
From danburk...@apache.org
Subject kudu git commit: rpc: allow setting --rpc_tls_min_protocol on older RHEL versions
Date Thu, 18 Jan 2018 22:31:56 GMT
Repository: kudu
Updated Branches:
  refs/heads/branch-1.5.x 7d8c9a39c -> e1b8444fc


rpc: allow setting --rpc_tls_min_protocol on older RHEL versions

Change-Id: Ic61f31788d63072fae609c6a2186e52d5e2467b7
Reviewed-on: http://gerrit.cloudera.org:8080/7821
Tested-by: Kudu Jenkins
Reviewed-by: Todd Lipcon <todd@apache.org>
Reviewed-by: Alexey Serbin <aserbin@cloudera.com>
Reviewed-by: Sailesh Mukil <sailesh@cloudera.com>
Reviewed-on: http://gerrit.cloudera.org:8080/9056
Reviewed-by: Jean-Daniel Cryans <jdcryans@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/kudu/repo
Commit: http://git-wip-us.apache.org/repos/asf/kudu/commit/e1b8444f
Tree: http://git-wip-us.apache.org/repos/asf/kudu/tree/e1b8444f
Diff: http://git-wip-us.apache.org/repos/asf/kudu/diff/e1b8444f

Branch: refs/heads/branch-1.5.x
Commit: e1b8444fc9c289d34e36dc351317b430cf8b1002
Parents: 7d8c9a3
Author: Dan Burkert <danburkert@apache.org>
Authored: Thu Aug 24 17:14:25 2017 -0700
Committer: Dan Burkert <dan@cloudera.com>
Committed: Thu Jan 18 22:31:22 2018 +0000

----------------------------------------------------------------------
 src/kudu/security/tls_context.cc | 48 ++++++++++++++++++++++++++---------
 1 file changed, 36 insertions(+), 12 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/kudu/blob/e1b8444f/src/kudu/security/tls_context.cc
----------------------------------------------------------------------
diff --git a/src/kudu/security/tls_context.cc b/src/kudu/security/tls_context.cc
index b02ce18..dc58667 100644
--- a/src/kudu/security/tls_context.cc
+++ b/src/kudu/security/tls_context.cc
@@ -46,6 +46,27 @@
 #include "kudu/util/status.h"
 #include "kudu/util/user.h"
 
+// Hard code OpenSSL flag values from OpenSSL 1.0.1e[1][2] when compiling
+// against OpenSSL 1.0.0 and below. We detect when running against a too-old
+// version of OpenSSL using these definitions at runtime so that Kudu has full
+// functionality when run against a new OpenSSL version, even if it's compiled
+// against an older version.
+//
+// [1]: https://github.com/openssl/openssl/blob/OpenSSL_1_0_1e/ssl/ssl.h#L605-L609
+// [2]: https://github.com/openssl/openssl/blob/OpenSSL_1_0_1e/ssl/tls1.h#L166-L172
+#ifndef SSL_OP_NO_TLSv1
+#define SSL_OP_NO_TLSv1 0x04000000U
+#endif
+#ifndef SSL_OP_NO_TLSv1_1
+#define SSL_OP_NO_TLSv1_1 0x10000000U
+#endif
+#ifndef TLS1_1_VERSION
+#define TLS1_1_VERSION 0x0302
+#endif
+#ifndef TLS1_2_VERSION
+#define TLS1_2_VERSION 0x0303
+#endif
+
 using strings::Substitute;
 using std::string;
 using std::unique_lock;
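Review bot: The fallback definitions on the SSL_OP_NO_TLSv1 / SSL_OP_NO_TLSv1_1 lines use an unsigned suffix (`0x04000000U`, `0x10000000U`), whereas the OpenSSL 1.0.1e headers the comment cites define the SSL_OP_* option bits with a long suffix, so the type of `options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1` in Init() differs depending on which definition is picked up. The values fit either way, so this is a consistency point rather than a correctness bug, but `#define SSL_OP_NO_TLSv1 0x04000000L` and `#define SSL_OP_NO_TLSv1_1 0x10000000L` would keep the fallback interchangeable with the real headers. It would also help to state in the header comment that these values are used as runtime option bits and version numbers passed to whatever libssl is loaded, so they must match the ABI of newer libraries, not just compile; the current wording only mentions detection.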
@@ -126,22 +147,25 @@ Status TlsContext::Init() {
   //   https://tools.ietf.org/html/rfc7525#section-3.3
   auto options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
 
+  auto max_supported_tls_version = SSLv23_method()->version;
+  DCHECK_GE(max_supported_tls_version, TLS1_VERSION);
+
   if (boost::iequals(FLAGS_rpc_tls_min_protocol, "TLSv1.2")) {
-#if OPENSSL_VERSION_NUMBER < 0x10001000L
-    return Status::InvalidArgument(
-        "--rpc_tls_min_protocol=TLSv1.2 is not be supported on this platform. "
-        "TLSv1 is the latest supported TLS protocol.");
-#else
+    if (max_supported_tls_version < TLS1_2_VERSION) {
+      return Status::InvalidArgument(
+          "invalid minimum TLS protocol version (--rpc_tls_min_protocol): "
+          "this platform does not support TLSv1.2");
+    }
+
     options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
-#endif
   } else if (boost::iequals(FLAGS_rpc_tls_min_protocol, "TLSv1.1")) {
-#if OPENSSL_VERSION_NUMBER < 0x10001000L
-    return Status::InvalidArgument(
-        "--rpc_tls_min_protocol=TLSv1.1 is not be supported on this platform. "
-        "TLSv1 is the latest supported TLS protocol.");
-#else
+    if (max_supported_tls_version < TLS1_1_VERSION) {
+      return Status::InvalidArgument(
+          "invalid minimum TLS protocol version (--rpc_tls_min_protocol): "
+          "this platform does not support TLSv1.1");
+    }
+
     options |= SSL_OP_NO_TLSv1;
-#endif
   } else if (!boost::iequals(FLAGS_rpc_tls_min_protocol, "TLSv1")) {
     return Status::InvalidArgument("unknown value provided for --rpc_tls_min_protocol flag",
                                    FLAGS_rpc_tls_min_protocol);
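Review bot: `auto max_supported_tls_version = SSLv23_method()->version;` dereferences a field of `SSL_METHOD`, which OpenSSL 1.1.0 made opaque, so this line will not compile against 1.1.0 or later headers even though the surrounding logic is otherwise version-independent; if this branch may ever be built against newer OpenSSL, guard it with `#if OPENSSL_VERSION_NUMBER < 0x10100000L` and use `SSL_CTX_set_min_proto_version` on the other side. The intent of reading the method's version at runtime is not stated in the hunk; a comment such as `// The SSLv23 method's version field is the highest protocol version the loaded libssl can negotiate, which may be newer than the headers we compiled against.` would explain why this is preferred over an OPENSSL_VERSION_NUMBER check (as I read it from the new header comment, not verified here). Note that `DCHECK_GE(max_supported_tls_version, TLS1_VERSION)` is debug-only, so a release build silently proceeds if the runtime library reports something lower, which the new TLSv1 branch does not reject. TlsContext::Init() begins and ends outside this hunk.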

