 18.04, the following BE tests fail:
> * RpcMgrTest.BadCiphersTls
> * SslTest.BadCiphers
> * SslTest.MismatchedCiphers
> *  Webserver.SslCipherSuite
> These failures were observed both in Docker-based and in standalone builds; 
> see e.g. 
> https://jenkins.impala.io/job/ubuntu-18.04-from-scratch/33/testReport/
> Since Ubuntu 18.04 builds are not (yet) part of the precommit test suite, the 
> priority is only raised to P2 (critical).



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
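
The MismatchedCiphers behaviour described in the comment above, as an added example that is not part of the original message or of Impala's code. It uses Python's ssl module, whose set_ciphers() wraps SSL_CTX_set_cipher_list(), and compares the configured suite lists instead of running a handshake (which would need certificates). Assumptions: Python is linked against OpenSSL 1.1.1 or later, and the helper names and sample cipher strings are hypothetical.

```python
import ssl

def make_ctx(protocol, tls12_ciphers, allow_tls13=True):
    """Build a context with its TLS 1.2 cipher list restricted."""
    ctx = ssl.SSLContext(protocol)
    # set_ciphers() calls SSL_CTX_set_cipher_list(); TLS 1.3 suites are untouched.
    ctx.set_ciphers(tls12_ciphers)
    if not allow_tls13:
        # The workaround mentioned in the comment: disable TLS 1.3 altogether.
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def split_suites(ctx):
    """Return (tls13_names, tls12_and_older_names) configured on ctx."""
    tls13, older = [], []
    for cipher in ctx.get_ciphers():
        (tls13 if cipher["protocol"] == "TLSv1.3" else older).append(cipher["name"])
    return tls13, older

def negotiable(ctx):
    """Suites ctx can offer, given its maximum protocol version (a model)."""
    tls13, older = split_suites(ctx)
    tls13_on = ctx.maximum_version in (ssl.TLSVersion.MAXIMUM_SUPPORTED,
                                       ssl.TLSVersion.TLSv1_3)
    return set(older) | (set(tls13) if tls13_on else set())

def shared_suites(server_ctx, client_ctx):
    """Overlap between both sides; an empty set means no handshake can succeed."""
    return negotiable(server_ctx) & negotiable(client_ctx)

# Constructed sample: deliberately disjoint TLS 1.2 lists, as in MismatchedCiphers.
SERVER_CIPHERS = "ECDHE-RSA-AES128-GCM-SHA256"
CLIENT_CIPHERS = "ECDHE-RSA-AES256-GCM-SHA384"

if __name__ == "__main__":
    for allow in (True, False):
        srv = make_ctx(ssl.PROTOCOL_TLS_SERVER, SERVER_CIPHERS, allow)
        cli = make_ctx(ssl.PROTOCOL_TLS_CLIENT, CLIENT_CIPHERS, allow)
        print("TLS 1.3 allowed:", allow, "shared:", sorted(shared_suites(srv, cli)))
```

With TLS 1.3 allowed, the shared set is the default TLS 1.3 ciphersuites even though the two TLS 1.2 lists do not overlap; capping both sides at TLS 1.2 leaves it empty.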
