Yida Wu created IMPALA-14891:
--------------------------------
Summary: Add ssl_maximum_version flag to enforce strict TLS boundary
Key: IMPALA-14891
URL: https://issues.apache.org/jira/browse/IMPALA-14891
Project: IMPALA
Issue Type: New Feature
Components: Backend
Affects Versions: Impala 5.0.0
Reporter: Yida Wu

Currently, Impala only supports setting ssl_minimum_version, but lacks an
ssl_maximum_version flag. If we want to configure a cluster to use a specific
TLS version exclusively, for example, TLS 1.2 only, we must set
ssl_minimum_version to 1.2 and try to disable TLS 1.3 by configuring
tls_ciphersuites to an empty string.

However, this setting is not sufficient to enforce a TLS 1.2-only setup during
testing. When we enforce this by passing an empty string to tls_ciphersuites,
it can lead to unexpected handshake failures (SSLV3_ALERT_HANDSHAKE_FAILURE)
for the client, and if tls_ciphersuites is not set, the default value is used
for tls_ciphersuites, which allows TLS 1.3 to be used.

A solution for this case is to add the ssl_maximum_version flag to allow
enforcing this kind of strict TLS version control.
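One way to confirm that an endpoint really is TLS 1.2 only, as the issue wants to enforce: this added example (not Impala code and not part of the original report) offers exactly one protocol version per connection attempt and records what the server negotiates. The host and port come from the command line, and the function names are chosen for this illustration.

```python
import socket
import ssl
import sys

# Versions relevant to the TLS 1.2-only setup discussed in the issue.
VERSIONS = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def pinned_client_context(version, cafile=None):
    """Client context that offers exactly one TLS protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile:
        ctx.load_verify_locations(cafile)
    else:
        # Version probe only: no application data is sent, so the
        # certificate is not validated when no CA bundle is supplied.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe(host, port, cafile=None, timeout=5.0):
    """Map each version name to the negotiated protocol, or None if refused."""
    results = {}
    for version in VERSIONS:
        ctx = pinned_client_context(version, cafile)
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[version.name] = tls.version()
        except (ssl.SSLError, OSError):
            results[version.name] = None
    return results


def is_tls12_only(results):
    """True when TLS 1.2 is accepted and TLS 1.3 is refused."""
    return results.get("TLSv1_2") == "TLSv1.2" and results.get("TLSv1_3") is None


if __name__ == "__main__":
    # Usage: python probe.py HOST PORT  (endpoint supplied by the operator)
    outcome = probe(sys.argv[1], int(sys.argv[2]))
    print(outcome, "TLS 1.2 only:", is_tls12_only(outcome))
```

A `None` entry only means the handshake did not complete, so an unreachable port also yields `None`; `is_tls12_only` therefore requires a successful TLS 1.2 handshake before reporting a strict setup.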