[
https://issues.apache.org/jira/browse/IMPALA-11240?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Joe McDonnell reassigned IMPALA-11240:
--------------------------------------
Assignee: Joe McDonnell
> Revisit the default value for ssl_cipher_list to eliminate insecure ciphers
> ---------------------------------------------------------------------------
>
> Key: IMPALA-11240
> URL: https://issues.apache.org/jira/browse/IMPALA-11240
> Project: IMPALA
> Issue Type: Improvement
> Components: Security
> Affects Versions: Impala 4.1.0
> Reporter: Joe McDonnell
> Assignee: Joe McDonnell
> Priority: Major
>
> The default value for ssl_cipher_list is empty, which uses any cipher
> supported by the operating system's OpenSSL version. Some older ciphers are
> known to be weak, and Mozilla's guide to server side SSL settings recommends
> restricting the SSL ciphers:
> [https://wiki.mozilla.org/Security/Server_Side_TLS]
> In particular, a curated list based on the intermediate compatibility level
> seems like a reasonable way to improve security. For example, Kudu restricts
> SSL ciphers to this list:
> [https://github.com/apache/kudu/blob/master/src/kudu/security/security_flags.cc#L30]
> {noformat}
> const char* const SecurityDefaults::SecurityDefaults::kDefaultTlsCiphers =
> "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
> "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
> "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";{noformat}
> We should consider doing something similar.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org
For additional commands, e-mail: issues-all-h...@impala.apache.org
