kudu-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From danburk...@apache.org
Subject kudu git commit: KUDU-2190: Strengthen default webserver TLS ciphers
Date Tue, 17 Oct 2017 01:38:44 GMT
Repository: kudu
Updated Branches:
  refs/heads/master 29514389a -> 57b8b8fdf


KUDU-2190: Strengthen default webserver TLS ciphers

This commit adds two new advanced flags: 'webserver-tls-ciphers' and
'webserver-tls-min-protocol', which can be configured to change the
webserver's list of available ciphers and TLS protocol version,
respectively. They work exactly the same as the existing
'rpc-tls-ciphers' and 'rpc-tls-min-protocol' flags which apply to KRPC.

In addition, this commit changes the default cipher suite exposed by the
webserver: instead of using the platform's default OpenSSL cipher suite,
which can be insecure on older platforms, it uses the same suite we've
been using succesfully with KRPC.

Testing: there are no automated tests provided, but I have manually
verified that the webserver no longer advertises 3DES and RC4 ciphers
using a script modified from [1].

[1]: https://superuser.com/a/224263

Change-Id: I9169e5dc30ba52251347241dca4c1ca490f581c9
Reviewed-on: http://gerrit.cloudera.org:8080/8286
Reviewed-by: Alexey Serbin <aserbin@cloudera.com>
Tested-by: Kudu Jenkins


Project: http://git-wip-us.apache.org/repos/asf/kudu/repo
Commit: http://git-wip-us.apache.org/repos/asf/kudu/commit/57b8b8fd
Tree: http://git-wip-us.apache.org/repos/asf/kudu/tree/57b8b8fd
Diff: http://git-wip-us.apache.org/repos/asf/kudu/diff/57b8b8fd

Branch: refs/heads/master
Commit: 57b8b8fdf33b312ab4a5d70e98dfe5e98a491b17
Parents: 2951438
Author: Dan Burkert <danburkert@apache.org>
Authored: Mon Oct 16 15:59:30 2017 -0700
Committer: Dan Burkert <danburkert@apache.org>
Committed: Tue Oct 17 01:38:31 2017 +0000

----------------------------------------------------------------------
 src/kudu/server/webserver.cc         |  5 +++++
 src/kudu/server/webserver_options.cc | 22 ++++++++++++++++++++++
 src/kudu/server/webserver_options.h  |  2 ++
 thirdparty/vars.sh                   |  2 +-
 4 files changed, 30 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/kudu/blob/57b8b8fd/src/kudu/server/webserver.cc
----------------------------------------------------------------------
diff --git a/src/kudu/server/webserver.cc b/src/kudu/server/webserver.cc
index 58a7f8e..4812001 100644
--- a/src/kudu/server/webserver.cc
+++ b/src/kudu/server/webserver.cc
@@ -207,6 +207,11 @@ Status Webserver::Start() {
       options.emplace_back("ssl_private_key_password");
       options.push_back(key_password); // maybe empty if not configured.
     }
+
+    options.emplace_back("ssl_ciphers");
+    options.emplace_back(opts_.tls_ciphers);
+    options.emplace_back("ssl_min_version");
+    options.emplace_back(opts_.tls_min_protocol);
   }
 
   if (!opts_.authentication_domain.empty()) {

http://git-wip-us.apache.org/repos/asf/kudu/blob/57b8b8fd/src/kudu/server/webserver_options.cc
----------------------------------------------------------------------
diff --git a/src/kudu/server/webserver_options.cc b/src/kudu/server/webserver_options.cc
index e25ea2a..a0bf92c 100644
--- a/src/kudu/server/webserver_options.cc
+++ b/src/kudu/server/webserver_options.cc
@@ -95,6 +95,26 @@ DEFINE_int32(webserver_port, 0,
              "Port to bind to for the web server");
 TAG_FLAG(webserver_port, stable);
 
+DEFINE_string(webserver_tls_ciphers,
+              // See security/tls_context.cc for origin of this list.
+              "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
+              "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
+              "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
+              "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
+              "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
+              "AES256-GCM-SHA384:AES128-GCM-SHA256:"
+              "AES256-SHA256:AES128-SHA256:"
+              "AES256-SHA:AES128-SHA",
+              "The cipher suite preferences to use for webserver HTTPS connections. "
+              "Uses the OpenSSL cipher preference list format. See man (1) ciphers "
+              "for more information.");
+TAG_FLAG(webserver_tls_ciphers, advanced);
+
+DEFINE_string(webserver_tls_min_protocol, "TLSv1",
+              "The minimum protocol version to allow when for webserver HTTPS "
+              "connections. May be one of 'TLSv1', 'TLSv1.1', or 'TLSv1.2'.");
+TAG_FLAG(webserver_tls_min_protocol, advanced);
+
 namespace kudu {
 
 static bool ValidateTlsFlags() {
@@ -135,6 +155,8 @@ WebserverOptions::WebserverOptions()
     private_key_password_cmd(FLAGS_webserver_private_key_password_cmd),
     authentication_domain(FLAGS_webserver_authentication_domain),
     password_file(FLAGS_webserver_password_file),
+    tls_ciphers(FLAGS_webserver_tls_ciphers),
+    tls_min_protocol(FLAGS_webserver_tls_min_protocol),
     num_worker_threads(FLAGS_webserver_num_worker_threads) {
 }
 

http://git-wip-us.apache.org/repos/asf/kudu/blob/57b8b8fd/src/kudu/server/webserver_options.h
----------------------------------------------------------------------
diff --git a/src/kudu/server/webserver_options.h b/src/kudu/server/webserver_options.h
index 1d1abb1..b0d2df0 100644
--- a/src/kudu/server/webserver_options.h
+++ b/src/kudu/server/webserver_options.h
@@ -38,6 +38,8 @@ struct WebserverOptions {
   std::string private_key_password_cmd;
   std::string authentication_domain;
   std::string password_file;
+  std::string tls_ciphers;
+  std::string tls_min_protocol;
   uint32_t num_worker_threads;
 };
 

http://git-wip-us.apache.org/repos/asf/kudu/blob/57b8b8fd/thirdparty/vars.sh
----------------------------------------------------------------------
diff --git a/thirdparty/vars.sh b/thirdparty/vars.sh
index 4ff2bc4..4451e8a 100644
--- a/thirdparty/vars.sh
+++ b/thirdparty/vars.sh
@@ -93,7 +93,7 @@ RAPIDJSON_SOURCE=$TP_SOURCE_DIR/$RAPIDJSON_NAME
 #  export NAME=squeasel-$(git rev-parse HEAD)
 #  git archive HEAD --prefix=$NAME/ -o /tmp/$NAME.tar.gz
 #  s3cmd put -P /tmp/$NAME.tar.gz s3://cloudera-thirdparty-libs/$NAME.tar.gz
-SQUEASEL_VERSION=c304d3f3481b07bf153979155f02e0aab24d01de
+SQUEASEL_VERSION=9335b81317a6451d5a37c5dc7ec088eecbf68c82
 SQUEASEL_NAME=squeasel-$SQUEASEL_VERSION
 SQUEASEL_SOURCE=$TP_SOURCE_DIR/$SQUEASEL_NAME
 


Mime
View raw message