Repository: kudu
Updated Branches:
refs/heads/master 8067304f6 -> 93ec241a9
[security] add TLS protocol and cipher suite to negotiation trace
No tests, but I manually verified the output looks good:
0216 14:14:45.214356 (+ 48us) server_negotiation.cc:484] Negotiated TLSv1.2 with cipher
suite AES256-GCM-SHA384
Change-Id: Ie1bf0d4cb8b683011e122a87b1856d718ba62331
Reviewed-on: http://gerrit.cloudera.org:8080/6042
Tested-by: Kudu Jenkins
Reviewed-by: Dan Burkert <danburkert@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/kudu/repo
Commit: http://git-wip-us.apache.org/repos/asf/kudu/commit/93ec241a
Tree: http://git-wip-us.apache.org/repos/asf/kudu/tree/93ec241a
Diff: http://git-wip-us.apache.org/repos/asf/kudu/diff/93ec241a
Branch: refs/heads/master
Commit: 93ec241a9cb105d1e7bb680d29ef42ebe173ff8e
Parents: 8067304
Author: Dan Burkert <danburkert@apache.org>
Authored: Thu Feb 16 14:16:15 2017 -0800
Committer: Dan Burkert <danburkert@apache.org>
Committed: Fri Feb 17 00:45:55 2017 +0000
----------------------------------------------------------------------
src/kudu/rpc/client_negotiation.cc | 6 +++++-
src/kudu/rpc/server_negotiation.cc | 6 +++++-
src/kudu/security/tls_handshake.cc | 10 ++++++++++
src/kudu/security/tls_handshake.h | 8 ++++++++
4 files changed, 28 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/kudu/blob/93ec241a/src/kudu/rpc/client_negotiation.cc
----------------------------------------------------------------------
diff --git a/src/kudu/rpc/client_negotiation.cc b/src/kudu/rpc/client_negotiation.cc
index 934b714..63b3929 100644
--- a/src/kudu/rpc/client_negotiation.cc
+++ b/src/kudu/rpc/client_negotiation.cc
@@ -418,9 +418,13 @@ Status ClientNegotiation::HandleTlsHandshake(const NegotiatePB& response)
{
if (ContainsKey(server_features_, TLS_AUTHENTICATION_ONLY) &&
ContainsKey(client_features_, TLS_AUTHENTICATION_ONLY)) {
- TRACE("Negotiated auth-only TLS");
+ TRACE("Negotiated auth-only $0 with cipher suite $1",
+ tls_handshake_.GetProtocol(), tls_handshake_.GetCipherSuite());
return tls_handshake_.FinishNoWrap(*socket_);
}
+
+ TRACE("Negotiated $0 with cipher suite $1",
+ tls_handshake_.GetProtocol(), tls_handshake_.GetCipherSuite());
return tls_handshake_.Finish(&socket_);
}
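Review bot: On the auth-only branch (new lines 41-42) the trace names a cipher suite even though the socket is then handed to `FinishNoWrap`, so a reader of the trace can take "Negotiated auth-only TLSv1.2 with cipher suite AES256-GCM-SHA384" to mean the connection is encrypted with that suite when, as the old "auth-only TLS" wording made plainer, only the handshake used it. Consider making that explicit in the message, e.g. `TRACE("Negotiated auth-only $0 with cipher suite $1 (no encryption after handshake)", ...)`, or dropping the suite from the auth-only line and keeping it only on the wrapped path. The start of HandleTlsHandshake lies outside the hunk, so I am assuming nothing before this point already records the cipher.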
http://git-wip-us.apache.org/repos/asf/kudu/blob/93ec241a/src/kudu/rpc/server_negotiation.cc
----------------------------------------------------------------------
diff --git a/src/kudu/rpc/server_negotiation.cc b/src/kudu/rpc/server_negotiation.cc
index 078acc7..cf10a12 100644
--- a/src/kudu/rpc/server_negotiation.cc
+++ b/src/kudu/rpc/server_negotiation.cc
@@ -408,9 +408,13 @@ Status ServerNegotiation::HandleTlsHandshake(const NegotiatePB& request)
{
// TLS handshake is finished.
if (ContainsKey(server_features_, TLS_AUTHENTICATION_ONLY) &&
ContainsKey(client_features_, TLS_AUTHENTICATION_ONLY)) {
- TRACE("Negotiated auth-only TLS");
+ TRACE("Negotiated auth-only $0 with cipher suite $1",
+ tls_handshake_.GetProtocol(), tls_handshake_.GetCipherSuite());
return tls_handshake_.FinishNoWrap(*socket_);
}
+
+ TRACE("Negotiated $0 with cipher suite $1",
+ tls_handshake_.GetProtocol(), tls_handshake_.GetCipherSuite());
return tls_handshake_.Finish(&socket_);
}
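Review bot: The two new TRACE calls deliberately run before `Finish`/`FinishNoWrap`, because the header for GetCipherSuite/GetProtocol says they are only valid before 'Finish()', but nothing here says so, and a later edit that moves the trace after the call (to log only on success) would trip the CHECK or read released state. A one-line comment above each trace would pin the ordering: `// Must be traced before Finish(): GetProtocol()/GetCipherSuite() are not valid afterwards.` The same pair of lines is duplicated verbatim in client_negotiation.cc, so a small helper on TlsHandshake that formats "$0 with cipher suite $1" would keep the two sites from drifting.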
http://git-wip-us.apache.org/repos/asf/kudu/blob/93ec241a/src/kudu/security/tls_handshake.cc
----------------------------------------------------------------------
diff --git a/src/kudu/security/tls_handshake.cc b/src/kudu/security/tls_handshake.cc
index 123a123..26bfa9f 100644
--- a/src/kudu/security/tls_handshake.cc
+++ b/src/kudu/security/tls_handshake.cc
@@ -225,5 +225,15 @@ Status TlsHandshake::GetRemoteCert(Cert* cert) const {
return Status::OK();
}
+string TlsHandshake::GetCipherSuite() const {
+ CHECK(has_started_);
+ return SSL_get_cipher_name(ssl_.get());
+}
+
+string TlsHandshake::GetProtocol() const {
+ CHECK(has_started_);
+ return SSL_get_version(ssl_.get());
+}
+
} // namespace security
} // namespace kudu
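Review bot: The `CHECK(has_started_)` in GetCipherSuite and GetProtocol enforces a weaker precondition than the header documents ("after the handshake is complete and before 'Finish()'"): a call after Handshake() has started but not finished is not caught, and in OpenSSL `SSL_get_cipher_name`/`SSL_get_version` then return placeholder strings such as "(NONE)" or "unknown", so the trace would silently record a bogus protocol/cipher. A call after Finish() is also not caught if Finish() releases `ssl_`, in which case `ssl_.get()` is null and the OpenSSL accessors dereference it. Tightening the guard to what the comment promises costs two lines per accessor: `CHECK(has_started_); CHECK(ssl_.get() != nullptr) << "TLS state already released";` and, where the OpenSSL version in use supports it, `DCHECK(SSL_is_init_finished(ssl_.get()));`.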
http://git-wip-us.apache.org/repos/asf/kudu/blob/93ec241a/src/kudu/security/tls_handshake.h
----------------------------------------------------------------------
diff --git a/src/kudu/security/tls_handshake.h b/src/kudu/security/tls_handshake.h
index 1b293d5..7897d10 100644
--- a/src/kudu/security/tls_handshake.h
+++ b/src/kudu/security/tls_handshake.h
@@ -121,6 +121,14 @@ class TlsHandshake {
// May only be called after 'Finish' or 'FinishNoWrap'.
Status GetRemoteCert(Cert* cert) const WARN_UNUSED_RESULT;
+ // Retrieve the negotiated cipher suite. Only valid to call after the
+ // handshake is complete and before 'Finish()'.
+ std::string GetCipherSuite() const;
+
+ // Retrieve the negotiated TLS protocol version. Only valid to call after the
+ // handshake is complete and before 'Finish()'.
+ std::string GetProtocol() const;
+
private:
friend class TlsContext;
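Review bot: The new comments say "before 'Finish()'" while the GetRemoteCert comment two lines above says "after 'Finish' or 'FinishNoWrap'", and neither new comment says what "handshake is complete" means in terms of this class's API, so a caller cannot tell which of Handshake()/Finish()/FinishNoWrap() bounds the valid window. I would spell it out and also name FinishNoWrap if it applies: `// Only valid to call once Handshake() has returned OK and before 'Finish()' (and 'FinishNoWrap()', if that also releases the SSL state).` It is also worth noting the naming scheme, since the value feeds a trace that operators will grep: `// Returns the OpenSSL cipher name (e.g. "AES256-GCM-SHA384"), not the IANA TLS_* name.` The enclosing class continues outside the hunk.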