Hello Impala Public Jenkins,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/20360

to look at the new patch set (#2).

Change subject: IMPALA-11195: Disable SSL renegotiations for OpenSSL 1.0.2.
......................................................................

IMPALA-11195: Disable SSL renegotiations for OpenSSL 1.0.2.

When OpenSSL 1.0.2 was being used, Impala didn't disable SSL
renegotiations correctly. It wasn't enough to set the flag
SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS right after SSL_new(), because
due to an OpenSSL bug the SSL flags get reset in SSL_accept().
See https://github.com/openssl/openssl/discussions/21666

With this patch the following happens depending on the OpenSSL version:

* OpenSSL 1.0.2: we set the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag in
  a callback function the same way as it is being set in various
  open source projects
* OpenSSL 1.1.0h+: we set the SSL_OP_NO_RENEGOTIATION option in the
  SSL_CTX object
* OpenSSL versions between the above two: we raise either a compile-time
  error (when compiled with such a version) or a runtime warning (when
  Impala is running with such a version)

This patch also upgrades the native toolchain version to have a Thrift
that is fixed the same way.

Testing:
* manually tested on CentOS 7.9 with
  >openssl s_client -connect <host>:<port>
  >R
  Initially it outputs that "Secure Renegotiation IS supported" because
  we can only set the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag after the
  handshake, but then prompting "R" doesn't do the renegotiation.
  Without these changes "R" renegotiates.

Change-Id: I6fd6a8dedcbca8f50a16dbe68ebd8303e3e5aed1
---
M be/src/rpc/authentication.cc
M be/src/thirdparty/squeasel/squeasel.c
M bin/impala-config.sh
3 files changed, 30 insertions(+), 8 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/60/20360/2
-- 
To view, visit http://gerrit.cloudera.org:8080/20360
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I6fd6a8dedcbca8f50a16dbe68ebd8303e3e5aed1
Gerrit-Change-Number: 20360
Gerrit-PatchSet: 2
Gerrit-Owner: Zoltan Borok-Nagy <borokna...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
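
The version gating described in the commit message above, as an added example (not code from the Impala patch): it decodes an OpenSSL version number and selects one of the three outcomes the message lists. The function, enum and macro names are hypothetical, the sample version numbers are constructed, and treating releases older than 1.0.2 as unsupported is an assumption the message does not state.

```c
#include <stdio.h>
#include <string.h>

/* Pre-3.0 layout of OPENSSL_VERSION_NUMBER: 0xMNNFFPPS
 * (major, minor, fix, patch letter, status nibble; 0xf = release). */
#define VER_1_0_2_FIRST 0x10002000UL /* earliest 1.0.2 build */
#define VER_1_0_3_FIRST 0x10003000UL /* first value past the 1.0.2 series */
#define VER_1_1_0H      0x1010008fUL /* 1.1.0h release */

enum reneg_policy {
  RENEG_UNSUPPORTED,      /* compile-time error or runtime warning */
  RENEG_FLAG_IN_CALLBACK, /* set SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS in a callback */
  RENEG_CTX_OPTION        /* set SSL_OP_NO_RENEGOTIATION on the SSL_CTX */
};

/* Map a version number to the mitigation the commit message names.
 * Assumption: anything older than 1.0.2 is treated as unsupported. */
enum reneg_policy reneg_policy_for(unsigned long v) {
  if (v >= VER_1_1_0H) return RENEG_CTX_OPTION;
  if (v >= VER_1_0_2_FIRST && v < VER_1_0_3_FIRST) return RENEG_FLAG_IN_CALLBACK;
  return RENEG_UNSUPPORTED;
}

/* Render the version as text (e.g. "1.1.0h") for a warning message. */
int format_version(unsigned long v, char *out, size_t n) {
  unsigned major = (v >> 28) & 0xf, minor = (v >> 20) & 0xff;
  unsigned fix = (v >> 12) & 0xff, patch = (v >> 4) & 0xff;
  if (major >= 3) /* 3.x layout is 0xMNN00PP0: patch is numeric, no letter */
    return snprintf(out, n, "%u.%u.%u", major, minor, patch);
  if (patch >= 1 && patch <= 26)
    return snprintf(out, n, "%u.%u.%u%c", major, minor, fix,
                    (char)('a' + patch - 1));
  return snprintf(out, n, "%u.%u.%u", major, minor, fix);
}

int main(void) {
  /* Constructed sample values: 1.0.2u, 1.1.0g, 1.1.0h, 3.0.2 */
  unsigned long samples[] = {0x1000215fUL, 0x1010007fUL, 0x1010008fUL,
                             0x30000020UL};
  const char *names[] = {"unsupported: warn", "flag set in callback",
                         "SSL_CTX option"};
  char buf[16];
  for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
    format_version(samples[i], buf, sizeof buf);
    printf("OpenSSL %-7s -> %s\n", buf, names[reneg_policy_for(samples[i])]);
  }
  return 0;
}
```
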
