eda27e3b5d768f10c9fd809d790df919d08bcfdc [security] update list of preferred TLS ciphers

After revising the list of preferred TLS ciphers for Kudu in [1],
it turned out that some FIPS 140-2 environments using custom JSSE
providers (e.g., particular versions of BouncyCastle and CaseLogic)
lack AES-GCM ciphers, so Kudu Java client applications could not
establish a TLS connection to Kudu servers since the AES-CBC ciphers
were intentionally removed from the list due to their inferior
performance compared with AES-GCM counterparts.

This patch addresses the issue, appending AES-CCM and AES-CBC ciphers
to the list of preferred ones. The CBC counterparts of the AES-GCM
ciphers are known to be much less performant on modern x86_64 CPUs,
but at least there should be a shared cipher to establish a connection
using the TLSv1.2 protocol in such environments.

This is a follow-up to [1].

[1] https://github.com/apache/kudu/commit/a8fb42dc34e8f1f876db5b26fc3f5eb3196ce854

Change-Id: I2f8e251acd34fc4ede367b030cd16841527042bc
Reviewed-on: http://gerrit.cloudera.org:8080/18900
Reviewed-by: Attila Bukor <abukor@apache.org>
Tested-by: Alexey Serbin <alexey@apache.org>
2 files changed
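
The effect described in the commit message can be checked with a small model of TLSv1.2 suite selection. This is an added example, not code from the Kudu patch: the suite lists are constructed (IANA names, not Kudu's actual list), and it assumes the server picks the first suite in its own preference order that the client also offers, with CCM ranked ahead of CBC.

```python
# Added example: constructed suite lists, not Kudu's actual configuration.
# Assumed preference by AES mode: GCM first, then the appended CCM and CBC.
MODE_RANK = {"GCM": 0, "CCM": 1, "CBC": 2}


def mode_of(suite):
    """Return the AES mode encoded in an IANA cipher-suite name."""
    for mode in MODE_RANK:
        if f"_{mode}" in suite:
            return mode
    raise ValueError(f"unrecognised AES mode in {suite!r}")


def negotiate(server_pref, client_offer):
    """First suite in the server's order that the client also offers, else None."""
    offered = set(client_offer)
    return next((s for s in server_pref if s in offered), None)


def order_is_sound(server_pref):
    """True if no less-preferred mode is listed ahead of a more-preferred one."""
    ranks = [MODE_RANK[mode_of(s)] for s in server_pref]
    return ranks == sorted(ranks)


# Constructed server lists: before (GCM only) and after (CCM and CBC appended).
GCM_ONLY = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
EXTENDED = GCM_ONLY + [
    "TLS_ECDHE_ECDSA_WITH_AES_128_CCM",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
]

# Constructed client offers: a provider without AES-GCM, and one with it.
NO_GCM_CLIENT = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
]
GCM_CLIENT = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    for name, pref in (("GCM only", GCM_ONLY), ("extended", EXTENDED)):
        for label, offer in (("no-GCM client", NO_GCM_CLIENT), ("GCM client", GCM_CLIENT)):
            print(f"{name:9} / {label:13} -> {negotiate(pref, offer)}")
```

Because the fallback suites are appended rather than prepended, a client that does offer AES-GCM still negotiates it; only the GCM-less client lands on CBC.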