Zoltan Borok-Nagy has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/18347 )

Change subject: IMPALA-11195: Disable SSL session renegotiation
......................................................................

IMPALA-11195: Disable SSL session renegotiation

This patch disables TLS ciphers renegotiation for TLSv1.2 and prior
protocol versions. Renegotiation is not possible in a TLSv1.3
connection.

In case of OpenSSL version 1.1.0h and newer, we are
using SSL_OP_NO_RENEGOTIATION option to disable all renegotiations. In
case of OpenSSL version prior to 1.1.0a, the undocumented flag
SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS is used.

The moot point is the version interval between 1.1.0a and 1.1.0g
(inclusive): the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag is no longer
available from the application side, but SSL_OP_NO_RENEGOTIATION is not
yet present. So, if a server binary has been compiled with OpenSSL in
the specified version range, it's still advertising the renegotiation
option, even if it's run against OpenSSL 1.1.0h or later versions.

Change-Id: I44ee3ff729798834fdda5862f4e50dae8bb287a2
Reviewed-on: http://gerrit.cloudera.org:8080/18347
Reviewed-by: Riza Suminto <riza.sumi...@cloudera.com>
Reviewed-by: Joe McDonnell <joemcdonn...@cloudera.com>
Tested-by: Zoltan Borok-Nagy <borokna...@cloudera.com>
---
M buildall.sh
A source/thrift/thrift-0.11.0-patches/0005-IMPALA-11195-Disable-SSL-renegotiations.patch
2 files changed, 55 insertions(+), 1 deletion(-)

Approvals:
  Riza Suminto: Looks good to me, but someone else must approve
  Joe McDonnell: Looks good to me, approved
  Zoltan Borok-Nagy: Verified

--
To view, visit http://gerrit.cloudera.org:8080/18347

Gerrit-Project: native-toolchain
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I44ee3ff729798834fdda5862f4e50dae8bb287a2
Gerrit-Change-Number: 18347
Gerrit-PatchSet: 2
Gerrit-Owner: Zoltan Borok-Nagy <borokna...@cloudera.com>
Gerrit-Reviewer: Joe McDonnell <joemcdonn...@cloudera.com>
Gerrit-Reviewer: Riza Suminto <riza.sumi...@cloudera.com>
Gerrit-Reviewer: Zoltan Borok-Nagy <borokna...@cloudera.com>
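
An added example, not part of the Impala or Thrift patch: a C helper that sorts an OpenSSL build-time version into the three ranges the commit message describes, so a build can be audited for the 1.1.0a to 1.1.0g gap. The function names are hypothetical; the hex constants use OpenSSL's OPENSSL_VERSION_NUMBER encoding, and the range boundaries are the ones stated in the commit message.

```c
#include <stdio.h>

/* OPENSSL_VERSION_NUMBER layout for 1.0.x/1.1.x: 0xMNNFFPPS
 * (major, minor, fix, patch letter, status nibble; 0xf = release). */
#define V_1_1_0A 0x1010001fUL /* 1.1.0a release */
#define V_1_1_0H 0x1010008fUL /* 1.1.0h release */

enum reneg_guard {
    GUARD_LEGACY_S3_FLAG, /* SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS usable */
    GUARD_NONE,           /* gap: neither mechanism available at build time */
    GUARD_OP_NO_RENEG     /* SSL_OP_NO_RENEGOTIATION usable */
};

/* Classify by the version of the headers the binary was BUILT against.
 * Boundaries are an assumption taken from the commit message above. */
enum reneg_guard reneg_guard_for_build(unsigned long built)
{
    if (built >= V_1_1_0H) return GUARD_OP_NO_RENEG;
    if (built >= V_1_1_0A) return GUARD_NONE;
    return GUARD_LEGACY_S3_FLAG;
}

/* Nonzero when the build falls in the gap; per the commit message, running
 * it against a newer OpenSSL library does not disable renegotiation. */
int build_needs_rebuild(unsigned long built)
{
    return reneg_guard_for_build(built) == GUARD_NONE;
}

/* Render e.g. 0x1010007f as "1.1.0g"; non-release builds get "-pre". */
const char *ossl_version_str(unsigned long v, char *buf, size_t n)
{
    unsigned patch = (unsigned)((v >> 4) & 0xff);
    char letter[2] = { patch ? (char)('a' + patch - 1) : '\0', '\0' };
    snprintf(buf, n, "%lu.%lu.%lu%s%s", (v >> 28) & 0xf, (v >> 20) & 0xff,
             (v >> 12) & 0xff, letter, (v & 0xf) == 0xf ? "" : "-pre");
    return buf;
}

int main(void)
{
    /* Constructed sample build versions, not taken from a real deployment. */
    unsigned long s[] = { 0x1000211fUL, 0x1010001fUL, 0x1010007fUL,
                          0x1010008fUL, 0x1010106fUL };
    char buf[32];
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-8s guard=%d rebuild=%d\n", ossl_version_str(s[i], buf, sizeof buf),
               reneg_guard_for_build(s[i]), build_needs_rebuild(s[i]));
    return 0;
}
```

Feed it the `OPENSSL_VERSION_NUMBER` recorded at build time, not the version of the library loaded at runtime.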
