[ https://issues.apache.org/jira/browse/KUDU-1926?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17306701#comment-17306701 ]
ASF subversion and git services commented on KUDU-1926:
-------------------------------------------------------

Commit d0c0483a15db03c2bb4217d9c9ce15e39c858629 in kudu's branch refs/heads/master from Alexey Serbin
[ https://gitbox.apache.org/repos/asf?p=kudu.git;h=d0c0483 ]

KUDU-1926: disable TLS/SSL renegotiation

This patch disables TLS ciphers renegotiation for TLSv1.2 and prior protocol versions.

In case of OpenSSL version 1.1.0h and newer, we are using SSL_OP_NO_RENEGOTIATION option to disable all renegotiations. In case of OpenSSL version prior to 1.1.0a, the undocumented flag SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS is used. See [1], [2] and [3] for more context.

The moot point is the version interval between 1.1.0a and 1.1.0g (inclusive): the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag is no longer available from the application side, but SSL_OP_NO_RENEGOTIATION is not yet present. So, if a server binary has been compiled with OpenSSL in the specified version range, it's still advertising the renegotiation option, even if it's run against OpenSSL 1.1.0h or later versions.

[1] https://www.openssl.org/docs/man1.1.0/man3/SSL_set_options.html
[2] https://github.com/openssl/openssl/blob/f9398cc2b31858ddaaea3f5cfec2fce7f9b90347/CHANGES#L1038-L1049
[3] https://github.com/openssl/openssl/issues/4739

Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1
Reviewed-on: http://gerrit.cloudera.org:8080/17204
Tested-by: Kudu Jenkins
Reviewed-by: Andrew Wong <aw...@cloudera.com>

> Disable SSL session renegotiation
> ---------------------------------
>
>                 Key: KUDU-1926
>                 URL: https://issues.apache.org/jira/browse/KUDU-1926
>             Project: Kudu
>          Issue Type: Improvement
>          Components: rpc, security
>    Affects Versions: 1.3.0
>            Reporter: Todd Lipcon
>            Assignee: Alexey Serbin
>            Priority: Minor
>
> SSL renegotiation has had a couple of CVEs in the past. We should figure out
> if it's easy to disable it and do so, since we don't expect to use it in KRPC.
> (it may already be the case that it's disabled by virtue of us not handling
> SSL_WANT_READ return from ssl_write, and SSL_WANT_WRITE from ssl_read).

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
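
The three build-time version ranges from the commit message above, written out as an added example for auditing which binaries can switch renegotiation off; this is not code from the Kudu commit. The names `classify_build`, `format_version` and `reneg_control` are hypothetical, and the sample version numbers are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Mechanisms named in the commit message, keyed by build-time version. */
enum reneg_control {
  RENEG_LEGACY_S3_FLAG, /* SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS (before 1.1.0a) */
  RENEG_NO_CONTROL,     /* 1.1.0a .. 1.1.0g: neither mechanism is available */
  RENEG_SSL_OP          /* SSL_OP_NO_RENEGOTIATION (1.1.0h and newer) */
};

/* Release values of OPENSSL_VERSION_NUMBER (0xMNNFFPPS layout of OpenSSL 1.x). */
#define VER_1_1_0A 0x1010001fUL
#define VER_1_1_0H 0x1010008fUL

/* Classify a build by the OPENSSL_VERSION_NUMBER it was compiled against.
 * The status nibble (S) is dropped so pre-releases sort with their release. */
enum reneg_control classify_build(unsigned long v) {
  unsigned long rel = v >> 4;
  if (rel < (VER_1_1_0A >> 4)) return RENEG_LEGACY_S3_FLAG;
  if (rel < (VER_1_1_0H >> 4)) return RENEG_NO_CONTROL;
  return RENEG_SSL_OP;
}

/* Render a 1.x version number as text, e.g. 0x1010007f -> "1.1.0g".
 * Returns 0 on success, -1 if the patch field has no single-letter form. */
int format_version(unsigned long v, char *out, size_t len) {
  unsigned major = (v >> 28) & 0xf, minor = (v >> 20) & 0xff;
  unsigned fix = (v >> 12) & 0xff, patch = (v >> 4) & 0xff;
  if (patch > 26) return -1;
  if (patch == 0) snprintf(out, len, "%u.%u.%u", major, minor, fix);
  else snprintf(out, len, "%u.%u.%u%c", major, minor, fix, 'a' + patch - 1);
  return 0;
}

int main(void) {
  /* Constructed sample: build-time versions as collected from a fleet. */
  const unsigned long builds[] = {0x1000215fUL, 0x1010001fUL, 0x1010007fUL,
                                  0x1010008fUL, 0x101010bfUL};
  static const char *label[] = {"legacy s3 flag", "NO CONTROL (gap)",
                                "SSL_OP_NO_RENEGOTIATION"};
  for (size_t i = 0; i < sizeof builds / sizeof builds[0]; i++) {
    char text[16];
    if (format_version(builds[i], text, sizeof text) != 0) strcpy(text, "?");
    printf("%-8s %s\n", text, label[classify_build(builds[i])]);
  }
  return 0;
}
```

The classification depends on the headers the binary was compiled against, not on the library loaded at run time, which is the caveat the commit message raises for the 1.1.0a to 1.1.0g range.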