Hello Impala Public Jenkins,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/20360

to look at the new patch set (#2).

Change subject: IMPALA-11195: Disable SSL renegotiations for OpenSSL 1.0.2.
......................................................................

IMPALA-11195: Disable SSL renegotiations for OpenSSL 1.0.2.

When OpenSSL 1.0.2 was being used Impala didn't disable SSL
renegotiations correctly. It wasn't enough to set the flag
SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS right after SSL_new(), as due to an
OpenSSL bug the SSL flags are getting reset in SSL_accept().
See https://github.com/openssl/openssl/discussions/21666

With this patch the following happens depending on the OpenSSL version:
* OpenSSL 1.0.2: we set the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag in
  a callback function the same way as it is being set in various open
  source projects
* OpenSSL 1.1.0h+: we set the SSL_OP_NO_RENEGOTIATION option in the
  SSL_CTX object
* OpenSSL versions between the above two: we raise either a
  compile-time error (when compiled with such a version) or a runtime
  warning (when Impala is running with such a version)

This patch also upgrades the native toolchain version to have a
Thrift that is fixed the same way.

Testing:
* manually tested on CentOS 7.9 with
    >openssl s_client -connect <host>:<port>
    >R
  Initially it outputs that "Secure Renegotiation IS supported" because
  we can only set the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag after the
  handshake, but then prompting "R" doesn't do the renegotiation.
  Without these changes "R" renegotiates.

Change-Id: I6fd6a8dedcbca8f50a16dbe68ebd8303e3e5aed1
---
M be/src/rpc/authentication.cc
M be/src/thirdparty/squeasel/squeasel.c
M bin/impala-config.sh
3 files changed, 30 insertions(+), 8 deletions(-)

  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/60/20360/2
--
To view, visit http://gerrit.cloudera.org:8080/20360

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I6fd6a8dedcbca8f50a16dbe68ebd8303e3e5aed1
Gerrit-Change-Number: 20360
Gerrit-PatchSet: 2
Gerrit-Owner: Zoltan Borok-Nagy <borokna...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
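
The three-way version split described in the commit message, sketched as a runtime check. This is an added example, not code from the patch or from Impala; the function and enum names are hypothetical, the input is assumed to be OpenSSL's numeric version value (the encoding of OPENSSL_VERSION_NUMBER), and the sample values are constructed.

```c
#include <stdio.h>

/* Added illustration; all names here are hypothetical, not Impala's. */
enum reneg_strategy {
    RENEG_FLAG_IN_CALLBACK, /* 1.0.2: SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS */
    RENEG_CTX_OPTION,       /* 1.1.0h+: SSL_OP_NO_RENEGOTIATION on SSL_CTX */
    RENEG_UNSUPPORTED       /* in between: warn at runtime */
};

/* v uses OpenSSL's numeric version layout, 0xMNNFFPPS before 3.0. */
enum reneg_strategy pick_strategy(unsigned long v) {
    if ((v >> 4) >= 0x1010008UL)   /* status nibble dropped: 1.1.0h or later */
        return RENEG_CTX_OPTION;
    if ((v >> 12) == 0x10002UL)    /* any 1.0.2 letter release */
        return RENEG_FLAG_IN_CALLBACK;
    /* Assumption: releases older than 1.0.2 are treated like the gap. */
    return RENEG_UNSUPPORTED;
}

/* Render the numeric version as text, e.g. 0x1010008f -> "1.1.0h". */
int format_version(unsigned long v, char *buf, size_t len) {
    unsigned major = (v >> 28) & 0xf, minor = (v >> 20) & 0xff;
    unsigned fix = (v >> 12) & 0xff, patch = (v >> 4) & 0xff;
    if (major >= 3)                /* 3.x layout is 0xMNN00PP0 */
        return snprintf(buf, len, "%u.%u.%u", major, minor, patch);
    if (patch >= 1 && patch <= 26) /* patch 1..26 maps to letters a..z */
        return snprintf(buf, len, "%u.%u.%u%c", major, minor, fix,
                        'a' + (int)patch - 1);
    return snprintf(buf, len, "%u.%u.%u", major, minor, fix);
}

int main(void) {
    /* Constructed sample values: 1.0.1, 1.0.2k, 1.1.0g, 1.1.0h, 1.1.1, 3.0.0 */
    static const unsigned long samples[] = {
        0x1000100fUL, 0x100020bfUL, 0x1010007fUL,
        0x1010008fUL, 0x1010100fUL, 0x30000000UL };
    static const char *labels[] = {
        "set flag in callback", "SSL_OP_NO_RENEGOTIATION", "unsupported: warn" };
    char buf[16];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        format_version(samples[i], buf, sizeof buf);
        printf("%-8s -> %s\n", buf, labels[pick_strategy(samples[i])]);
    }
    return 0;
}
```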