kudu-commits mailing list archives

From danburk...@apache.org
Subject kudu git commit: [security] add TLS protocol and cipher suite to negotiation trace
Date Fri, 17 Feb 2017 00:46:09 GMT
Repository: kudu
Updated Branches:
  refs/heads/master 8067304f6 -> 93ec241a9


[security] add TLS protocol and cipher suite to negotiation trace

No tests, but I manually verified the output looks good:

0216 14:14:45.214356 (+    48us) server_negotiation.cc:484] Negotiated TLSv1.2 with cipher
suite AES256-GCM-SHA384

Change-Id: Ie1bf0d4cb8b683011e122a87b1856d718ba62331
Reviewed-on: http://gerrit.cloudera.org:8080/6042
Tested-by: Kudu Jenkins
Reviewed-by: Dan Burkert <danburkert@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/kudu/repo
Commit: http://git-wip-us.apache.org/repos/asf/kudu/commit/93ec241a
Tree: http://git-wip-us.apache.org/repos/asf/kudu/tree/93ec241a
Diff: http://git-wip-us.apache.org/repos/asf/kudu/diff/93ec241a

Branch: refs/heads/master
Commit: 93ec241a9cb105d1e7bb680d29ef42ebe173ff8e
Parents: 8067304
Author: Dan Burkert <danburkert@apache.org>
Authored: Thu Feb 16 14:16:15 2017 -0800
Committer: Dan Burkert <danburkert@apache.org>
Committed: Fri Feb 17 00:45:55 2017 +0000

----------------------------------------------------------------------
 src/kudu/rpc/client_negotiation.cc |  6 +++++-
 src/kudu/rpc/server_negotiation.cc |  6 +++++-
 src/kudu/security/tls_handshake.cc | 10 ++++++++++
 src/kudu/security/tls_handshake.h  |  8 ++++++++
 4 files changed, 28 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/kudu/blob/93ec241a/src/kudu/rpc/client_negotiation.cc
----------------------------------------------------------------------
diff --git a/src/kudu/rpc/client_negotiation.cc b/src/kudu/rpc/client_negotiation.cc
index 934b714..63b3929 100644
--- a/src/kudu/rpc/client_negotiation.cc
+++ b/src/kudu/rpc/client_negotiation.cc
@@ -418,9 +418,13 @@ Status ClientNegotiation::HandleTlsHandshake(const NegotiatePB& response)
{
 
   if (ContainsKey(server_features_, TLS_AUTHENTICATION_ONLY) &&
       ContainsKey(client_features_, TLS_AUTHENTICATION_ONLY)) {
-    TRACE("Negotiated auth-only TLS");
+    TRACE("Negotiated auth-only $0 with cipher suite $1",
+          tls_handshake_.GetProtocol(), tls_handshake_.GetCipherSuite());
     return tls_handshake_.FinishNoWrap(*socket_);
   }
+
+  TRACE("Negotiated $0 with cipher suite $1",
+        tls_handshake_.GetProtocol(), tls_handshake_.GetCipherSuite());
   return tls_handshake_.Finish(&socket_);
 }
 
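Review bot: The two new TRACE calls must stay ahead of `Finish(&socket_)` and `FinishNoWrap(*socket_)`, because tls_handshake.h in this commit documents `GetProtocol()` and `GetCipherSuite()` as valid only before 'Finish()', and nothing at the call site records that ordering. A one-line comment such as `// Trace before Finish*(): the getters read the handshake's SSL state.` would stop a later refactor from moving the trace below the return. In the auth-only branch the message reports a cipher suite even though that path ends in `FinishNoWrap`, which presumably leaves the socket unwrapped (confirm against its definition). If so, wording like `"Negotiated auth-only $0 (handshake cipher suite $1, channel not encrypted)"` would keep someone reading the trace from assuming the connection is encrypted with that suite. The same two points apply to the identical hunk in server_negotiation.cc; HandleTlsHandshake begins above both hunks.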

http://git-wip-us.apache.org/repos/asf/kudu/blob/93ec241a/src/kudu/rpc/server_negotiation.cc
----------------------------------------------------------------------
diff --git a/src/kudu/rpc/server_negotiation.cc b/src/kudu/rpc/server_negotiation.cc
index 078acc7..cf10a12 100644
--- a/src/kudu/rpc/server_negotiation.cc
+++ b/src/kudu/rpc/server_negotiation.cc
@@ -408,9 +408,13 @@ Status ServerNegotiation::HandleTlsHandshake(const NegotiatePB& request)
{
   // TLS handshake is finished.
   if (ContainsKey(server_features_, TLS_AUTHENTICATION_ONLY) &&
       ContainsKey(client_features_, TLS_AUTHENTICATION_ONLY)) {
-    TRACE("Negotiated auth-only TLS");
+    TRACE("Negotiated auth-only $0 with cipher suite $1",
+          tls_handshake_.GetProtocol(), tls_handshake_.GetCipherSuite());
     return tls_handshake_.FinishNoWrap(*socket_);
   }
+
+  TRACE("Negotiated $0 with cipher suite $1",
+        tls_handshake_.GetProtocol(), tls_handshake_.GetCipherSuite());
   return tls_handshake_.Finish(&socket_);
 }
 

http://git-wip-us.apache.org/repos/asf/kudu/blob/93ec241a/src/kudu/security/tls_handshake.cc
----------------------------------------------------------------------
diff --git a/src/kudu/security/tls_handshake.cc b/src/kudu/security/tls_handshake.cc
index 123a123..26bfa9f 100644
--- a/src/kudu/security/tls_handshake.cc
+++ b/src/kudu/security/tls_handshake.cc
@@ -225,5 +225,15 @@ Status TlsHandshake::GetRemoteCert(Cert* cert) const {
   return Status::OK();
 }
 
+string TlsHandshake::GetCipherSuite() const {
+  CHECK(has_started_);
+  return SSL_get_cipher_name(ssl_.get());
+}
+
+string TlsHandshake::GetProtocol() const {
+  CHECK(has_started_);
+  return SSL_get_version(ssl_.get());
+}
+
 } // namespace security
 } // namespace kudu
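Review bot: `CHECK(has_started_)` in `GetCipherSuite()` and `GetProtocol()` is weaker than the contract stated in tls_handshake.h, which permits calls only after the handshake is complete and before 'Finish()'. A call made mid-handshake passes the check, and OpenSSL will then, as far as I know, return a placeholder name rather than a negotiated suite, which would put a misleading value in the negotiation trace. A call after `Finish()` would pass a null `ssl_.get()` to OpenSSL if Finish gives up ownership of `ssl_`, which this hunk does not show. Consider replacing the check in both getters with `CHECK(ssl_ && SSL_is_init_finished(ssl_.get()));` so the enforced precondition matches the documented one.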

http://git-wip-us.apache.org/repos/asf/kudu/blob/93ec241a/src/kudu/security/tls_handshake.h
----------------------------------------------------------------------
diff --git a/src/kudu/security/tls_handshake.h b/src/kudu/security/tls_handshake.h
index 1b293d5..7897d10 100644
--- a/src/kudu/security/tls_handshake.h
+++ b/src/kudu/security/tls_handshake.h
@@ -121,6 +121,14 @@ class TlsHandshake {
   // May only be called after 'Finish' or 'FinishNoWrap'.
   Status GetRemoteCert(Cert* cert) const WARN_UNUSED_RESULT;
 
+  // Retrieve the negotiated cipher suite. Only valid to call after the
+  // handshake is complete and before 'Finish()'.
+  std::string GetCipherSuite() const;
+
+  // Retrieve the negotiated TLS protocol version. Only valid to call after the
+  // handshake is complete and before 'Finish()'.
+  std::string GetProtocol() const;
+
  private:
   friend class TlsContext;
 
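Review bot: The comments on `GetCipherSuite()` and `GetProtocol()` say "before 'Finish()'" but do not mention `FinishNoWrap`, although both negotiation call sites in this commit call the getters ahead of `FinishNoWrap` as well, and the `GetRemoteCert` comment directly above names both. State explicitly whether the getters remain valid after `FinishNoWrap`, for example `// Only valid to call after the handshake is complete and before 'Finish()' or 'FinishNoWrap()'.` if that is the intent. It would also help to note that the returned strings are OpenSSL's own names (the commit message shows `TLSv1.2` and `AES256-GCM-SHA384`), so anyone matching on trace output knows which naming scheme to expect. The class body continues outside the hunk.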

