Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/17268 )
Change subject: WIP [security] set minimum TLS protocol to TSLv1.2
......................................................................

Patch Set 1:

(3 comments)

http://gerrit.cloudera.org:8080/#/c/17268/1//COMMIT_MSG
Commit Message:

http://gerrit.cloudera.org:8080/#/c/17268/1//COMMIT_MSG@12
PS1, Line 12: Supported server-side OSes have OpenSSL of at least version 1.0.1
            : in their stock distribution, so Kudu servers running on supported
            : OSes automatically support TLSv1.2
> It sounds like older OS will work if a custom OpenSSL version is installed?

Right. Even more: RHEL/CentOS 6.5 and newer will work fine after removing the CentOS6.4 OpenSSL API breakage workaround since those OSes use OpenSSL 1.0.1 and later in their stock distribution.

http://gerrit.cloudera.org:8080/#/c/17268/1//COMMIT_MSG@24
PS1, Line 24: add more information on server/client incompatibilities with
            : this patch, i.e. what obsoleted server platforms would not be able
            : to talk to the newer C++ and Java clients
> Adding this OpenSSL version requirement to the install documentation would

Prior versions of C++ and Java clients will work fine with newer servers as soon as:
  * C++ client is compiled and run against OpenSSL 1.0.1 and later
  * Java runtime is Java8 or later

http://gerrit.cloudera.org:8080/#/c/17268/1/java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java
File java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java:

http://gerrit.cloudera.org:8080/#/c/17268/1/java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java@a150
PS1, Line 150:
            :
I guess we can still keep this and the corresponding ciphers. The only needed change on the Java client side would be re-ordering the ciphers to put TLSv1.3 and TLSv1.2 ciphers with higher priority in the list. That way we can allow the newest clients to connect to Kudu servers running on RHEL6/CentOS6 and other EOL releases.
--
To view, visit http://gerrit.cloudera.org:8080/17268
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I07633a04d3828100f148e5de3905094198d13396
Gerrit-Change-Number: 17268
Gerrit-PatchSet: 1
Gerrit-Owner: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Andrew Wong <[email protected]>
Gerrit-Reviewer: Attila Bukor <[email protected]>
Gerrit-Reviewer: Grant Henke <[email protected]>
Gerrit-Reviewer: Greg Solovyev <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Mon, 05 Apr 2021 16:32:47 +0000
Gerrit-HasComments: Yes
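
The cipher re-ordering suggested in the Negotiator.java comment above, sketched as an added example that is not part of the original message and is not Kudu's code. The class name CipherPriorityExample, the rank() heuristic based on JSSE suite names, and the sample suite list are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Comparator;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added illustration (hypothetical class, not Kudu code).
public class CipherPriorityExample {

  // 0 = TLSv1.3 suite, 1 = suite defined only for TLSv1.2, 2 = legacy suite.
  static int rank(String suite) {
    if (suite.startsWith("TLS_AES_") || suite.startsWith("TLS_CHACHA20_")) {
      return 0;  // TLSv1.3 names carry no key-exchange part ("_WITH_")
    }
    if (suite.contains("_WITH_")
        && (suite.endsWith("_SHA256") || suite.endsWith("_SHA384"))) {
      return 1;  // GCM, ChaCha20-Poly1305 and CBC-SHA256/384 need TLSv1.2
    }
    return 2;    // e.g. *_CBC_SHA, still usable by pre-TLSv1.2 peers
  }

  // Stable sort: order inside each rank is preserved and no suite is dropped,
  // so older servers can still negotiate a legacy suite from the tail.
  static String[] prioritize(String[] suites) {
    List<String> ordered = new ArrayList<>(Arrays.asList(suites));
    ordered.sort(Comparator.comparingInt(CipherPriorityExample::rank));
    return ordered.toArray(new String[0]);
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample list, deliberately in a poor order.
    String[] sample = {
      "TLS_RSA_WITH_AES_128_CBC_SHA",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    };
    System.out.println(Arrays.toString(prioritize(sample)));

    // Apply the same ordering to a client-mode engine from the default context.
    SSLEngine engine = SSLContext.getDefault().createSSLEngine();
    engine.setUseClientMode(true);
    engine.setEnabledCipherSuites(prioritize(engine.getEnabledCipherSuites()));
    System.out.println(Arrays.toString(engine.getEnabledCipherSuites()));
  }
}
```

For the sample list the TLSv1.3 suite comes first, the two TLSv1.2-only suites follow in their original relative order, and the CBC-SHA suite stays last rather than being removed.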
