Google Git
Sign in
apache / kudu / eda27e3b5d768f10c9fd809d790df919d08bcfdc
commiteda27e3b5d768f10c9fd809d790df919d08bcfdc[log] [tgz]
authorAlexey Serbin <alexey@apache.org>Tue Aug 23 18:19:39 2022 -0700
committerAlexey Serbin <alexey@apache.org>Wed Aug 31 15:38:30 2022 +0000
treecca1512be9a3e34b8411248b48c0a8b066fd8072
parentee186e572bc35040147bf03bb8f3d4f4d6267863 [diff]
[security] update list of preferred TLS ciphers

After revising the list of preferred TLS ciphers for Kudu in [1],
it turned out that some FIPS 140-2 environments using custom JSSE
providers (e.g., particular versions of BouncyCastle and CaseLogic)
lack AES-GCM ciphers, so Kudu Java client applications could not
establish a TLS connection to Kudu servers since the AES-CBC ciphers
were intentionally removed from the list due to their inferior
performance compared with AES-GCM counterparts.

This patch addresses the issue, appending AES-CCM and AES-CBC ciphers
to the list of preferred ones.  The CBC counterparts of the AES-GCM
ciphers are known to be much less performant on modern x86_64 CPUs,
but at least there should be a shared cipher to establish a connection
using TLSv1.2 protocol in such environments.

This is a follow-up to [1].

[1] https://github.com/apache/kudu/commit/a8fb42dc34e8f1f876db5b26fc3f5eb3196ce854

Change-Id: I2f8e251acd34fc4ede367b030cd16841527042bc
Reviewed-on: http://gerrit.cloudera.org:8080/18900
Reviewed-by: Attila Bukor <abukor@apache.org>
Tested-by: Alexey Serbin <alexey@apache.org>
2 files changed
tree: cca1512be9a3e34b8411248b48c0a8b066fd8072
  1. build-support/
  2. cmake_modules/
  3. docker/
  4. docs/
  5. examples/
  6. java/
  7. kubernetes/
  8. python/
  9. src/
  10. thirdparty/
  11. www/
  12. .dockerignore
  13. .gitignore
  14. .ycm_extra_conf.py
  15. CMakeLists.txt
  16. CONTRIBUTING.adoc
  17. LICENSE.txt
  18. NOTICE.txt
  19. README.adoc
  20. RELEASING.adoc
  21. version.txt