[ https://issues.apache.org/jira/browse/KUDU-2871?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17316392#comment-17316392 ]

ASF subversion and git services commented on KUDU-2871:
-------------------------------------------------------

Commit df6590d26de51d67e178c59b50dfcda6ea1244a7 in kudu's branch 
refs/heads/master from Alexey Serbin
[ https://gitbox.apache.org/repos/asf?p=kudu.git;h=df6590d ]

KUDU-2871 support TLSv1.3 in Kudu RPC (C++ part)

With this patch Kudu servers and Kudu C++ client can use TLSv1.3
for securing Kudu RPC communication.  All tests run between C++
components now use TLSv1.3 when compiled with OpenSSL 1.1.1 or newer.

This patch introduces two new server-side flags:
  --rpc_tls_ciphersuites
  --rpc_tls_excluded_protocols

The former is to customize the list of preferred ciphers for TLSv1.3.
The latter is to control the set of TLS protocols used by Kudu servers
when securing connections for RPC communication.  It can be used along
with the --rpc_tls_min_protocol flag to define the set of TLS protocols
available to Kudu servers when running a TLS handshake.  For example,
set --rpc_tls_excluded_protocols=TLSv1.3 to exclude TLSv1.3 from
available options for securing Kudu RPC.

In addition, I added a validator for the --rpc_tls_min_protocol flag,
similar to the validator for --rpc_tls_excluded_protocols.

This patch also adds a new test to exercise TLSv1.3 handshake in
the context of establishing a connection for Kudu RPC.

The embedded webserver isn't updated yet with TLSv1.3 cipher controls.
That will be done in a separate patch because it requires pushing an
update to the squeasel webserver to introduce a new TLSv1.3-specific
flag and make a call to SSL_CTX_set_ciphersuites() correspondingly.

Change-Id: Ia92a4d102c3c8cff76101e71ff71d24a9d78b672
Reviewed-on: http://gerrit.cloudera.org:8080/17189
Tested-by: Alexey Serbin <aser...@cloudera.com>
Reviewed-by: Grant Henke <granthe...@apache.org>


> TLS 1.3 not supported by krpc
> -----------------------------
>
>                 Key: KUDU-2871
>                 URL: https://issues.apache.org/jira/browse/KUDU-2871
>             Project: Kudu
>          Issue Type: Bug
>          Components: master, rpc, security, tserver
>    Affects Versions: 1.8.0, 1.9.0, 1.9.1
>            Reporter: Todd Lipcon
>            Assignee: Alexey Serbin
>            Priority: Major
>
> The TLS negotiation in our RPC protocol assumes a whole number of round trips 
> between client and server. For TLS 1.3, the exchange has 1.5 round trips (the 
> client is the last sender rather than the server) which breaks negotiation. 
> Most tests thus fail with OpenSSL 1.1.1.
> We should temporarily disable TLS 1.3 and then fix RPC to support this.
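The round-trip mismatch the issue describes can be observed directly. The following Go program is an added example, not Kudu's or krpc's code: it runs one handshake pinned to a chosen TLS version with Go's standard crypto/tls over an in-memory net.Pipe and records which endpoint sent each flight, so the TLS 1.2 and TLS 1.3 shapes can be compared. The self-signed Ed25519 certificate, the disabled certificate verification on the client and the `writes` channel bookkeeping are demo assumptions, not details of krpc.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
)
func must(err error) {
	if err != nil {
		panic(err)
	}
}
// loggedConn wraps one end of an in-memory pipe and reports each write by its side.
type loggedConn struct {
	net.Conn
	side   string
	writes chan<- string
}
func (c *loggedConn) Write(b []byte) (int, error) {
	c.writes <- c.side
	return c.Conn.Write(b)
}
// HandshakeFlights runs a handshake capped at the given TLS version over net.Pipe and
// returns the sender of each flight in order (consecutive writes by one side merge).
func HandshakeFlights(version uint16) []string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // key for a throwaway self-signed cert
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	must(err)
	writes := make(chan string, 64) // a handshake needs far fewer record writes than this
	clientEnd, serverEnd := net.Pipe()
	srv := tls.Server(&loggedConn{serverEnd, "server", writes}, &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}},
		SessionTicketsDisabled: true, // keep NewSessionTicket out of the flight count
	})
	cli := tls.Client(&loggedConn{clientEnd, "client", writes}, &tls.Config{
		InsecureSkipVerify: true, MaxVersion: version, // demo-only: self-signed cert; pins version
	})
	go func() { defer close(writes); must(srv.Handshake()) }() // server side of the handshake
	must(cli.Handshake())
	var flights []string
	for side := range writes {
		if n := len(flights); n == 0 || flights[n-1] != side {
			flights = append(flights, side)
		}
	}
	return flights
}
```

HandshakeFlights(tls.VersionTLS12) returns client, server, client, server (two whole round trips), while HandshakeFlights(tls.VersionTLS13) returns client, server, client, so a negotiation loop that expects the server to speak last, as krpc's did, waits for a server message that never arrives.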


