Joe McDonnell created IMPALA-11240:
--------------------------------------

             Summary: Revisit the default value for ssl_cipher_list to eliminate insecure ciphers
                 Key: IMPALA-11240
                 URL: https://issues.apache.org/jira/browse/IMPALA-11240
             Project: IMPALA
          Issue Type: Improvement
          Components: Security
    Affects Versions: Impala 4.1.0
            Reporter: Joe McDonnell


The default value for ssl_cipher_list is empty, which uses any cipher supported 
by the operating system's OpenSSL version. Some older ciphers are known to be 
weak, and Mozilla's guide to server side SSL settings recommends restricting 
the SSL ciphers:

[https://wiki.mozilla.org/Security/Server_Side_TLS]

In particular, a curated list based on the intermediate compatibility level 
seems like a reasonable way to improve security. For example, Kudu restricts 
SSL ciphers to this list: 

[https://github.com/apache/kudu/blob/master/src/kudu/security/security_flags.cc#L30]
{noformat}
const char* const SecurityDefaults::SecurityDefaults::kDefaultTlsCiphers =
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";
{noformat}
We should consider doing something similar.



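An added example, not part of the issue or of Impala's or Kudu's code: a Python check that asks the local OpenSSL which TLS 1.2-and-earlier suites the quoted Kudu list enables, and which suites an unrestricted list enables beyond it. It assumes OpenSSL's `DEFAULT` keyword is a fair stand-in for an unset `ssl_cipher_list`; the function names are hypothetical.

```python
import ssl

# Cipher list quoted in the issue (Kudu's kDefaultTlsCiphers).
KUDU_TLS_CIPHERS = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"
)

# Assumption: OpenSSL's "DEFAULT" keyword stands in for an unset ssl_cipher_list.
UNSET_EQUIVALENT = "DEFAULT"


def expand(cipher_string):
    """Return the TLS 1.2-and-earlier suites the local OpenSSL enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches
    # TLS 1.3 suites are configured separately in OpenSSL and are always
    # listed, so they are left out of the comparison.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def outside_allowlist(baseline, allowlist):
    """Suites enabled by `baseline` that `allowlist` would turn off."""
    allowed = {c["name"] for c in expand(allowlist)}
    return [
        {"name": c["name"], "kea": c["kea"], "aead": c["aead"],
         "bits": c["strength_bits"]}
        for c in expand(baseline)
        if c["name"] not in allowed
    ]


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for c in expand(KUDU_TLS_CIPHERS):
        print("kept   ", c["name"], c["kea"], "aead" if c["aead"] else "non-aead")
    for d in outside_allowlist(UNSET_EQUIVALENT, KUDU_TLS_CIPHERS):
        print("dropped", d["name"], d["kea"],
              "aead" if d["aead"] else "non-aead", d["bits"])
```

The output depends on the OpenSSL build the interpreter links against, so run it on the hosts that terminate TLS rather than on a workstation.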