[ https://issues.apache.org/jira/browse/IMPALA-14625?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jason Fehr updated IMPALA-14625:
--------------------------------
    Description: 
OpenSSL has different behavior for the SSL_CTX_set_ciphersuites() function 
between OpenSSL 1.1.1 and 3.x.  The OpenSSL docs say [invalid ciphersuites 
passed to this function will be 
ignored|https://docs.openssl.org/1.1.1/man3/SSL_CTX_set_cipher_list/#description:~:text=Items%20that%20are%20not%20recognized%2C%20because%20the%20corresponding%20ciphers%20are%20not%20compiled%20in%20or%20because%20they%20are%20mistyped%2C%20are%20simply%20ignored.%20Failure%20is%20only%20flagged%20if%20no%20ciphers%20could%20be%20collected%20at%20all.].
  On OpenSSL 3.x, that is accurate.  On OpenSSL 1.1.1, the 
SSL_CTX_set_ciphersuites() function returns an error if any one of the provided 
ciphersuites is invalid regardless of whether or not other valid TLS v1.3 
ciphersuites were also provided.  This situation results in Impala failing to 
start with an error like:

{noformat}
F20251211 13:42:38.463414 1125299 impalad-main.cc:78] Could not build 
messenger: Runtime error: failed to set TLSv1.3 ciphers: 
TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:foobar:
 error:1426E0B9:SSL routines:ciphersuite_cb:no cipher 
match:../ssl/ssl_ciph.c:1294
{noformat}

This error is confusing since some ciphersuites are valid.  Need to provide 
a better error message.

Possible solutions:
1. Update the error message in 
[tls_context.cc|https://github.com/apache/impala/blob/9d112dae23870b6729473047da94f1bc0ea89ceb/be/src/kudu/security/tls_context.cc#L277]
 to be "failed to set TLSv1.3 ciphers, ensure this list contains only TLS v1.3 
ciphersuites and does not contain any TLS v1.2 ciphersuites: $0"
2. Parse the provided list of TLS v1.3 ciphersuites and use the OpenSSL API to 
check if each ciphersuite is a valid TLS v1.3 ciphersuite.


  was:
OpenSSL has different behavior for the SSL_CTX_set_ciphersuites() function 
between OpenSSL 1.1.1 and 3.x.  The OpenSSL docs say invalid ciphersuites 
passed to this function will be ignored.  On OpenSSL 3.x, that is accurate.  On 
OpenSSL 1.1.1, the SSL_CTX_set_ciphersuites() function returns an error.  This 
situation results in Impala failing to start with an error like:

{noformat}
F20251211 13:42:38.463414 1125299 impalad-main.cc:78] Could not build 
messenger: Runtime error: failed to set TLSv1.3 ciphers: 
TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:foobar:
 error:1426E0B9:SSL routines:ciphersuite_cb:no cipher 
match:../ssl/ssl_ciph.c:1294
{noformat}

This error is confusing since some ciphersuites are valid.  Need to provide 
a better error message.

Possible solutions:
1. Update the error message in 
[tls_context.cc|https://github.com/apache/impala/blob/9d112dae23870b6729473047da94f1bc0ea89ceb/be/src/kudu/security/tls_context.cc#L277]
 to be "failed to set TLSv1.3 ciphers, ensure this list contains only TLS v1.3 
ciphersuites and does not contain any TLS v1.2 ciphersuites: $0"
2. Parse the provided list of TLS v1.3 ciphersuites and use the OpenSSL API to 
check if each ciphersuite is a valid TLS v1.3 ciphersuite.



> Startup Failure on Invalid TLS v1.3 CipherSuite and OpenSSL 1.1.1
> -----------------------------------------------------------------
>
>                 Key: IMPALA-14625
>                 URL: https://issues.apache.org/jira/browse/IMPALA-14625
>             Project: IMPALA
>          Issue Type: Improvement
>            Reporter: Jason Fehr
>            Priority: Critical
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
