Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/7821 )
Change subject: rpc: allow setting --rpc_tls_min_protocol on older RHEL versions
......................................................................

Patch Set 2:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/7821/2/src/kudu/security/tls_context.cc
File src/kudu/security/tls_context.cc:

http://gerrit.cloudera.org:8080/#/c/7821/2/src/kudu/security/tls_context.cc@52
PS2, Line 52: // --rpc-tls-min-protocol=TLSv1.2 option, negotiations will fail at runtime with
            : // a 'missing protocol' error:
            : /
> is there any way we can make this fail earlier? ie at startup rather than a

I think it's possible to look at SSLv23_method()->version just after initialization of the OpenSSL library. It looks like a hack, but it works for the way the SSLv23_method() is implemented.

As a POC, I compiled the code below on CentOS 6.4 with OpenSSL 1.0.0-stable and then ran it against both the 1.0.0u and 1.0.1e versions. The output was (it's in hexadecimal):

1.0.0u: 301
1.0.1e: 303

301 corresponds to TLSv1
303 corresponds to TLSv1.2

--------
#include <openssl/ssl.h>
#include <openssl/err.h>

#include <iostream>

using namespace std;

// Load the error strings and register the SSL algorithms.
void init_openssl() {
  SSL_load_error_strings();
  OpenSSL_add_ssl_algorithms();
}

void cleanup_openssl() {
  EVP_cleanup();
}

int main() {
  init_openssl();
  // Print, in hex, the version field of the version-flexible method.
  // This reads SSL_METHOD directly, so it needs OpenSSL older than 1.1.0,
  // where the struct became opaque.
  cout << std::hex << SSLv23_method()->version << endl;
  cleanup_openssl();
  return 0;
}
--------

--
To view, visit http://gerrit.cloudera.org:8080/7821
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ic61f31788d63072fae609c6a2186e52d5e2467b7
Gerrit-Change-Number: 7821
Gerrit-PatchSet: 2
Gerrit-Owner: Dan Burkert <danburk...@apache.org>
Gerrit-Reviewer: Adar Dembo <a...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <aser...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <danburk...@apache.org>
Gerrit-Reviewer: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <t...@apache.org>
Gerrit-Comment-Date: Thu, 11 Jan 2018 21:20:45 +0000
Gerrit-HasComments: Yes
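The startup check suggested in the comment above, as an added example that is not code from the Kudu change or from the comment's author: it compares the value the POC reads from SSLv23_method()->version with the protocol requested by --rpc_tls_min_protocol and returns an error before any negotiation is attempted. The names ParseMinProtocol and CheckMinProtocol and the accepted flag spellings are assumptions, and the library value is passed in as a plain integer so the block builds without OpenSSL.

```cpp
#include <iostream>
#include <sstream>
#include <string>

// TLS wire versions, the same numbers the POC prints in hex.
constexpr int kTls1_0 = 0x0301;
constexpr int kTls1_1 = 0x0302;
constexpr int kTls1_2 = 0x0303;

// Hypothetical helper: map a --rpc_tls_min_protocol value to its wire
// version. The accepted spellings are an assumption. Returns 0 if unknown.
int ParseMinProtocol(const std::string& name) {
  if (name == "TLSv1") return kTls1_0;
  if (name == "TLSv1.1") return kTls1_1;
  if (name == "TLSv1.2") return kTls1_2;
  return 0;
}

// Hypothetical startup check. 'library_max' is the value read from
// SSLv23_method()->version right after OpenSSL initialization.
// Returns an empty string when the flag can be honoured, otherwise the
// message the process should log before refusing to start.
std::string CheckMinProtocol(const std::string& flag, int library_max) {
  const int wanted = ParseMinProtocol(flag);
  if (wanted == 0) {
    return "unknown value for --rpc_tls_min_protocol: '" + flag + "'";
  }
  if (wanted > library_max) {
    std::ostringstream msg;
    msg << "--rpc_tls_min_protocol=" << flag << " needs version 0x" << std::hex
        << wanted << ", but the linked OpenSSL tops out at 0x" << library_max;
    return msg.str();
  }
  return "";
}

int main() {
  // The two values reported in the comment: 1.0.0u -> 0x301, 1.0.1e -> 0x303.
  const int observed[] = {0x301, 0x303};
  for (int library_max : observed) {
    const std::string err = CheckMinProtocol("TLSv1.2", library_max);
    std::cout << std::hex << library_max << ": "
              << (err.empty() ? "ok" : err) << std::endl;
  }
  return 0;
}
```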