[ 
https://issues.apache.org/jira/browse/KUDU-3087?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17067064#comment-17067064
 ] 

ASF subversion and git services commented on KUDU-3087:
-------------------------------------------------------

Commit 11d6686432b7ce980310447f4b8e44150d3f6f93 in kudu's branch 
refs/heads/master from Alexey Serbin
[ https://gitbox.apache.org/repos/asf?p=kudu.git;h=11d6686 ]

[python] KUDU-3087 use 2048-bit RSA keys for CA and server certs

In changelist 3343144fe, the external mini-cluster is configured to use
768-bit RSA cryptography for CA and server TLS certificates.  To
make this work with OpenSSL 1.1.x, it's necessary to set security
level to 0 for the client side.  That's done for C++ and Java tests in
the mentioned changelist, but Python tests were not updated
correspondingly.

This patch addresses the described issue for tests in the kudu-python
project.  Since kudu-python is a wrapper around kudu-client C++ library,
it's not trivial to configure the security level using gflags in a
non-invasive way.  The solution is to make kudu-master and kudu-tserver
processes use 2048-bit RSA keys instead of 768-bit ones, allowing the
tests in kudu-python to pass on contemporary or security-hardened Linux
distros which set security level 2 by default for the OpenSSL library.

This is a follow-up to 3343144fefaad5a30e95e21297c64c78e308fa1f.

Change-Id: I740d81291832bfc28c395443f2c01b0c9a7dbadf
Reviewed-on: http://gerrit.cloudera.org:8080/15554
Tested-by: Alexey Serbin <[email protected]>
Reviewed-by: <[email protected]>
Reviewed-by: Grant Henke <[email protected]>
Reviewed-by: Adar Dembo <[email protected]>


> Python tests failed on arm64
> ----------------------------
>
>                 Key: KUDU-3087
>                 URL: https://issues.apache.org/jira/browse/KUDU-3087
>             Project: Kudu
>          Issue Type: Sub-task
>            Reporter: huangtianhua
>            Assignee: Alexey Serbin
>            Priority: Major
>         Attachments: python_test.rar
>
>
> I took the Python tests for Kudu on the arm64 platform based on 
> https://gerrit.cloudera.org/#/c/14964/ ; the tests failed, with error info as 
> below:
> W0323 02:54:39.938022  9110 negotiation.cc:313] Failed RPC negotiation. Trace:
> 0323 02:54:39.936597 (+     0us) reactor.cc:604] Submitting negotiation task 
> for client connection to 127.8.25.194:34669
> 0323 02:54:39.936737 (+   140us) negotiation.cc:98] Waiting for socket to 
> connect
> 0323 02:54:39.936746 (+     9us) client_negotiation.cc:169] Beginning 
> negotiation
> 0323 02:54:39.936810 (+    64us) client_negotiation.cc:246] Sending NEGOTIATE 
> NegotiatePB request
> 0323 02:54:39.937073 (+   263us) client_negotiation.cc:263] Received 
> NEGOTIATE NegotiatePB response
> 0323 02:54:39.937074 (+     1us) client_negotiation.cc:357] Received 
> NEGOTIATE response from server
> 0323 02:54:39.937079 (+     5us) client_negotiation.cc:184] Negotiated 
> authn=TOKEN
> 0323 02:54:39.937168 (+    89us) client_negotiation.cc:473] Sending 
> TLS_HANDSHAKE message to server
> 0323 02:54:39.937171 (+     3us) client_negotiation.cc:246] Sending 
> TLS_HANDSHAKE NegotiatePB request
> 0323 02:54:39.937724 (+   553us) client_negotiation.cc:263] Received 
> TLS_HANDSHAKE NegotiatePB response
> 0323 02:54:39.937726 (+     2us) client_negotiation.cc:486] Received 
> TLS_HANDSHAKE response from server
> 0323 02:54:39.937906 (+   180us) negotiation.cc:304] Negotiation complete: 
> Runtime error: Client connection negotiation failed: client connection to 
> 127.8.25.194:34669: TLS Handshake error: error:1416F086:SSL 
> routines:tls_process_server_certificate:certificate verify 
> failed:../ssl/statem/statem_clnt.c:1924
> Metrics: 
> {"client-negotiator.queue_time_us":90,"thread_start_us":41,"threads_started":1}
> The Python tests were successful before the commit 
> https://github.com/apache/kudu/commit/3343144fefaad5a30e95e21297c64c78e308fa1f
> and I tried to remove this commit based on master and then the Python tests 
> succeeded; it seems the problem was introduced by 
> https://github.com/apache/kudu/commit/3343144fefaad5a30e95e21297c64c78e308fa1f,
> but I am sorry I can't fix this. Could someone help me? Thanks.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
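
An added example, not part of the original message or the Kudu code base: a triage helper that unwraps the quoted negotiation trace, decodes the packed OpenSSL 1.1.x error code, and lists which OpenSSL security levels reject a given RSA key size. The function names are hypothetical; the log excerpt is copied from the report above, and the key-size limits follow the OpenSSL `SSL_CTX_set_security_level` documentation.

```python
import re

# Failing record copied from the report above, e-mail quoting and wrapping kept.
SAMPLE = """\
> 0323 02:54:39.937906 (+   180us) negotiation.cc:304] Negotiation complete:
> Runtime error: Client connection negotiation failed: client connection to
> 127.8.25.194:34669: TLS Handshake error: error:1416F086:SSL
> routines:tls_process_server_certificate:certificate verify
> failed:../ssl/statem/statem_clnt.c:1924
"""

# error:<packed hex>:<library>:<function>:<reason>:<source file>:<line>
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):([^:]+):(\S+):(\d+)")
PEER_RE = re.compile(r"client connection to (\S+): TLS Handshake error")

# Minimum RSA modulus size (bits) accepted at each OpenSSL security level.
MIN_RSA_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}


def unwrap(text):
    """Drop '> ' quoting and hard line wraps so one log record is one string."""
    parts = (line.lstrip("> ").strip() for line in text.splitlines())
    return " ".join(p for p in parts if p)


def decode_openssl_1_1(code_hex):
    """Split a packed OpenSSL 1.1.x error code into (lib, func, reason)."""
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF


def triage(text):
    """Return peer and decoded OpenSSL error for a TLS handshake failure."""
    record = unwrap(text)
    err = ERR_RE.search(record)
    if err is None:
        return None  # no OpenSSL error string in this record
    peer = PEER_RE.search(record)
    lib, func, reason = decode_openssl_1_1(err.group(1))
    return {"peer": peer.group(1) if peer else None,
            "lib": lib, "func": func, "reason": reason,
            "function_name": err.group(3), "reason_text": err.group(4),
            "source": f"{err.group(5)}:{err.group(6)}"}


def levels_rejecting(rsa_bits):
    """Security levels at which an RSA key of this size is refused."""
    return [lvl for lvl, minimum in MIN_RSA_BITS.items() if rsa_bits < minimum]


if __name__ == "__main__":
    print(triage(SAMPLE))
    print("768-bit rejected at levels:", levels_rejecting(768))
    print("2048-bit rejected at levels:", levels_rejecting(2048))
```

The decoded library number 20 is the SSL library and reason 134 is the certificate verification failure; the key-size table shows why 768-bit keys need level 0 while 2048-bit keys pass at the level 2 default mentioned in the commit message.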