[ https://issues.apache.org/jira/browse/IMPALA-11240?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Joe McDonnell resolved IMPALA-11240.
------------------------------------
    Fix Version/s: Impala 4.2.0
       Resolution: Fixed

> Revisit the default value for ssl_cipher_list to eliminate insecure ciphers
> ---------------------------------------------------------------------------
>
>                 Key: IMPALA-11240
>                 URL: https://issues.apache.org/jira/browse/IMPALA-11240
>             Project: IMPALA
>          Issue Type: Improvement
>          Components: Security
>    Affects Versions: Impala 4.1.0
>            Reporter: Joe McDonnell
>            Assignee: Joe McDonnell
>            Priority: Major
>             Fix For: Impala 4.2.0
>
>
> The default value for ssl_cipher_list is empty, which uses any cipher
> supported by the operating system's OpenSSL version. Some older ciphers are
> known to be weak, and Mozilla's guide to server side SSL settings recommends
> restricting the SSL ciphers:
> [https://wiki.mozilla.org/Security/Server_Side_TLS]
> In particular, a curated list based on the intermediate compatibility level
> seems like a reasonable way to improve security. For example, Kudu restricts
> SSL ciphers to this list:
> [https://github.com/apache/kudu/blob/master/src/kudu/security/security_flags.cc#L30]
> {noformat}
> const char* const SecurityDefaults::SecurityDefaults::kDefaultTlsCiphers =
>     "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
>     "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
>     "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";
> {noformat}
> We should consider doing something similar.

--
This message was sent by Atlassian Jira
(v8.20.7#820007)
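The comparison the issue calls for, as an added example that is neither Impala's nor Kudu's code: it asks the local OpenSSL which TLS 1.2 suites an empty ssl_cipher_list (assumed here to mean OpenSSL's "DEFAULT" list) versus Kudu's curated list actually enables, and flags the ones that fail the Mozilla intermediate profile under assumed criteria (forward secrecy, AEAD, no RC4/3DES).

```python
import ssl

# Kudu's curated list, copied from the issue above.
KUDU_CIPHERS = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"
)


def enabled_ciphers(cipher_list):
    """Return the TLS <= 1.2 suites OpenSSL enables for a cipher-list string.

    An empty string stands in for Impala's empty ssl_cipher_list default and is
    mapped to OpenSSL's own "DEFAULT" list (assumption: that is what "any cipher
    supported by the OpenSSL version" amounts to).  TLS 1.3 suites are configured
    separately in OpenSSL and are always reported, so they are filtered out.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list or "DEFAULT")  # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_reasons(cipher):
    """Reasons a suite would fail the Mozilla intermediate profile (assumed
    criteria: forward secrecy required, AEAD required, no RC4 or 3DES)."""
    name = cipher["name"]
    reasons = []
    if not name.startswith(("ECDHE-", "DHE-")):
        reasons.append("no forward secrecy (static RSA/other key exchange)")
    if not cipher.get("aead", False):
        reasons.append("not AEAD (CBC or legacy MAC construction)")
    if "RC4" in name or "DES" in name:
        reasons.append("legacy bulk cipher")
    return reasons


def audit(cipher_list):
    """Map each weak suite the list enables to the reasons it is weak."""
    weak = {}
    for c in enabled_ciphers(cipher_list):
        reasons = weak_reasons(c)
        if reasons:
            weak[c["name"]] = reasons
    return weak


if __name__ == "__main__":
    for label, lst in (("empty default", ""), ("curated (Kudu)", KUDU_CIPHERS)):
        weak = audit(lst)
        print(f"{label}: {len(enabled_ciphers(lst))} suites, {len(weak)} weak")
        for name, why in weak.items():
            print(f"  {name}: {'; '.join(why)}")
```

The exact "empty default" output depends on the OpenSSL build and any system-wide crypto policy, which is the point: an empty setting delegates the decision to whatever the host ships.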