[native-toolchain-CR] thrift-0.9.3-p4: forward compatibility of TLS protocols

[Tianyi Wang (Code Review)]

Tianyi Wang has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/10129 )

Change subject: thrift-0.9.3-p4: forward compatibility of TLS protocols
..


Patch Set 3: Verified+1


--
To view, visit http://gerrit.cloudera.org:8080/10129
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: native-toolchain
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ifdca94a9426feff5ab52a80cf4da669a3fbfe812
Gerrit-Change-Number: 10129
Gerrit-PatchSet: 3
Gerrit-Owner: Tianyi Wang 
Gerrit-Reviewer: Michael Ho 
Gerrit-Reviewer: Sailesh Mukil 
Gerrit-Reviewer: Tianyi Wang 
Gerrit-Comment-Date: Wed, 25 Apr 2018 18:40:25 +
Gerrit-HasComments: No

[native-toolchain-CR] thrift-0.9.3-p4: forward compatibility of TLS protocols

[Tianyi Wang (Code Review)]

Tianyi Wang has submitted this change and it was merged. ( 
http://gerrit.cloudera.org:8080/10129 )

Change subject: thrift-0.9.3-p4: forward compatibility of TLS protocols
..

thrift-0.9.3-p4: forward compatibility of TLS protocols

This patch adds thrift-0.9.3-p4. In thrift-0.9.3-p3, TLS protocols are
not forward-compatible. A server using TLSv1_x only works with a client
using the same protocol. This patch changes thrift into using
SSLv23_method() and disabling undesired protocols using flags. TLSv1_x
will behave like TLSv1_x_plus in thrift-0.9.0-p11 and is compatible with
later versions.

Change-Id: Ifdca94a9426feff5ab52a80cf4da669a3fbfe812
Reviewed-on: http://gerrit.cloudera.org:8080/10129
Reviewed-by: Tianyi Wang 
Reviewed-by: Sailesh Mukil 
Tested-by: Tianyi Wang 
---
M buildall.sh
A source/thrift/thrift-0.9.3-patches/0004-TLS-forward-compatibility.patch
2 files changed, 56 insertions(+), 1 deletion(-)

Approvals:
  Tianyi Wang: Looks good to me, but someone else must approve; Verified
  Sailesh Mukil: Looks good to me, approved

--
To view, visit http://gerrit.cloudera.org:8080/10129
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: native-toolchain
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: Ifdca94a9426feff5ab52a80cf4da669a3fbfe812
Gerrit-Change-Number: 10129
Gerrit-PatchSet: 4
Gerrit-Owner: Tianyi Wang 
Gerrit-Reviewer: Michael Ho 
Gerrit-Reviewer: Sailesh Mukil 
Gerrit-Reviewer: Tianyi Wang 

[native-toolchain-CR] thrift-0.9.3-p4: forward compatibility of TLS protocols

[Sailesh Mukil (Code Review)]

Sailesh Mukil has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/10129 )

Change subject: thrift-0.9.3-p4: forward compatibility of TLS protocols
..


Patch Set 3: Code-Review+2


--
To view, visit http://gerrit.cloudera.org:8080/10129
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: native-toolchain
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ifdca94a9426feff5ab52a80cf4da669a3fbfe812
Gerrit-Change-Number: 10129
Gerrit-PatchSet: 3
Gerrit-Owner: Tianyi Wang 
Gerrit-Reviewer: Michael Ho 
Gerrit-Reviewer: Sailesh Mukil 
Gerrit-Reviewer: Tianyi Wang 
Gerrit-Comment-Date: Tue, 24 Apr 2018 20:41:16 +
Gerrit-HasComments: No

[native-toolchain-CR] thrift-0.9.3-p4: forward compatibility of TLS protocols

[Tianyi Wang (Code Review)]

Tianyi Wang has uploaded a new patch set (#3). ( 
http://gerrit.cloudera.org:8080/10129 )

Change subject: thrift-0.9.3-p4: forward compatibility of TLS protocols
..

thrift-0.9.3-p4: forward compatibility of TLS protocols

This patch adds thrift-0.9.3-p4. In thrift-0.9.3-p3, TLS protocols are
not forward-compatible. A server using TLSv1_x only works with a client
using the same protocol. This patch changes thrift into using
SSLv23_method() and disabling undesired protocols using flags. TLSv1_x
will behave like TLSv1_x_plus in thrift-0.9.0-p11 and is compatible with
later versions.

Change-Id: Ifdca94a9426feff5ab52a80cf4da669a3fbfe812
---
M buildall.sh
A source/thrift/thrift-0.9.3-patches/0004-TLS-forward-compatibility.patch
2 files changed, 56 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.cloudera.org:29418/native-toolchain 
refs/changes/29/10129/3
--
To view, visit http://gerrit.cloudera.org:8080/10129
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: native-toolchain
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ifdca94a9426feff5ab52a80cf4da669a3fbfe812
Gerrit-Change-Number: 10129
Gerrit-PatchSet: 3
Gerrit-Owner: Tianyi Wang 
Gerrit-Reviewer: Michael Ho 
Gerrit-Reviewer: Sailesh Mukil 
Gerrit-Reviewer: Tianyi Wang 

[native-toolchain-CR] thrift-0.9.3-p4: forward compatibility of TLS protocols

[Michael Ho (Code Review)]

Michael Ho has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/10129 )

Change subject: thrift-0.9.3-p4: forward compatibility of TLS protocols
..


