kudu-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jdcry...@apache.org
Subject [1/5] kudu git commit: ssl: switch to older APIs for initializing SSL
Date Mon, 07 Nov 2016 20:25:04 GMT
Repository: kudu
Updated Branches:
  refs/heads/master d4b1ea9d5 -> 8389f482b


ssl: switch to older APIs for initializing SSL

This enables support for OpenSSL 1.0.0 as found on RHEL 6.4.

Change-Id: I08fd5c3f6f8d2c228f760604dcecd7f1439578fb
Reviewed-on: http://gerrit.cloudera.org:8080/4957
Reviewed-by: Dan Burkert <danburkert@apache.org>
Tested-by: Kudu Jenkins


Project: http://git-wip-us.apache.org/repos/asf/kudu/repo
Commit: http://git-wip-us.apache.org/repos/asf/kudu/commit/81f645c5
Tree: http://git-wip-us.apache.org/repos/asf/kudu/tree/81f645c5
Diff: http://git-wip-us.apache.org/repos/asf/kudu/diff/81f645c5

Branch: refs/heads/master
Commit: 81f645c56e1aba2743c014c67a61b71208b057ae
Parents: d4b1ea9
Author: Todd Lipcon <todd@apache.org>
Authored: Fri Nov 4 14:52:38 2016 -0700
Committer: Todd Lipcon <todd@apache.org>
Committed: Fri Nov 4 23:18:01 2016 +0000

----------------------------------------------------------------------
 src/kudu/util/net/ssl_factory.cc | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/kudu/blob/81f645c5/src/kudu/util/net/ssl_factory.cc
----------------------------------------------------------------------
diff --git a/src/kudu/util/net/ssl_factory.cc b/src/kudu/util/net/ssl_factory.cc
index 68aa963..8751d77 100644
--- a/src/kudu/util/net/ssl_factory.cc
+++ b/src/kudu/util/net/ssl_factory.cc
@@ -75,13 +75,21 @@ SSLFactory::~SSLFactory() {
 
 Status SSLFactory::Init() {
   CHECK(!ctx_.get());
-  ctx_.reset(SSL_CTX_new(TLSv1_2_method()));
-  if (ctx_ == nullptr) {
+  // NOTE: 'SSLv23 method' sounds like it would enable only SSLv2 and SSLv3, but in fact
+  // this is a sort of wildcard which enables all methods (including TLSv1 and later).
+  // We explicitly disable SSLv2 and SSLv3 below so that only TLS methods remain.
+  // See the discussion on https://trac.torproject.org/projects/tor/ticket/11598 for more
+  // info.
+  ctx_.reset(SSL_CTX_new(SSLv23_method()));
+  if (!ctx_) {
     return Status::RuntimeError("Could not create SSL context");
   }
   SSL_CTX_set_mode(ctx_.get(), SSL_MODE_AUTO_RETRY);
-  SSL_CTX_set_options(ctx_.get(),
-      SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
+
+  // Disable SSLv2 and SSLv3 which are vulnerable to various issues such as POODLE.
+  // We support versions back to TLSv1.0 since OpenSSL on RHEL 6.4 and earlier does not
+  // not support TLSv1.1 or later.
+  SSL_CTX_set_options(ctx_.get(), SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
   SSL_CTX_set_verify(ctx_.get(),
       SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_CLIENT_ONCE, nullptr);
   return Status::OK();


Mime
View raw message