[ https://issues.apache.org/jira/browse/KUDU-3210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17233245#comment-17233245 ]
ASF subversion and git services commented on KUDU-3210: ------------------------------------------------------- Commit d1285eb3855ca1125dab4aac318e8acaf3edf58a in kudu's branch refs/heads/master from Attila Bukor [ https://gitbox.apache.org/repos/asf?p=kudu.git;h=d1285eb ] KUDU-3210 Add thread ID callback to OpenSSL init It seems the race condition bug we worked around in f9f3189a6dbe0636d578d80b1d8e60cf7b2e6686 was caused by using the default thread ID callback. It seems it's not a bug in SafeLogic after all, but this is likely reproducible in upstream OpenSSL as well. We didn't find this before as we always tested in older OpenSSL versions, while the commit[1] responsible for this behavior was included only in OpenSSL 1.0.2i[2]. The threads(3) man page claims that "If the application does not register such a callback using CRYPTO_THREADID_set_callback(), then a default implementation is used - on Windows and BeOS this uses the system's default thread identifying APIs, and on all other platforms it uses the address of errno. The latter is satisfactory for thread-safety if and only if the platform has a thread-local error number facility." This seems to be no longer true in 1.0.2i and later. Redefining the thread ID callback seems to fix the problem without any additional locking and f9f3189a6dbe0636d578d80b1d8e60cf7b2e6686 can be reverted safely. I tested these changes on the host I discovered the race condition. [1] https://github.com/openssl/openssl/commit/a43cfd7bb1fc681d563e5efa75cc926d7e8e5c36 [2] https://mta.openssl.org/pipermail/openssl-commits/2016-September/010743.html Change-Id: Icec6da3a9380206fe6ba4a31ea8fb4dcbc34dd00 Reviewed-on: http://gerrit.cloudera.org:8080/16730 Reviewed-by: Grant Henke <granthe...@apache.org> Reviewed-by: Alexey Serbin <aser...@cloudera.com> Tested-by: Kudu Jenkins > Support FIPS approved mode > -------------------------- > > Key: KUDU-3210 > URL: https://issues.apache.org/jira/browse/KUDU-3210 > Project: Kudu > Issue Type: Improvement > Reporter: Attila Bukor > Assignee: Attila Bukor > Priority: Major > > FIPS 140-2 is a standard used to approve cryptographic modules. Some versions > of OpenSSL support a "FIPS mode" where only approved algorithms and key sizes > are enabled. Kudu should be able to run when FIPS mode is enabled and should > provide a way for admins to require that FIPS mode is enabled. -- This message was sent by Atlassian Jira (v8.3.4#803005)