Patch Set 2: Code-Review+1

(1 comment)

Please have Sailesh take a look too.

http://gerrit.cloudera.org:8080/#/c/10129/1/source/thrift/thrift-0.9.3-patches/0004-TLS-forward-compatibility.patch
File source/thrift/thrift-0.9.3-patches/0004-TLS-forward-compatibility.patch:

http://gerrit.cloudera.org:8080/#/c/10129/1/source/thrift/thrift-0.9.3-patches/0004-TLS-forward-compatibility.patch@33
PS1, Line 33: +  break;
May wanna include "protocol" in the exception string.



--
To view, visit http://gerrit.cloudera.org:8080/10129
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: native-toolchain
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ifdca94a9426feff5ab52a80cf4da669a3fbfe812
Gerrit-Change-Number: 10129
Gerrit-PatchSet: 2
Gerrit-Owner: Tianyi Wang 
Gerrit-Reviewer: Michael Ho 
Gerrit-Reviewer: Sailesh Mukil 
Gerrit-Reviewer: Tianyi Wang 
Gerrit-Comment-Date: Mon, 23 Apr 2018 20:57:08 +
Gerrit-HasComments: Yes

[native-toolchain-CR] thrift-0.9.3-p4: forward compatibility of TLS protocols

[Tianyi Wang (Code Review)]

Tianyi Wang has uploaded a new patch set (#2). ( 
http://gerrit.cloudera.org:8080/10129 )

Change subject: thrift-0.9.3-p4: forward compatibility of TLS protocols
..

thrift-0.9.3-p4: forward compatibility of TLS protocols

This patch adds thrift-0.9.3-p4. In thrift-0.9.3-p3, TLS protocols are
not forward-compatible. A server using TLSv1_x only works with a client
using the same protocol. This patch changes thrift into using
SSLv23_method() and disabling undesired protocols using flags. TLSv1_x
will behave like TLSv1_x_plus in thrift-0.9.0-p11 and is compatible with
later versions.

Change-Id: Ifdca94a9426feff5ab52a80cf4da669a3fbfe812
---
M buildall.sh
A source/thrift/thrift-0.9.3-patches/0004-TLS-forward-compatibility.patch
2 files changed, 55 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.cloudera.org:29418/native-toolchain 
refs/changes/29/10129/2
--
To view, visit http://gerrit.cloudera.org:8080/10129
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: native-toolchain
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ifdca94a9426feff5ab52a80cf4da669a3fbfe812
Gerrit-Change-Number: 10129
Gerrit-PatchSet: 2
Gerrit-Owner: Tianyi Wang 
Gerrit-Reviewer: Michael Ho 
Gerrit-Reviewer: Sailesh Mukil 
Gerrit-Reviewer: Tianyi Wang 

[native-toolchain-CR] thrift-0.9.3-p4: forward compatibility of TLS protocols

[Michael Ho (Code Review)]

Michael Ho has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/10129 )

Change subject: thrift-0.9.3-p4: forward compatibility of TLS protocols
..


Patch Set 1:

(2 comments)

http://gerrit.cloudera.org:8080/#/c/10129/1/source/thrift/thrift-0.9.3-patches/0004-TLS-forward-compatibility.patch
File source/thrift/thrift-0.9.3-patches/0004-TLS-forward-compatibility.patch:

http://gerrit.cloudera.org:8080/#/c/10129/1/source/thrift/thrift-0.9.3-patches/0004-TLS-forward-compatibility.patch@24
PS1, Line 24: +  int options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
This may warrant a comment copied from below.

// Disable horribly insecure SSLv2 and SSLv3 protocols but allow a handshake
// with older clients so they get a graceful denial.


http://gerrit.cloudera.org:8080/#/c/10129/1/source/thrift/thrift-0.9.3-patches/0004-TLS-forward-compatibility.patch@30
PS1, Line 30: case TLSv1_0:
Should this also include SSLTLS ?



--
To view, visit http://gerrit.cloudera.org:8080/10129
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: native-toolchain
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ifdca94a9426feff5ab52a80cf4da669a3fbfe812
Gerrit-Change-Number: 10129
Gerrit-PatchSet: 1
Gerrit-Owner: Tianyi Wang 
Gerrit-Reviewer: Michael Ho 
Gerrit-Comment-Date: Mon, 23 Apr 2018 18:12:56 +
Gerrit-HasComments: Yes

[native-toolchain-CR] thrift-0.9.3-p4: forward compatibility of TLS protocols

[Tianyi Wang (Code Review)]

Tianyi Wang has uploaded this change for review. ( 
http://gerrit.cloudera.org:8080/10129


Change subject: thrift-0.9.3-p4: forward compatibility of TLS protocols
..

thrift-0.9.3-p4: forward compatibility of TLS protocols

This patch adds thrift-0.9.3-p4. In thrift-0.9.3-p3, TLS protocols are
not forward-compatible. A server using TLSv1_x only works with a client
using the same protocol. This patch changes thrift into using
SSLv23_method() and disabling undesired protocols using flags. TLSv1_x
will behave like TLSv1_x_plus in thrift-0.9.0-p11 and is compatible with
later versions.

Change-Id: Ifdca94a9426feff5ab52a80cf4da669a3fbfe812
---
M buildall.sh
A source/thrift/thrift-0.9.3-patches/0004-TLS-forward-compatibility.patch
2 files changed, 53 insertions(+), 1 deletion(-)



  git pull ssh://gerrit.cloudera.org:29418/native-toolchain 
refs/changes/29/10129/1
--
To view, visit http://gerrit.cloudera.org:8080/10129
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: native-toolchain
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ifdca94a9426feff5ab52a80cf4da669a3fbfe812
Gerrit-Change-Number: 10129
Gerrit-PatchSet: 1
Gerrit-Owner: Tianyi Wang